Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2009
- 148 participants
- 197 discussions
Hi all,
I wrote a code in perl to calculate remaining time using my own database.
for authentication I used User-Password attribute. but then I tested it with
real NAS server and I realized that I haven't catered CHAP password. Now I
want to ask that if there any module which convert CHAP password to
user-password feild or there is any way to integrate CHAP password module in
perl code. Means I want to authenticate CHAP password through my own perl
code, how will I do it.
I'll be thankful for any help
Regards,
Saeed Akhtar
2
1
Hi,
I'm looking for help with the following.
The brief is to setup freeradius 2.0.5 on freebsd 6.2.
The requirements are for accounting and authentication for 1 monitoring user
via a .dbm file, as all other users are authenticated on a different server.
We are required to log accounting data in a flat file, rather than a
database, and this data needs to be logged according to Realm. I have
setup, as per the Acct_Type documentation, but the logging is failing with
the 'No response' from server message. The debug displays the ticket and
the following.
Finished request 7.
Cleaning up request 7 ID 57 with timestamp +24
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 37790, id=57,
length=374
If I change it back to log all data to one file it logs with no issues to
that file.
It doesn't appear to be reading the 'files' section of the radiusd.conf so I
thought that it should be referenced in the accounting section but I cant
find the correct syntax anywhere and the syntax I have made an educated
guess at, has not been correct.
I hope you can assist and thanks in advance,
Regards,
Clare
2
1
Hello all,
I am having some issues with setting up 802.1x using
freeradius-server-2.1.1-2.el5. I have 3 SSIDs setup. One of them is
doing Mac Auth against a file. One is using ldap auth and the other is
setup to use 802.1x. Mac auth and ldap auth works great so I know my
ldap config in radius should be setup correctly. It looks like the
authorize part of 802.1x works but it fails during the authenticate
part. Does anyone see what I have messed up? I am sure it is something
simple that I am overlooking. I am using windows xp sp3 to try to
connect to this network. My wireless network is all Cisco LWAPP AP's
connecting to Cisco WLAN controllers and we use Cisco WCS to manage
all of these devices. I am trying to setup a secure network using wpa
and wpa2 with 802.1x using eap-peap.
The message
'WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?'
shows up also on the non-802.1x ldap auth wlan that works. Let me know
if more detail is needed.
TIA!
Config file snippets:
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
files
ldap
ldap_all_myids
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
Auth-Type LDAP_ALL_MYIDS {
ldap_all_myids
}
eap
}
ldap ldap_all_myids {
server = "localhost"
identity = "cn=blah,ou=something,o=uga"
password = "my_pass"
basedn = "ou=users,o=uga"
filter = "(cn=%u)"
start_tls = no
tls_mode = no
# access_attr = "dialupAccess"
access_attr = "ugaelmkprov"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
max_entries = 255
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
Log file:
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=191, length=181
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x020b000d016b6c6564666f7264
Message-Authenticator = 0xb4fdd87de3f264b7a28bd05a07ceae23
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for kledford
[ldap] expand: (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=%u)) -> (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
[ldap] expand: ou=users,o=uga -> ou=users,o=uga
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
[ldap] checking if remote access for kledford is allowed by ugaelmkprov
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user kledford authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
[ldap_all_myids] performing user authorization for kledford
[ldap_all_myids] expand: (cn=%u) -> (cn=kledford)
[ldap_all_myids] expand: ou=users,o=uga -> ou=users,o=uga
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford)
[ldap_all_myids] checking if remote access for kledford is allowed by ugaelmkprov
[ldap_all_myids] No default NMAS login sequence
[ldap_all_myids] looking for check items in directory...
[ldap_all_myids] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_all_myids] user kledford authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_all_myids] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.17.6.205 port 32770
EAP-Message = 0x010c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e028ee22c7ff0f6bedc08a825
Finished request 70.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=192, length=266
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x020c005019800000004616030100410100003d0301496f410ff8ee077ce9d259abb7f81ed6db2ea758cffee4e7ad7eb61b95e8329a00001600040005000a000900640062000300060013001200630100
State = 0x0282fb8e028ee22c7ff0f6bedc08a825
Message-Authenticator = 0x2f08e7cd6b50bc98da1db2daf64fc80f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 192 to 172.17.6.205 port 32770
EAP-Message = 0x010d040019c00000089b160301002a020000260301496f3ee1ee8866b8a4376d656afa915e2b592a924331e0656bce890e613fc83d00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3039303130383232313433335a170d3130303130383232313433335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7d8c0ef7a3a864ea16abde689de9400a9efdf1a723cba7527411b145f5f30d30db1a7ef5d5a6c8e611c936e821ef04bf3a0a42bed5e573364ac9fc855d2
EAP-Message = 0x9dc5234c6a61b0c639d1205aa8f6baa7a1798dc955d6792d68778d995c460a09b5e1ee31c0ca65fd7df82c8a30b284ea76a1875e16a4fa0b08f93927516f8ceb745842c378db6d5c1406c734d618323918d433707c4e59e6435881a39e18cb0ce52c1623cf149e57425ddfae12be2b2befbd9ba756f589a05f8935ce573ad4f6fcad95116eb8499c1daa6f3f34da4ccb275c6686677bc25ae678b5fabadd8c474d2a87263705892a9dee3a8b5c5ad11d1b229d93b7b37235bfa25c908e4a5c643fe70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010046d53a405176aa48f1
EAP-Message = 0x9db9b1e524130f431f8d31d979c3c9cb9d01dfa19eacaa8bf1354d77b8431d571e12011a22f5adb109c8336191a861f9ee34a0f51c5d8991bd8feddac68ffac0ede52e5e9bd3efc17b6924e9bf4ec4944dda2bb48c10680ac49473dd2c474637c05c0594ec984f91468614a00e16547cb1b4227fe0b554a45d93852b09
EAP-Message = 0x69eba10c49200443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e008ce22c7ff0f6bedc08a825
Finished request 72.
