Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2009
- 178 participants
- 250 discussions
Hello,
Can i execute an external program when authentication, authorization and
accounting events occurs (different program in each case)?
Thanks.
3
4
Hi,
I've been successfully using FreeRADIUS 1.1.4 to authenticate users
against Active Directory using LDAP and a plaintext password.
In the authorize section FreeRADIUS anonymously binds to our LDAP server
(Active Directory) and searches for the user identified in the
Access-Request (in my case we change the default search filter to
'sAMAccountName' as our AD doesn't contain 'uid'). If a match is found I
think the user's full Distinguised Name (e.g.
CN=bill,DC=foo,DC=ac,DC=uk) is added to the list of check items, and
Auth-Type is set to 'ldap'. In the authenticate section, FreeRADIUS
binds to the LDAP server using the user's full DN and the password
supplied in the Access-Request. If the bind is successful, the user is
authenticated because the password must have been correct.
I've recently updated a server to FreeRADIUS 2.1.3 and all
authentications now fail. LDAP is not set as the authentication method
during the authorize section. I don't know why as I can't seen any
configuration options which I've set differently between the two
versions. I still get the debug message "Info: [ldap] user <username>
authorized to use remote access" in the authorize section, so this
suggests that the anonymous bind and search work ok.
Does any one have any ideas? Have I made a stupid configuration error,
or did I miss something in the latest documentation?
Thanks in advance for any help,
Mark.
This is the debug output for version 1.1.4...
rad_recv: Access-Request packet from host 127.0.0.1:56359,
id=216, length=45
User-Name = "bill"
User-Password = "blahblah"
Sun Mar 15 18:07:11 2009 : Debug: Processing the authorize
section of radiusd.conf
Sun Mar 15 18:07:11 2009 : Debug: modcall: entering group
authorize for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
calling preprocess (rlm_preprocess) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
returned from preprocess (rlm_preprocess) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module
"preprocess" returns ok for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
calling chap (rlm_chap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
returned from chap (rlm_chap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module
"chap" returns noop for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
calling mschap (rlm_mschap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
returned from mschap (rlm_mschap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module
"mschap" returns noop for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
calling digest (rlm_digest) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
returned from digest (rlm_digest) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module
"digest" returns noop for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
calling eap (rlm_eap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_eap: No EAP-Message, not
doing EAP
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
returned from eap (rlm_eap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module
"eap" returns noop for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
calling ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: - authorize
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: performing user
authorization for bill
Sun Mar 15 18:07:11 2009 : Debug: radius_xlat:
'(sAMAccountName=bill)'
Sun Mar 15 18:07:11 2009 : Debug: radius_xlat:
'dc=foo,dc=ac,dc=uk'
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: ldap_get_conn:
Checking Id: 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: ldap_get_conn: Got
Id: 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: attempting LDAP
reconnection
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: (re)connect to
ad.foo.ac.uk:389, authentication 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: bind as / to
ad.foo.ac.uk:389
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: waiting for bind
result ...
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: Bind was successful
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: performing search in
dc=foo,dc=ac,dc=uk, with filter (sAMAccountName=bill)
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: looking for check
items in directory...
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: looking for reply
items in directory...
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: Setting Auth-Type =
ldap
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: user bill authorized
to use remote access
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: ldap_release_conn:
Release Id: 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
returned from ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module
"ldap" returns ok for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
calling pap (rlm_pap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_pap: WARNING! No "known
good" password found for the user. Authentication may fail because of
this.
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]:
returned from pap (rlm_pap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module
"pap" returns noop for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall: leaving group
authorize (returns ok) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rad_check_password: Found
Auth-Type ldap
Sun Mar 15 18:07:11 2009 : Debug: auth: type "LDAP"
Sun Mar 15 18:07:11 2009 : Debug: Processing the authenticate
section of radiusd.conf
Sun Mar 15 18:07:11 2009 : Debug: modcall: entering group LDAP
for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authenticate]:
calling ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: - authenticate
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: login attempt by
"bill" with password "blahblah"
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: user DN:
CN=bill,dc=foo,dc=ac,dc=uk
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: (re)connect to
ad.foo.ac.uk:389, authentication 1
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: bind as
CN=bill,dc=foo,dc=ac,dc=uk/blahblah to ad.foo.ac.uk:389
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: waiting for bind
result ...