Going to the next requ
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=194, length=192
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x020e00061900
State = 0x0282fb8e008ce22c7ff0f6bedc08a825
Message-Authenticator = 0x4aa592830ab1a5ab74e9a9a007187cb3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 194 to 172.17.6.205 port 32770
EAP-Message = 0x010f00b51900dbe740ea1ac0356d73325c3b4862b3d7de03f02a23dba6bca2f6f1b797a90fbf5218a80d927bb8db9704876c522721d2a501828d7bbe23987b3f9f1232f56c98240d6e7810db793c7dd5e34daf5cf4299daa19393ea7ca3fc824447b57a62db54a622b8245942bc900cb982216c393a912b5ec346076e6044863de5249f31e319e8a0e876937e0b3520514fc00e3072659bbb89957d1322ad32aa4cbcb9418749803eb4310ae16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e018de22c7ff0f6bedc08a825
Finished request 73.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=195, length=508
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x020f014019800000013616030101061000010201009b838b42c320d7d04e42a0b97c6f5480741eeb64be1f131e3dacb4c0394fb96bda91ccae4264e9a3264cc7e1bc621a8c9c0bf2be4de29042ee94469be9e3830f348df4009c679c00a1241df4b2b65fab811351cb1b97847eba5bfe321dc32739f93043103bd3a969513b10dbca3a2c9deb4a9a492603629e7e9ddaa362f0b148ad1842270a18321708ff0e314412079d458dd4b9fab38d9f1b86a65fa0fa8b0a2e06403c7a7a52d8c2a2e7ed5878c339d6905da1718c32b7f8ba07c8cedf866c980f690722e38fb421df3d67e55cc9b380bae38ef392c6234db71242b16f7ff56e352b7a3ca3837a
EAP-Message = 0xcf4e92de1e4d6728808dbf8df54d4819c57dabf00e16984114030100010116030100205c95b90821f44df33871c079ce0448065b483c9ef6504c023bba98c997702759
State = 0x0282fb8e018de22c7ff0f6bedc08a825
Message-Authenticator = 0x441cfb0518eb1e533b6445ac9ce68d59
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 195 to 172.17.6.205 port 32770
EAP-Message = 0x0110003119001403010001011603010020094cda7a332cef09766a43e6416115d88a0b0c2b9538c106d7a79530914df85b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0692e22c7ff0f6bedc08a825
Finished request 74.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=196, length=192
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x021000061900
State = 0x0282fb8e0692e22c7ff0f6bedc08a825
Message-Authenticator = 0xb2541fc85b1ccd57fc7147c181c1f8b1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 196 to 172.17.6.205 port 32770
EAP-Message = 0x011100201900170301001563bc74883cd5e22b287fdc9866b0cf7b7527605d97
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0793e22c7ff0f6bedc08a825
Finished request 75.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=197, length=222
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x0211002419001703010019cf021abfc4a36083c60b53cf5f495fc64fef8cb5cb08107c9a
State = 0x0282fb8e0793e22c7ff0f6bedc08a825
Message-Authenticator = 0x8249cfb08c9015d02c7dd9437b1ecd50
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 36
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - kledford
[peap] Got tunnled request
EAP-Message = 0x0211000d016b6c6564666f7264
server (null) {
PEAP: Got tunneled identity of kledford
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to kledford
Sending tunneled request
EAP-Message = 0x0211000d016b6c6564666f7264
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kledford"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 17 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x577c69d6576e7321a99fdce2c06ba398
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x577c69d6576e7321a99fdce2c06ba398
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 197 to 172.17.6.205 port 32770
EAP-Message = 0x011200391900170301002e1f2e6251b0ee12c3a6be5147b62d32ff1e8f5b4d653c72d63b2f51095dd26c88d9e80b73c7c67e4d2642369bb7cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0490e22c7ff0f6bedc08a825
Finished request 76.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=198, length=276
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x0212005a1900170301004fbe3681cc29c08c6a9cb7790dee6a2413b0ebc8473162dc85f362a9966ab531a0eb62ade6f69f550ca67d378fbff0e34767146eb3407c022ee9bd1e1939557fdd64cd99d5a77b130c13aeea3580be9f
State = 0x0282fb8e0490e22c7ff0f6bedc08a825
Message-Authenticator = 0x1d0b5a02f83fd064643cf8b17b61649e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 90
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264
server (null) {
PEAP: Setting User-Name to kledford
Sending tunneled request
EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kledford"
State = 0x577c69d6576e7321a99fdce2c06ba398
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 18 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kledford with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\022E=691 R=1"
EAP-Message = 0x04120004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\022E=691 R=1"
EAP-Message = 0x04120004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 198 to 172.17.6.205 port 32770
EAP-Message = 0x011300261900170301001b7d7ecb9363773c2925be6270b36c1cc64746512b567f6487e27a4e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Finished request 77.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=199, length=224
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x021300261900170301001b989cf4d191ed8635a159d484e8b3ddcea284fc0177b8ed705dd9d8
State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Message-Authenticator = 0xf942e38c5ad48d5f0723d8062283dcb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 19 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> kledford
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 78 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 78
Sending Access-Reject of id 199 to 172.17.6.205 port 32770
EAP-Message = 0x04130004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 70 ID 191 with timestamp +511079
Cleaning up request 71 ID 192 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 72 ID 193 with timestamp +511080
Cleaning up request 73 ID 194 with timestamp +511080
Cleaning up request 74 ID 195 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 75 ID 196 with timestamp +511080
Cleaning up request 76 ID 197 with timestamp +511080
Cleaning up request 77 ID 198 with timestamp +511080
Waking up in 1.0 seconds.
Cleaning up request 78 ID 199 with timestamp +511080
--
Keith Ledford <kledford AT uga DOT edu>
Network Administrator
EITS Network Engineering
3
5
> smbencrypt is distributed with the server. Use it to check the
> password hash.
> Ivan Kalik
> Kalik Informatika ISP
The authentication is half finished. The hint with the smbencrypt showed
that the stored nt passwords in our ldap directory was wrong. The hint with
ldap.attrmap pointed to a wrong nt-password mapping. Thanks a lot for the
help.
Now we are facing another problem:
1. We use the native windows xp (sp2 + sp3) 802.1x client without the check
in the box "Validate server certificate". Result: The authentication works.
2. We check the box, fill in the right dns server name and select the right
Trusted Root CA. Result: The authentication fails.
3. We use an macintosh with leopard, the authentication works fine.
4. We use windows xp (sp3) with an odyssey client, the authentication works
fine.
The failed authentication shows in the debug log, that something goes wrong
with the user data in the inner tunnel. There is no "rlm_eap_peap: Identity
- username". Instead it breaks with an "TLS Alert" and an "No data inside
the tunnel"
Our Server Certificate has the extended key-usage
PKIX serverAuth (OID: 1.3.6.1.5.5.7.3.1)
PKIX clientAuth (OID: 1.3.6.1.5.5.7.3.2)
Any help is appreciated,
best regards
Michael
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=60,
length=82
User-Name = "nutzername"
EAP-Message = 0x0200000b016d706f736572
Message-Authenticator = 0x4f1d0d2973fdb38611ce6bfacb5846f2
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 238
radius_xlat: 'nutzername'
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat: '(uid=nutzername)'
radius_xlat: 'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://septimus.domain.de, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/ca-bundle.crt
rlm_ldap: bind as uid=authproxy,o=bla,dc=bla,dc=de/geheim$ to
ldaps://septimus.domain.de
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 60 to 141.2.252.203:55558
User-Name = "nutzername"
EAP-Message = 0x010100160410cae9bfb010ee5187489092b9a2f82ddd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbea2ee7e075274739942fa3464748581
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=226,
length=95
User-Name = "nutzername"
State = 0xbea2ee7e075274739942fa3464748581
EAP-Message = 0x020100060319
Message-Authenticator = 0x200b492108ca7cac81f0e8922229d1ce
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 238
radius_xlat: 'nutzername'
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat: '(uid=nutzername)'
radius_xlat: 'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 226 to 141.2.252.203:55558
User-Name = "nutzername"
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5750c0ff371ce186f1965748119d04ac
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=38,
length=169
User-Name = "nutzername"
State = 0x5750c0ff371ce186f1965748119d04ac
EAP-Message =
0x0202005019800000004616030100410100003d0301496e0c138b66c4b2b03439662b6dbd53
73c2bffd1be848b6eacc3fb4f77dba7900001600040005000a00090064006200030006001300
1200630100
Message-Authenticator = 0x13930a9cfe35d09670f4963fa3e99ece
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched DEFAULT at 238
radius_xlat: 'nutzername'
modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat: '(uid=nutzername)'
radius_xlat: 'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 08e4], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 38 to 141.2.252.203:55558
User-Name = "nutzername"
EAP-Message =
0x0103040a19c000000941160301004a020000460301496e0c0a313b94cc31ef3ce5fcf21642
9dcae1a13d91a1f4d634e431b7fba52f2063656f16763acb98fb6dae900682fe430116f46619
ef62da13543c269dca608200040016030108e40b0008e00008dd00057730820573308204dca0
03020102020e369900010002c59829d76c5f17cc300d06092a864886f70d01010505003081bc
310b30090603550406130244453110300e0603550408130748616d627572673110300e060355
0407130748616d62757267313a3038060355040a1331544320547275737443656e7465722066
6f7220536563757269747920696e2044617461204e6574776f72
EAP-Message =
0x6b7320476d624831223020060355040b1319544320547275737443656e74657220436c6173
7320322043413129302706092a864886f70d010901161a636572746966696361746540747275
737463656e7465722e6465301e170d3038303830343132303430355a170d3039303832393132
303430355a3081d5310b3009060355040613024445310f300d0603550408130648657373656e
311a3018060355040713114672616e6b6675727420616d204d61696e312c302a060355040a13
234a6f68616e6e20576f6c6667616e6720476f657468652d556e69766572736974616574311f
301d060355040b1316486f6368736368756c72656368656e7a65
EAP-Message =
0x6e7472756d31223020060355040314192a2e7365727665722e756e692d6672616e6b667572
742e64653126302406092a864886f70d010901161777777740727a2e756e692d6672616e6b66
7572742e646530820122300d06092a864886f70d01010105000382010f003082010a02820101
00be916aaefcd7a193458cea127673dd7296b608360945fcd1288f4537f751bf37ea0c47b7a4
ca89ecbd7677012462b1519de606a232c2e73e28d0d04ed554ce6a82e38d4f7bb8942008df11
e17122c5215333c5a49658abded7116628676a4f49e0f7230a1f85a339dfca410a5ff5045b51
3b413eb6bc84f171084be88d31b5159d915f86ddb50499409df2
EAP-Message =
0x0207f15d52432a76601ed7bea5f25d59093b39632a02424eb053b9688ff91db85f9ca665b4
a42b985b9afe2cd9b6e9b8c5c8b30c7be0a8227fec6f6948fbec296b256879fe09403cb2c476
0643605e6ea1746d02fb0274c38139d16397733c36997fbf3c7775ca54f869dd47dc1cd4ed0e
28dc52ff0203010001a38201d7308201d330818e06082b06010505070101048181307f304c06
082b060105050730028640687474703a2f2f7777772e747275737463656e7465722e64652f63
65727473657276696365732f636163657274732f74635f636c6173735f325f63612e63727430
2f06082b060105050730018623687474703a2f2f6f6373702e74
EAP-Message = 0x63636c617373322e747275737463656e7465722e6465
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7d2d73c29099b11eba9f436f60e7786f
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=100,
length=95
User-Name = "nutzername"
State = 0x7d2d73c29099b11eba9f436f60e7786f
EAP-Message = 0x020300061900
Message-Authenticator = 0xc16bfac26a67d57deac7d60e2da85581
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched DEFAULT at 238
radius_xlat: 'nutzername'
modcall[authorize]: module "files" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat: '(uid=nutzername)'
radius_xlat: 'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 100 to 141.2.252.203:55558
User-Name = "nutzername"
EAP-Message =
0x010404061940300c0603551d130101ff040230003081820603551d20047b3079307706092a
8214002c01010102306a303606082b06010505070202302a1a28544320547275737443656e74
657220436c6173733220536572766572204365727469666963617465303006082b0601050507
02011624687474703a2f2f7777772e747275737463656e7465722e64652f67756964656c696e
6573300e0603551d0f0101ff0404030205e0301d0603551d0e04160414b766adfc0fd80652bc