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: Bind was successful
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: user bill
authenticated succesfully
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authenticate]:
returned from ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authenticate]:
module "ldap" returns ok for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall: leaving group LDAP
(returns ok) for request 0
Sun Mar 15 18:07:11 2009 : Auth: Login OK: [bill] (from client
localNas port 0)
Sending Access-Accept of id 216 to 127.0.0.1 port 56359
Sun Mar 15 18:07:11 2009 : Debug: Finished request 0
Sun Mar 15 18:07:11 2009 : Debug: Going to the next request
Sun Mar 15 18:07:11 2009 : Debug: --- Walking the entire request
list ---
Sun Mar 15 18:07:11 2009 : Debug: Waking up in 6 seconds...
Sun Mar 15 18:07:17 2009 : Debug: --- Walking the entire request
list ---
Sun Mar 15 18:07:17 2009 : Debug: Cleaning up request 0 ID 216
with timestamp 49bd43cf
Sun Mar 15 18:07:17 2009 : Debug: Nothing to do. Sleeping until
we see a request.
And this is the debug output for version 2.1.3...
rad_recv: Access-Request packet from host 127.0.0.1 port 32787,
id=186, length=27
User-Name = "bill"
Sun Mar 15 17:59:37 2009 : Info: +- entering group authorize
{...}
Sun Mar 15 17:59:37 2009 : Info: ++[preprocess] returns ok
Sun Mar 15 17:59:37 2009 : Info: [auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20090315
Sun Mar 15 17:59:37 2009 : Info: [auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20090315
Sun Mar 15 17:59:37 2009 : Info: [auth_log] expand: %t ->
Sun Mar 15 17:59:37 2009
Sun Mar 15 17:59:37 2009 : Info: ++[auth_log] returns ok
Sun Mar 15 17:59:37 2009 : Info: [ldap] performing user
authorization for bill
Sun Mar 15 17:59:37 2009 : Info: [ldap] WARNING: Deprecated
conditional expansion ":-". See "man unlang" for details
Sun Mar 15 17:59:37 2009 : Info: [ldap] expand:
(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=bill)
Sun Mar 15 17:59:37 2009 : Info: [ldap] expand:
dc=foo,dc=ac,dc=uk -> dc=foo,dc=ac,dc=uk
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: ldap_get_conn:
Checking Id: 0
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: ldap_get_conn: Got
Id: 0
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: attempting LDAP
reconnection
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: (re)connect to
logon02.fed.cclrc.ac.uk:389, authentication 0
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: bind as / to
logon02.fed.cclrc.ac.uk:389
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: waiting for bind
result ...
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: Bind was successful
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: performing search in
dc=foo,dc=ac,dc=uk, with filter (sAMAccountName=bill)
Sun Mar 15 17:59:38 2009 : Info: [ldap] looking for check items
in directory...
Sun Mar 15 17:59:38 2009 : Info: [ldap] looking for reply items
in directory...
Sun Mar 15 17:59:38 2009 : Debug: WARNING: No "known good"
password was found in LDAP. Are you sure that the user is configured
correctly?
Sun Mar 15 17:59:38 2009 : Info: [ldap] user bill authorized to
use remote access
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: ldap_release_conn:
Release Id: 0
Sun Mar 15 17:59:38 2009 : Info: ++[ldap] returns ok
Sun Mar 15 17:59:38 2009 : Info: ++[expiration] returns noop
Sun Mar 15 17:59:38 2009 : Info: ++[logintime] returns noop
Sun Mar 15 17:59:38 2009 : Info: No authenticate method
(Auth-Type) configuration found for the request: Rejecting the user
Sun Mar 15 17:59:38 2009 : Info: Failed to authenticate the
user.
Sun Mar 15 17:59:38 2009 : Auth: Login incorrect: [bill] (from
client localNas port 0)
Sun Mar 15 17:59:38 2009 : Info: Using Post-Auth-Type Reject
Sun Mar 15 17:59:38 2009 : Info: +- entering group REJECT {...}
Sun Mar 15 17:59:38 2009 : Info: [attr_filter.access_reject]
expand: %{User-Name} -> bill
Sun Mar 15 17:59:38 2009 : Debug: attr_filter: Matched entry
DEFAULT at line 11
Sun Mar 15 17:59:38 2009 : Info: ++[attr_filter.access_reject]
returns updated
Sun Mar 15 17:59:38 2009 : Info: Delaying reject of request 0
for 1 seconds
Sun Mar 15 17:59:38 2009 : Debug: Going to the next request
Sun Mar 15 17:59:38 2009 : Debug: Waking up in 0.9 seconds.