51275e88e6b5254598806a304c0603551d1f044530433041a03fa03d863b687474703a2f2f63
726c2e7463636c617373322e747275737463656e7465722e6465
EAP-Message =
0x2f63726c2f76322f74635f636c6173735f325f63612e63726c301d0603551d250416301406
082b0601050507030106082b06010505070302301106096086480186f84201010404030206c0
300d06092a864886f70d01010505000381810029a625b45ec3f9852a465b2fec2a9c47c7c781
33fc2cd3bc58f75a5ea04a32755dd12c7a7f4c0c3850ab7bf42504ec8ea307e5629919700750
c0114ef2772d713179c68258157d2873d61d9491ff5ba0252cf52020ed9dc4fce69ae5d58e82
171e077b1a193c903c1cfd27c6125e2201b0b31ac8a70de3592fe903a1258644620003603082
035c308202c5a003020102020203ea300d06092a864886f70d01
EAP-Message =
0x010405003081bc310b30090603550406130244453110300e0603550408130748616d627572
673110300e0603550407130748616d62757267313a3038060355040a13315443205472757374
43656e74657220666f7220536563757269747920696e2044617461204e6574776f726b732047
6d624831223020060355040b1319544320547275737443656e74657220436c61737320322043
413129302706092a864886f70d010901161a636572746966696361746540747275737463656e
7465722e6465301e170d3938303330393131353935395a170d3131303130313131353935395a
3081bc310b30090603550406130244453110300e060355040813
EAP-Message =
0x0748616d627572673110300e0603550407130748616d62757267313a3038060355040a1331
544320547275737443656e74657220666f7220536563757269747920696e2044617461204e65
74776f726b7320476d624831223020060355040b1319544320547275737443656e7465722043
6c61737320322043413129302706092a864886f70d010901161a636572746966696361746540
747275737463656e7465722e646530819f300d06092a864886f70d010101050003818d003081
8902818100da38e8ed3200297183010dbf8c01dcdac6ad39a4a98a2fd58b5c685f50c662f566
bdca9122ecaa1d51d73db351b2834e5dcb49b0f04c55e56b2dc7
EAP-Message = 0x850b301c924e82d4ca02edf76fbedce0e314
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6f3c1ccd94830375640659699664a51a
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=62,
length=95
User-Name = "nutzername"
State = 0x6f3c1ccd94830375640659699664a51a
EAP-Message = 0x020400061900
Message-Authenticator = 0xd3621dcb8ecf03d17c966eb0f661ad99
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched DEFAULT at 238
radius_xlat: 'nutzername'
modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat: '(uid=nutzername)'
radius_xlat: 'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 62 to 141.2.252.203:55558
User-Name = "nutzername"
EAP-Message =
0x010501471900b80553f29af4568b5a9e8593d1b48256ae4dbba84b5716bcfef8589ef8298d
b07bcd78c94fac8b670cf19cfbfc579b575c4f0d0203010001a36b3069300f0603551d130101
ff040530030101ff300e0603551d0f0101ff040403020186303306096086480186f842010804
261624687474703a2f2f7777772e747275737463656e7465722e64652f67756964656c696e65
73301106096086480186f8420101040403020007300d06092a864886f70d0101040500038181
008452fb28dfff1f7501bc01be0456976a7442243183f946b1068a89cf962c33bf8cb55f7a72
a18506ce86f8058ee8f925cada838c06aceb366d8591340436f4
EAP-Message =
0x42f0f8792e0a485cabcc514f7876a0d9ac19bd2ad169042891ca36102780575bd25cf5c25b
ab6481637451f497bfcd1228f74d667fa7f01c012678b2664770516416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd5c957dea92c16671d2a4bb23ff2a96
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=77,
length=411
User-Name = "nutzername"
State = 0xbd5c957dea92c16671d2a4bb23ff2a96
EAP-Message =
0x02050140198000000136160301010610000102010083c661702c546243ae82b89c22329e68
70c992c122d7d6eba0cd49909a808a5246245e5368d9871f7256a00f1d02fc7655fdb3407ff0
f2c334920716bbc7c249a6915917b2c81b2dbe2769d6bfbb0f5c746863e7f429a4a9b6236568
9637b27317c4fc1c5e8b6876a93f8b0119fb66204c48dadcae5f1d7ca514b2690e15a7e857f0
e2f8925e910bc4e8678340bb80c9581e16a4fabd801b7ce90839497be1938b3800f28574d37a
e46f7313ec6f2eac7b1c332e9c06773ded5f136e8b3e942ebfd4977cefd66550cb16882de8f4
e6c65cb843008f3738b94085ddb2fbd48cf79312ca1ee6e5ae09
EAP-Message =
0x8d724ebb401cd378fc2965eb82b476f705b7795ed924f34e1403010001011603010020d6d7
ac087f5a4b8452126caa6f15acee0d30608d4b259d910486c4dc153a7940
Message-Authenticator = 0x3a8c157d07a1eeedddbe386f4cfca41b
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched DEFAULT at 238
radius_xlat: 'nutzername'
modcall[authorize]: module "files" returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat: '(uid=nutzername)'
radius_xlat: 'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 77 to 141.2.252.203:55558
User-Name = "nutzername"
EAP-Message =
0x0106003119001403010001011603010020941bf982a2967829df2e9158013bbecb542a799d
37afb0ee09da1aa705146157
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1f497af4715856825aa1004c515a4d0
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=242,
length=122
User-Name = "nutzername"
State = 0xf1f497af4715856825aa1004c515a4d0
EAP-Message =
0x02060021198000000017150301001272c8140acf019f865785ebe57bfdc0ed9fdf
Message-Authenticator = 0x7f0775975b56263d6d04c5d1714f2ed8
NAS-Identifier = "cb-jur-vc0-11og"
NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 6 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 238
radius_xlat: 'nutzername'
modcall[authorize]: module "files" returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat: '(uid=nutzername)'
radius_xlat: 'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.
Login incorrect: [nutzername] (from client Juniper-EX port 0)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=242,
length=122
Sending Access-Reject of id 242 to 141.2.252.203:55558
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 38 with timestamp 496e0c0a
Cleaning up request 0 ID 60 with timestamp 496e0c0a
Cleaning up request 4 ID 62 with timestamp 496e0c0a
Cleaning up request 5 ID 77 with timestamp 496e0c0a
Cleaning up request 3 ID 100 with timestamp 496e0c0a
Cleaning up request 1 ID 226 with timestamp 496e0c0a
Cleaning up request 6 ID 242 with timestamp 496e0c0a
Nothing to do. Sleeping until we see a request.
[root@wlan1 ~]#
1
0
Hello,
Maybe I'm just too stupid to figure this one out, but I have been
googling around for several days trying to find a solution...
I am running freeradius on Mac OS X Server.
I have a Cisco WLC runnning several APs with multiple SSIDs.
Everything is working fine, except:
I have not found a way to limit access of a certain SSID to a certain
LDAP group.
I need to have different WLANs for different Users who are in LDAP
groups.
The user of group A should be able to use WLAN A but not WLAN B and so
on.
How on earth do I configure this?
Does anybody have any experience with this?
Thanks
Qurt
4
6
Hi ..i'm trying to send INVITE message between alice and bob.
and i want to call control using b2bua_radius.py (sippy http://b2bua.org/wiki/B2BUADocumentation) i.e i want call will
disconnect after 30 second and radius will generate Start/Stop
.
i did all the setup and also i don't want to redius server
Authentication/Authorization because
the my sip proxy i.e open-ims already did
Authentication/Authorization sing Md5-digest
so i want bypass. so i'm using following command
i'm not able to set -s flag for static routing and what will be value for this like
b2bua_radius.py ... -s '200110508667@b2bua.org;cli=16046288900;rid=-1;expires=30;np_expires=5;ash=Name%3AValue' .
or where radius get for this routing for dynamic routing like this
h323-ivr-in = 'Routing:200110508667@b2bua.org;cli=16046288900;rid=-1;expires=30;np_expires=5;ash=Name%3AValue'
[root@ngpchn sippy]# python b2bua_radius.py -fDU -l 172.18.3.52 -p 5065
-a 172.18.3.52 -k 3 -A 2 -m 30
i'm not pretty much sure about flag -s and how i will.
after successfully running all these component i found
when I INVITE for alice to bob
i found SIP/2.0 500 Internal Server Error (2)
then call able to connect but call not able to disconnect after 30
second e.i my requirement
another problem is when i hang up call after 30(manually ) only one
side call is dissconnet
and another side is continue .. i'm not able rectify the problem.
can any help me regarding resolve this problem also what i doing
roungh specially senting with
-s.
i'm attaching log file also....
waiting for positive responce..
Thanks
~Suresh
[root@ngpchn sippy]# python b2bua_radius.py -fD -l 172.18.3.52 -p 5065
-a 172.18.3.52 -k 3 -A 2 -m 30
14 Jan 16:03:13/GLOBAL/b2bua: RECEIVED message from 172.18.3.52:6060:
INVITE sip:bob@info-spectrum.com SIP/2.0
Record-Route: <sip:mo@scscf.info-spectrum.com:6060;lr>
Route: <sip:172.18.3.52:5065;lr>,
<sip:iscmark@scscf.info-spectrum.com:6060;lr;s=1;h=0;d=0;a=7369703a616c69636540696e666f2d737065637472756d2e636f6d>
Record-Route: <sip:mo@pcscf.info-spectrum.com:4060;lr>
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.8904bbf3.0
Via: SIP/2.0/UDP 172.18.3.52:4060;branch=z9hG4bKa35e.28aed705.0
Via: SIP/2.0/UDP 172.18.1.197:1976;rport=1976;branch=z9hG4bK7376
From: <sip:alice@info-spectrum.com>;tag=11382
To: <sip:bob@info-spectrum.com>
Call-ID: 1231924661763(a)172.18.1.197
CSeq: 901 INVITE
Max-Forwards: 15
Allow: INVITE,ACK,CANCEL,BYE,MESSAGE,OPTIONS,UPDATE,NOTIFY,PRACK
Contact: <sip:alice@172.18.1.197:1976;transport=udp>;expires=1000
User-Agent: Mercuro IMS Client Beta (4.0.1011.0)
Supported: sdp-anat
Content-Type: application/sdp
P-Access-Network-Info: 3GPP-UTRAN-TDD;utran-cell-id-3gpp=00000000
Privacy: none
Content-Length: 231
P-Asserted-Identity: <sip:alice@info-spectrum.com>
P-Charging-Vector:
icid-value="P-CSCFabcd496dbf6900000026";icid-generated-at=172.18.3.52;orig-ioi="info-spectrum.com"
Timestamp: 1231929193
v=0
o=- 3344 3344 IN IP4 172.18.1.197
s=Mercuro IMS Client Session
t=0 0
m=audio 31562 RTP/AVP 0 8 101
c=IN IP4 172.18.1.197
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
14 Jan 16:03:13/GLOBAL/b2bua: SENDING message to 172.18.3.52:6060:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.8904bbf3.0
Via: SIP/2.0/UDP 172.18.3.52:4060;branch=z9hG4bKa35e.28aed705.0
Via: SIP/2.0/UDP 172.18.1.197:1976;rport=1976;branch=z9hG4bK7376
Record-Route: <sip:mo@scscf.info-spectrum.com:6060;lr>
Record-Route: <sip:mo@pcscf.info-spectrum.com:4060;lr>
From: <sip:alice@info-spectrum.com>;tag=11382
To: <sip:bob@info-spectrum.com>
Call-ID: 1231924661763(a)172.18.1.197
CSeq: 901 INVITE
Server: Sippy B2BUA (RADIUS)
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: sending AAA request:
User-Name = '172.18.3.52'
Password = 'cisco'
Calling-Station-Id = 'alice'
Called-Station-Id = 'bob'
h323-conf-id = 'B8377C92 DF6642BB 25A7C3A3 D4E529CE'
call-id = '1231924661763(a)172.18.1.197'
h323-remote-address = '172.18.3.52'
h323-session-protocol = 'sipv2'
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: AAA request accepted
(delay is 0.030), processing response:
14 Jan 16:03:13/GLOBAL/b2bua: SENDING message to 172.18.3.52:6060:
SIP/2.0 500 Internal Server Error (2)
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.8904bbf3.0