Sun Mar 15 17:59:38 2009 : Info: Sending delayed reject for
request 0
Sending Access-Reject of id 186 to 127.0.0.1 port 32787
Sun Mar 15 17:59:38 2009 : Debug: Waking up in 4.9 seconds.
Sun Mar 15 17:59:43 2009 : Info: Cleaning up request 0 ID 186
with timestamp +91
Sun Mar 15 17:59:43 2009 : Debug: Ready to process requests.
3
5
16 Mar '09
I'm a relatively new freeradius user so I am not really an expert with it.
In our project, depending on a user's authentication/authorization by the
server, we need to send an "unlock/lock" byte to a microcontroller
(connected to /dev/ttyUSB0, by the way).
So where do I start with the solution? Can I run a certain code/program
automatically once the server authenticates a user?
Are there any previous applications similar to this?
Our installed version is 2.1.0+dfsg-0ubuntu2, running on Ubuntu 8.10.
The backend database we used is MySql.
Thanks in advance.
Rex Dizon
2
1
Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
by Peter Param 16 Mar '09
by Peter Param 16 Mar '09
16 Mar '09
>Did you try RE-BUILDING the server when you only had one version of
>OpenSSL installed?
I did that and the SSL_CTX_ERROR message is now gone and radiusd runs
successfully. However it won't accept encrypted authentication requests:
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to secureldapcentral.stvincents.com.au:636, authentication
0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to
certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as
cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU/abc123 to
secureldapcentral.stvincents.com.au:636
rlm_ldap: waiting for bind result ...
rlm_ldap: ldap_result()
rlm_ldap: cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU bind to
secureldapcentral.stvincents.com.au:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
I can authenticate to the ldap backend with an ldap client using port 636 but not
with freeradius.
The complete -X output:
radius02:/etc/freeradius# radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 16 2009 at
11:45:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/people_search
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/etc"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client 127.0.0.1 {
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 10.56.48.0/20 {
require_message_authenticator = no
secret = "testing123"
shortname = "patient-wireless-network-1"
nastype = "other"
}
client 10.56.0.0/20 {
require_message_authenticator = no
secret = testing123"
shortname = "wireless-network-1"
nastype = "cisco"
}
client 10.57.11.12 {
require_message_authenticator = no
secret = "testing123"
shortname = "wireless-network-1"
}
client 203.20.164.0/24 {
require_message_authenticator = no
secret = "testing123"
shortname = "campusvpn"
nastype = "cisco.vpn3000"
}
client 10.56.13.161 {
require_message_authenticator = no
secret = "testing123"
shortname = "svhxvr01acs01"
nastype = "cisco"
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_expr
Module: Instantiating expr
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_ldap
Module: Instantiating roles_search
ldap roles_search {
server = "secureldapcentral.stvincents.com.au"
port = 636
password = "testing123"
identity =
"cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = yes
start_tls = no
tls_cacertfile = "certs/SVMHS_CA_SSL_Server.pem"
tls_require_cert = "never"
basedn = "ou=roles,ou=darlinghurst,ou=nsw,o=schs,c=au"
filter = "(cn=%u)"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "SHA-Password"
auto_header = yes