Via: SIP/2.0/UDP 172.18.3.52:4060;branch=z9hG4bKa35e.28aed705.0
Via: SIP/2.0/UDP 172.18.1.197:1976;rport=1976;branch=z9hG4bK7376
Record-Route: <sip:mo@scscf.info-spectrum.com:6060;lr>
Record-Route: <sip:mo@pcscf.info-spectrum.com:4060;lr>
From: <sip:alice@info-spectrum.com>;tag=11382
To: <sip:bob@info-spectrum.com>;tag=d63760e38a4879ada2cf7f5c137369ac
Call-ID: 1231924661763(a)172.18.1.197
CSeq: 901 INVITE
Server: Sippy B2BUA (RADIUS)
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: sending Acct Stop (Answer):
h323-call-origin = 'answer'
h323-call-type = 'VoIP'
h323-session-protocol = 'sipv2'
h323-setup-time = '10:33:13.000 GMT Wed Jan 14 2009'
User-Name = '172.18.3.52'
Calling-Station-Id = 'alice'
Called-Station-Id = 'bob'
h323-conf-id = 'B8377C92 DF6642BB 25A7C3A3 D4E529CE'
call-id = '1231924661763(a)172.18.1.197'
Acct-Session-Id = '1231924661763(a)172.18.1.197'
h323-remote-address = '172.18.3.52'
h323-disconnect-time = '10:33:13.000 GMT Wed Jan 14 2009'
h323-connect-time = '10:33:13.000 GMT Wed Jan 14 2009'
Acct-Session-Time = '0'
h323-disconnect-cause = '29'
Acct-Status-Type = 'Stop'
14 Jan 16:03:13/GLOBAL/b2bua: RECEIVED message from 172.18.3.52:6060:
ACK sip:bob@info-spectrum.com SIP/2.0
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.8904bbf3.0
From: <sip:alice@info-spectrum.com>;tag=11382
Call-ID: 1231924661763(a)172.18.1.197
To: <sip:bob@info-spectrum.com>;tag=d63760e38a4879ada2cf7f5c137369ac
CSeq: 901 ACK
Route: <sip:orig@scscf.info-spectrum.com:6060;lr>
User-Agent: InfoIMS(1.0.0-dev1 InfoIMS (i386/linux))
Content-Length: 0
14 Jan 16:03:13/GLOBAL/b2bua: RECEIVED message from 172.18.3.52:6060:
INVITE sip:bob@info-spectrum.com SIP/2.0
Record-Route: <sip:mt@scscf.info-spectrum.com:6060;lr>
Route: <sip:172.18.3.52:5065;lr>,
<sip:iscmark@scscf.info-spectrum.com:6060;lr;s=1;h=0;d=1;a=7369703a626f6240696e666f2d737065637472756d2e636f6d>
Record-Route: <sip:mo@scscf.info-spectrum.com:6060;lr>
Record-Route: <sip:mo@pcscf.info-spectrum.com:4060;lr>
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.9904bbf3.0
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.8904bbf3.1
Via: SIP/2.0/UDP 172.18.3.52:4060;branch=z9hG4bKa35e.28aed705.0
Via: SIP/2.0/UDP 172.18.1.197:1976;rport=1976;branch=z9hG4bK7376
From: <sip:alice@info-spectrum.com>;tag=11382
To: <sip:bob@info-spectrum.com>
Call-ID: 1231924661763(a)172.18.1.197
CSeq: 901 INVITE
Max-Forwards: 14
Allow: INVITE,ACK,CANCEL,BYE,MESSAGE,OPTIONS,UPDATE,NOTIFY,PRACK
Contact: <sip:alice@172.18.1.197:1976;transport=udp>;expires=1000
User-Agent: Mercuro IMS Client Beta (4.0.1011.0)
Supported: sdp-anat
Content-Type: application/sdp
P-Access-Network-Info: 3GPP-UTRAN-TDD;utran-cell-id-3gpp=00000000
Privacy: none
Content-Length: 231
P-Asserted-Identity: <sip:alice@info-spectrum.com>
P-Charging-Vector:
icid-value="P-CSCFabcd496dbf6900000026";icid-generated-at=172.18.3.52;orig-ioi="info-spectrum.com"
Timestamp: 1231929193
v=0
o=- 3344 3344 IN IP4 172.18.1.197
s=Mercuro IMS Client Session
t=0 0
m=audio 31562 RTP/AVP 0 8 101
c=IN IP4 172.18.1.197
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
14 Jan 16:03:13/GLOBAL/b2bua: SENDING message to 172.18.3.52:6060:
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.9904bbf3.0
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.8904bbf3.1
Via: SIP/2.0/UDP 172.18.3.52:4060;branch=z9hG4bKa35e.28aed705.0
Via: SIP/2.0/UDP 172.18.1.197:1976;rport=1976;branch=z9hG4bK7376
Record-Route: <sip:mt@scscf.info-spectrum.com:6060;lr>
Record-Route: <sip:mo@scscf.info-spectrum.com:6060;lr>
Record-Route: <sip:mo@pcscf.info-spectrum.com:4060;lr>
From: <sip:alice@info-spectrum.com>;tag=11382
To: <sip:bob@info-spectrum.com>
Call-ID: 1231924661763(a)172.18.1.197
CSeq: 901 INVITE
Server: Sippy B2BUA (RADIUS)
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: sending AAA request:
User-Name = '172.18.3.52'
Password = 'cisco'
Calling-Station-Id = 'alice'
Called-Station-Id = 'bob'
h323-conf-id = '7EAC4F20 651D23F0 75C1FFA6 E6EE4BFA'
call-id = '1231924661763(a)172.18.1.197'
h323-remote-address = '172.18.3.52'
h323-session-protocol = 'sipv2'
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: AAA request accepted
(delay is 0.025), processing response:
14 Jan 16:03:13/GLOBAL/b2bua: SENDING message to 172.18.3.52:6060:
SIP/2.0 500 Internal Server Error (2)
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.9904bbf3.0
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.8904bbf3.1
Via: SIP/2.0/UDP 172.18.3.52:4060;branch=z9hG4bKa35e.28aed705.0
Via: SIP/2.0/UDP 172.18.1.197:1976;rport=1976;branch=z9hG4bK7376
Record-Route: <sip:mt@scscf.info-spectrum.com:6060;lr>
Record-Route: <sip:mo@scscf.info-spectrum.com:6060;lr>
Record-Route: <sip:mo@pcscf.info-spectrum.com:4060;lr>
From: <sip:alice@info-spectrum.com>;tag=11382
To: <sip:bob@info-spectrum.com>;tag=4d778ee83fef7504d306e1345f51b4dd
Call-ID: 1231924661763(a)172.18.1.197
CSeq: 901 INVITE
Server: Sippy B2BUA (RADIUS)
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: sending Acct Stop (Answer):
h323-call-origin = 'answer'
h323-call-type = 'VoIP'
h323-session-protocol = 'sipv2'
h323-setup-time = '10:33:13.000 GMT Wed Jan 14 2009'
User-Name = '172.18.3.52'
Calling-Station-Id = 'alice'
Called-Station-Id = 'bob'
h323-conf-id = '7EAC4F20 651D23F0 75C1FFA6 E6EE4BFA'
call-id = '1231924661763(a)172.18.1.197'
Acct-Session-Id = '1231924661763(a)172.18.1.197'
h323-remote-address = '172.18.3.52'
h323-disconnect-time = '10:33:13.000 GMT Wed Jan 14 2009'
h323-connect-time = '10:33:13.000 GMT Wed Jan 14 2009'
Acct-Session-Time = '0'
h323-disconnect-cause = '29'
Acct-Status-Type = 'Stop'
14 Jan 16:03:13/GLOBAL/b2bua: RECEIVED message from 172.18.3.52:6060:
ACK sip:bob@info-spectrum.com SIP/2.0
Via: SIP/2.0/UDP 172.18.3.52:6060;branch=z9hG4bKa35e.9904bbf3.0
From: <sip:alice@info-spectrum.com>;tag=11382
Call-ID: 1231924661763(a)172.18.1.197
To: <sip:bob@info-spectrum.com>;tag=4d778ee83fef7504d306e1345f51b4dd
CSeq: 901 ACK
User-Agent: InfoIMS(1.0.0-dev1 InfoIMS (i386/linux))
Content-Length: 0
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: Acct/answer request
accepted (delay is 0.083)
14 Jan 16:03:13/1231924661763@172.18.1.197/b2bua: Acct/answer request
accepted (delay is 0.071)
GC is invoked, 0 calls in map
0 client, 0 server transactions in memory
--------------------------------------------------------------------------------------
[root@ngpchn raddb]# radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Jan 13
2009 at 11:56:22
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client 172.18.3.52 {
ipaddr = 172.18.3.52
require_message_authenticator = no
secret = "testing123"
shortname = "local"
nastype = "portslave"
login = "!root"
password = "nopassword"
}
client 172.18.1.197 {
ipaddr = 172.18.1.197
require_message_authenticator = no
secret = "testing123"
shortname = "NTRadPing"
nastype = "portslave"
login = "!root"
password = "nopassword"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm info-spectrum.com {
nostrip
authhost = LOCAL
accthost = LOCAL
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 172.18.3.52
port = 1645
}
listen {
type = "acct"
ipaddr = 172.18.3.52
port = 1646
}
Listening on authentication address 172.18.3.52 port 1645
Listening on accounting address 172.18.3.52 port 1646
Listening on proxy address 172.18.3.52 port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.3.52 port 32957,
id=237, length=247
User-Name = "172.18.3.52"
User-Password = "cisco"
Calling-Station-Id = "alice"
Called-Station-Id = "bob"
h323-conf-id = "h323-conf-id=B8377C92 DF6642BB 25A7C3A3 D4E529CE"
Cisco-AVPair = "call-id=1231924661763(a)172.18.1.197"
h323-remote-address = "h323-remote-address=172.18.3.52"
Cisco-AVPair = "h323-session-protocol=sipv2"
NAS-Port = 5060
NAS-IP-Address = 172.18.3.52
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "172.18.3.52", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 172.18.3.52 at line 92
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 237 to 172.18.3.52 port 32957
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.18.3.52 port 32958,
id=238, length=540
h323-call-origin = "h323-call-origin=answer"
h323-call-type = "h323-call-type=VoIP"
Cisco-AVPair = "h323-session-protocol=sipv2"
h323-setup-time = "h323-setup-time=10:33:13.000 GMT Wed Jan 14 2009"
User-Name = "172.18.3.52"
Calling-Station-Id = "alice"
Called-Station-Id = "bob"
h323-conf-id = "h323-conf-id=B8377C92 DF6642BB 25A7C3A3 D4E529CE"
Cisco-AVPair = "call-id=1231924661763(a)172.18.1.197"
Acct-Session-Id = "1231924661763(a)172.18.1.197"
h323-remote-address = "h323-remote-address=172.18.3.52"
h323-disconnect-time = "h323-disconnect-time=10:33:13.000 GMT
Wed Jan 14 2009"
h323-connect-time = "h323-connect-time=10:33:13.000 GMT Wed Jan 14 2009"
Acct-Session-Time = 0
h323-disconnect-cause = "h323-disconnect-cause=29"
Acct-Status-Type = Stop
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 172.18.3.52
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 5060,Client-IP-Address =
172.18.3.52,NAS-IP-Address = 172.18.3.52,Acct-Session-Id =
"1231924661763(a)172.18.1.197",User-Name = "172.18.3.52"'
[acct_unique] Acct-Unique-Session-ID = "547b4ecb37f1696c".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "172.18.3.52", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/172.18.3.52/detail-20090114
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/172.18.3.52/detail-20090114
[detail] expand: %t -> Wed Jan 14 16:03:13 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 172.18.3.52
rlm_radutmp: Logout for NAS local port 5060, but no Login record
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 172.18.3.52
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 238 to 172.18.3.52 port 32958
Finished request 1.