access_attr = "cn"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute roles_search-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for roles_search-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name roles_search
rlm_ldap: Over-riding set_auth_type, as there is no module roles_search listed in
the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusSessionTerminateTime mapped to RADIUS
WISPr-Session-Terminate-Time
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
rlm_ldap: LDAP cVPN3000-Access-Hours mapped to RADIUS Access-Hours
rlm_ldap: LDAP cVPN3000-Simultaneous-Logins mapped to RADIUS Simultaneous-Logins
rlm_ldap: LDAP cVPN3000-Primary-DNS mapped to RADIUS Primary-DNS
rlm_ldap: LDAP cVPN3000-Secondary-DNS mapped to RADIUS Secondary-DNS
rlm_ldap: LDAP cVPN3000-Primary-WINS mapped to RADIUS Primary-WINS
rlm_ldap: LDAP cVPN3000-Primary-WINS mapped to RADIUS Secondary-WINS
rlm_ldap: LDAP cVPN3000-SEP-Card-Assignment mapped to RADIUS SEP-Card-Assignment
rlm_ldap: LDAP cVPN3000-Tunneling-Protocols mapped to RADIUS Tunneling-Protocols
rlm_ldap: LDAP cVPN3000-IPSec-Sec-Association mapped to RADIUS
IPSec-Sec-Association
rlm_ldap: LDAP cVPN3000-IPSec-Authentication mapped to RADIUS
IPSec-Authentication
rlm_ldap: LDAP cVPN3000-IPSec-Banner1 mapped to RADIUS IPSec-Banner1
rlm_ldap: LDAP cVPN3000-IPSec-Allow-Passwd-Store mapped to RADIUS
IPSec-Allow-Passwd-Store
rlm_ldap: LDAP cVPN3000-Use-Client-Address mapped to RADIUS Use-Client-Address
rlm_ldap: LDAP cVPN3000-PPTP-Encryption mapped to RADIUS PPTP-Encryption
rlm_ldap: LDAP cVPN3000-L2TP-Encryption mapped to RADIUS L2TP-Encryption
rlm_ldap: LDAP cVPN3000-IPSec-Split-Tunnel-List mapped to RADIUS
IPSec-Split-Tunnel-List
rlm_ldap: LDAP cVPN3000-IPSec-Default-Domain mapped to RADIUS
IPSec-Default-Domain
rlm_ldap: LDAP cVPN3000-IPSec-Split-DNS-Names mapped to RADIUS
IPSec-Split-DNS-Names
rlm_ldap: LDAP cVPN3000-IPSec-Tunnel-Type mapped to RADIUS IPSec-Tunnel-Type
rlm_ldap: LDAP cVPN3000-IPSec-Mode-Config mapped to RADIUS IPSec-Mode-Config
rlm_ldap: LDAP cVPN3000-IPSec-User-Group-Lock mapped to RADIUS
IPSec-User-Group-Lock
rlm_ldap: LDAP cVPN3000-IPSec-Over-UDP mapped to RADIUS IPSec-Over-UDP
rlm_ldap: LDAP cVPN3000-IPSec-Over-UDP-Port mapped to RADIUS IPSec-Over-UDP-Port
rlm_ldap: LDAP cVPN3000-IPSec-Banner2 mapped to RADIUS IPSec-Banner2
rlm_ldap: LDAP cVPN3000-PPTP-MPPC-Compression mapped to RADIUS
PPTP-MPPC-Compression
rlm_ldap: LDAP cVPN3000-L2TP-MPPC-Compression mapped to RADIUS
L2TP-MPPC-Compression
rlm_ldap: LDAP cVPN3000-IPSec-IP-Compression mapped to RADIUS
IPSec-IP-Compression
rlm_ldap: LDAP cVPN3000-IPSec-IKE-Peer-ID-Check mapped to RADIUS
IPSec-IKE-Peer-ID-Check
rlm_ldap: LDAP cVPN3000-IKE-Keep-Alives mapped to RADIUS IKE-Keep-Alives
rlm_ldap: LDAP cVPN3000-IPSec-Auth-On-Rekey mapped to RADIUS IPSec-Auth-On-Rekey
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Vendor-Code mapped to RADIUS
Reqrd-Client-Fw-Vendor-Code
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Product-Code mapped to RADIUS
Reqrd-Client-Fw-Product-Code
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Description mapped to RADIUS
Reqrd-Client-Fw-Description
rlm_ldap: LDAP cVPN3000-Require-HW-Client-Auth mapped to RADIUS
Reqr-HW-Client-Auth
rlm_ldap: LDAP cVPN3000-Require-Individual-User-Auth mapped to RADIUS
Reqr-Individual-User-Auth
rlm_ldap: LDAP cVPN3000-Authenticated-User-Idle-Timeout mapped to RADIUS
Authd-User-Idle-Timeout
rlm_ldap: LDAP cVPN3000-Cisco-IP-Phone-Bypass mapped to RADIUS
Cisco-IP-Phone-Bypass
rlm_ldap: LDAP cVPN3000-IPSec-Split-Tunneling-Policy mapped to RADIUS
IPSec-Split-Tunneling-Policy
rlm_ldap: LDAP cVPN3000-IPSec-Required-Client-Firewall-Capability mapped to
RADIUS IPSec-Reqrd-Client-Fw-Cap