Cleaning up request 1 ID 238 with timestamp +54
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.3.52 port 32959,
id=239, length=247
User-Name = "172.18.3.52"
User-Password = "cisco"
Calling-Station-Id = "alice"
Called-Station-Id = "bob"
h323-conf-id = "h323-conf-id=7EAC4F20 651D23F0 75C1FFA6 E6EE4BFA"
Cisco-AVPair = "call-id=1231924661763(a)172.18.1.197"
h323-remote-address = "h323-remote-address=172.18.3.52"
Cisco-AVPair = "h323-session-protocol=sipv2"
NAS-Port = 5060
NAS-IP-Address = 172.18.3.52
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "172.18.3.52", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 172.18.3.52 at line 92
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 239 to 172.18.3.52 port 32959
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 172.18.3.52 port 32960,
id=240, length=540
h323-call-origin = "h323-call-origin=answer"
h323-call-type = "h323-call-type=VoIP"
Cisco-AVPair = "h323-session-protocol=sipv2"
h323-setup-time = "h323-setup-time=10:33:13.000 GMT Wed Jan 14 2009"
User-Name = "172.18.3.52"
Calling-Station-Id = "alice"
Called-Station-Id = "bob"
h323-conf-id = "h323-conf-id=7EAC4F20 651D23F0 75C1FFA6 E6EE4BFA"
Cisco-AVPair = "call-id=1231924661763(a)172.18.1.197"
Acct-Session-Id = "1231924661763(a)172.18.1.197"
h323-remote-address = "h323-remote-address=172.18.3.52"
h323-disconnect-time = "h323-disconnect-time=10:33:13.000 GMT
Wed Jan 14 2009"
h323-connect-time = "h323-connect-time=10:33:13.000 GMT Wed Jan 14 2009"
Acct-Session-Time = 0
h323-disconnect-cause = "h323-disconnect-cause=29"
Acct-Status-Type = Stop
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 172.18.3.52
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 5060,Client-IP-Address =
172.18.3.52,NAS-IP-Address = 172.18.3.52,Acct-Session-Id =
"1231924661763(a)172.18.1.197",User-Name = "172.18.3.52"'
[acct_unique] Acct-Unique-Session-ID = "547b4ecb37f1696c".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "172.18.3.52", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/172.18.3.52/detail-20090114
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/172.18.3.52/detail-20090114
[detail] expand: %t -> Wed Jan 14 16:03:13 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 172.18.3.52
rlm_radutmp: Logout for NAS local port 5060, but no Login record
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 172.18.3.52
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 240 to 172.18.3.52 port 32960
Finished request 3.
Cleaning up request 3 ID 240 with timestamp +54
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 237 with timestamp +54
Cleaning up request 2 ID 239 with timestamp +54
Ready to process requests.
2
1
Hello All,
I would like to know if it's possible to have more then one authenticaton backend with Freeradius.
Let's say I have User1 on OpenLDAP and User2 On Microosft Windows Active Directory.
I configure my device to send Authentication request (Radius) to Freeradius. User1 and User2 should be able to authentice.
I was able to make it work separetly but not both at the same time
Thanks for your reply.
2
1
I need a script by recognizing the class of a particular danger to my
network, so in this way create a basis for any number of classes that
would not and thus deny access.
What is rlm_eap_tnc?
_________________________________________________________________
Disfrutá los mejores contenidos en MSN Video.
http://video.msn.com/?mkt=es-xl
2
1
Hi all,
I'm trying to monitor my radius servers using The Dude by Mikrotik.
Here, there's not a prebuild check, but there's a radius test, made in UDP
on port 1812, where I have to manually set the "sent string" and the
"received string".
How is a radius request made, or where can I find some docs about it?
When I send a request with the default string, on the radius I receive:
Wed Jan 14 08:55:45 2009 : Error: WARNING: Malformed RADIUS packet from host
xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet
Wed Jan 14 08:55:55 2009 : Error: WARNING: Malformed RADIUS packet from host
xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet
Wed Jan 14 08:56:30 2009 : Error: WARNING: Malformed RADIUS packet from host
xxx.xxx.xxx.xxx: packet attributes do NOT exactly fill the packet
Thanks,
Andrea
3
4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi folks,
I've deployed FR2 to service 802.1X wireless authentication (Cisco LWAPP
infrastructure), and it's working splendidly from the users'
perspective. Accounting, however, is acting weirdly, and I have yet to
determine why. 'radlast' gives output like this:
gsmith 029:CvbP6g 10.1.2.3 Tue Jan 13 17:48 - 17:54 (00:06)
mjones 029:CvbP9A 10.2.8.9 Tue Jan 13 17:25 - 17:34 (00:09)
mjones 029:CvbP9A 192.168.2.2 Tue Jan 13 17:25 - 17:25 (00:00)
bblack 029:CvbP9A 10.1.1.9 Tue Jan 13 17:24 - 17:25 (00:01)
cwhite 029:CvbP6g 10.1.2.4 Tue Jan 13 17:23 - 17:24 (00:00)
cwhite 029:CvbP6g 10.1.2.4 Tue Jan 13 17:23 - 17:23 (00:00)
cwhite 029:CvbP6g 10.250.59.255 Tue Jan 13 17:23 - 17:23 (00:00)
cwhite 029:CvbP6g 10.250.59.255 Tue Jan 13 17:23 - 17:23 (00:00)
mbrown 029:CvbP9A 10.9.8.7 Tue Jan 13 17:23 - 17:24 (00:00)
mbrown 029:CvbP9A 192.168.0.6 Tue Jan 13 17:23 - 17:23 (00:00)
...
(note the very brief session lengths)
'radwho' reacts accordingly, only listing those users whose very brief
window of "accounting existence" has not yet closed.
If you've heard this tune before, please feel free to send a link to the
appropriate mailing list thread or wiki article.
The LWAPP controllers send accounting start packets to the RADIUS server
as expected, but shortly thereafter, send accounting stop messages. I
fell asleep part of the way through RFC3580, so I humbly ask the
experts: is this "correct" behavior, consistent with the protocol (or at
least, most implementations of the protocol)? Do most 802.1X
authenticators not wait for actual port closure to send an accounting
stop message?
In a thread from back in June of 2008, (Vol 38, Issues 116, 121, and
122: "radacct/radutmp out of sync"), Alan refers to radutmp as a hack,
and recommends moving to an SQL database. Is this the way I should be
going? People around here like 'radwho', but I'm happy to write a script
called 'radwho' that performs an SQL query. And if this is a known
issue, is there a widely-accepted method for addressing the lack of
coincidence between the accounting stop messages and actual closure of
the port, or is everyone left to make their own assumptions about that?
Many thanks,
- -sth
sam hooker|http://www.noiseplant.com|i am between the internet
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkltH6sACgkQX8KByLv3aQ3s2ACeOfKWRSa9nZ3bSwebBcitcrL8
VqoAnjA8DoRUjwBUqkwMBs7qOiDmhGOd
=SXac
-----END PGP SIGNATURE-----
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
4
3