rlm_ldap: LDAP cVPN3000-IPSec-Client-Firewall-Filter-Name mapped to RADIUS
IPSec-Client-Fw-Filter-Name
rlm_ldap: LDAP cVPN3000-IPSec-Client-Firewall-Filter-Optional mapped to RADIUS
IPSec-Client-Fw-Filter-Opt
rlm_ldap: LDAP cVPN3000-IPSec-Backup-Servers mapped to RADIUS
IPSec-Backup-Servers
rlm_ldap: LDAP cVPN3000-IPSec-Backup-Server-List mapped to RADIUS
IPSec-Backup-Server-List
rlm_ldap: LDAP cVPN3000-Client-Intercept-DHCP-Configure-Msg mapped to RADIUS
MS-Client-Icpt-DHCP-Conf-Msg
rlm_ldap: LDAP cVPN3000-MS-Client-Subnet-Mask mapped to RADIUS
MS-Client-Subnet-Mask
rlm_ldap: LDAP cVPN3000-Allow-Network-Extension-Mode mapped to RADIUS
Allow-Network-Extension-Mode
rlm_ldap: LDAP cVPN3000-Strip-Realm mapped to RADIUS Strip-Realm
rlm_ldap: LDAP Cisco-AVPair mapped to RADIUS Cisco-AVPair
rlm_ldap: LDAP cVPN3000-Confidence-Interval mapped to RADIUS
IKE-KeepAlive-Confidence-Interval
rlm_ldap: LDAP cVPN3000-Cisco-LEAP-Bypass mapped to RADIUS Cisco-LEAP-Bypass
rlm_ldap: LDAP cVPN3000-DHCP-Network-Scope mapped to RADIUS DHCP-Network-Scope
rlm_ldap: LDAP cVPN3000-Client-Type-Version-Limiting mapped to RADIUS
Client-Type-Version-Limiting
rlm_ldap: LDAP cVPN3000-WebVPN-Content-Filter-Parameters mapped to RADIUS
WebVPN-Content-Filter-Parameters
rlm_ldap: LDAP cVPN3000-Port-Forwarding-Name mapped to RADIUS
WebVPN-Port-Forwarding-Name
rlm_ldap: LDAP cVPN3000-IETF-Radius-Session-Timeout mapped to RADIUS
IETF-Radius-Session-Timeout
rlm_ldap: LDAP cVPN3000-IETF-Radius-Idle-Timeout mapped to RADIUS
IETF-Radius-Idle-Timeout
rlm_ldap: LDAP cVPN3000-Authorization-Required mapped to RADIUS
Authorization-Required
rlm_ldap: LDAP cVPN3000-Authorization-Type mapped to RADIUS Authorization-Type
rlm_ldap: LDAP cVPN3000-DN-Field mapped to RADIUS DN-Field
rlm_ldap: LDAP cVPN3000-WebVPN-URL-List mapped to RADIUS WebVPN-URL-List
rlm_ldap: LDAP cVPN3000-WebVPN-Forwarded-Ports mapped to RADIUS
WebVPN-Forwarded-Ports
rlm_ldap: LDAP cVPN3000-WebVPN-ACL-Filters mapped to RADIUS WebVPN-ACL-Filters
rlm_ldap: LDAP cVPN3000-WebVPN-Homepage mapped to RADIUS WebVPN-Homepage
rlm_ldap: LDAP cVPN3000-WebVPN-Single-Sign-On-Server-Name mapped to RADIUS
WebVPN-Single-Sign-On-Server-Name
rlm_ldap: LDAP cVPN3000-WebVPN-URL-Entry-Enable mapped to RADIUS
WebVPN-URL-Entry-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Access-Enable mapped to RADIUS
WebVPN-File-Access-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Server-Entry-Enable mapped to RADIUS
WebVPN-File-Server-Entry-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Server-Browsing-Enable mapped to RADIUS
WebVPN-File-Server-Browsing-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Enable mapped to RADIUS
WebVPN-Port-Forwarding-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Exchange-Proxy-Enable mapped to
RADIUS WebVPN-Outlook-Exchange-Proxy-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-HTTP-Proxy-Enable mapped to RADIUS
WebVPN-Port-Forwarding-HTTP-Proxy-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Auto-Download-Enable mapped to
RADIUS WebVPN-Auto-Applet-Download-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Citrix-Support-Enable mapped to RADIUS
WebVPN-Citrix-Metaframe-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Apply-ACL-Enable mapped to RADIUS
WebVPN-Apply-ACL
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Required-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Required
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Keep-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Keep-Installation
rlm_ldap: LDAP cVPN3000-IE-Proxy-Server mapped to RADIUS IE-Proxy-Server
rlm_ldap: LDAP cVPN3000-IE-Proxy-Method mapped to RADIUS IE-Proxy-Server-Policy
rlm_ldap: LDAP cVPN3000-IE-Proxy-Exception-List mapped to RADIUS
IE-Proxy-Exception-List
rlm_ldap: LDAP cVPN3000-IE-Proxy-Bypass-Local mapped to RADIUS
IE-Proxy-Bypass-Local
rlm_ldap: LDAP cVPN3000-Tunnel-Group-Lock mapped to RADIUS Tunnel-Group-Lock
rlm_ldap: LDAP cVPN3000-Firewall-ACL-In mapped to RADIUS Access-List-Inbound
rlm_ldap: LDAP cVPN3000-Firewall-ACL-Out mapped to RADIUS Access-List-Outbound
rlm_ldap: LDAP cVPN3000-PFS-Required mapped to RADIUS PFS-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Keepalive mapped to RADIUS
WebVPN-SSL-VPN-Client-Keepalive
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Client-DPD mapped to RADIUS
WebVPN-SSL-VPN-Client-Client-DPD
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Gateway-DPD mapped to RADIUS
WebVPN-SSL-VPN-Client-Gateway-DPD
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Rekey-Period mapped to RADIUS
WebVPN-SSL-VPN-Client-Rekey-Period
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Rekey-Method mapped to RADIUS
WebVPN-SSL-VPN-Client-Rekey-Method
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Compression mapped to RADIUS
WebVPN-SSL-VPN-Client-Compression
conns: 0x817c1b0
Module: Instantiating people_search
ldap people_search {
server = "secureldapcentral.stvincents.com.au"
port = 636
password = "testing123"
identity =
"cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = yes
start_tls = no
tls_cacertfile = "certs/SVMHS_CA_SSL_Server.pem"
tls_require_cert = "never"
basedn = "ou=people,ou=darlinghurst,ou=nsw,o=schs,c=au"
filter = "(cn=%u)"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "SHA-Password"
auto_header = yes
access_attr = "cn"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute people_search-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for people_search-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name people_search
rlm_ldap: Over-riding set_auth_type, as there is no module people_search listed
in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusSessionTerminateTime mapped to RADIUS
WISPr-Session-Terminate-Time
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
rlm_ldap: LDAP cVPN3000-Access-Hours mapped to RADIUS Access-Hours
rlm_ldap: LDAP cVPN3000-Simultaneous-Logins mapped to RADIUS Simultaneous-Logins
rlm_ldap: LDAP cVPN3000-Primary-DNS mapped to RADIUS Primary-DNS
rlm_ldap: LDAP cVPN3000-Secondary-DNS mapped to RADIUS Secondary-DNS
rlm_ldap: LDAP cVPN3000-Primary-WINS mapped to RADIUS Primary-WINS
rlm_ldap: LDAP cVPN3000-Primary-WINS mapped to RADIUS Secondary-WINS
rlm_ldap: LDAP cVPN3000-SEP-Card-Assignment mapped to RADIUS SEP-Card-Assignment
rlm_ldap: LDAP cVPN3000-Tunneling-Protocols mapped to RADIUS Tunneling-Protocols
rlm_ldap: LDAP cVPN3000-IPSec-Sec-Association mapped to RADIUS
IPSec-Sec-Association
rlm_ldap: LDAP cVPN3000-IPSec-Authentication mapped to RADIUS
IPSec-Authentication
rlm_ldap: LDAP cVPN3000-IPSec-Banner1 mapped to RADIUS IPSec-Banner1
rlm_ldap: LDAP cVPN3000-IPSec-Allow-Passwd-Store mapped to RADIUS
IPSec-Allow-Passwd-Store
rlm_ldap: LDAP cVPN3000-Use-Client-Address mapped to RADIUS Use-Client-Address
rlm_ldap: LDAP cVPN3000-PPTP-Encryption mapped to RADIUS PPTP-Encryption
rlm_ldap: LDAP cVPN3000-L2TP-Encryption mapped to RADIUS L2TP-Encryption
rlm_ldap: LDAP cVPN3000-IPSec-Split-Tunnel-List mapped to RADIUS
IPSec-Split-Tunnel-List
rlm_ldap: LDAP cVPN3000-IPSec-Default-Domain mapped to RADIUS
IPSec-Default-Domain
rlm_ldap: LDAP cVPN3000-IPSec-Split-DNS-Names mapped to RADIUS
IPSec-Split-DNS-Names
rlm_ldap: LDAP cVPN3000-IPSec-Tunnel-Type mapped to RADIUS IPSec-Tunnel-Type
rlm_ldap: LDAP cVPN3000-IPSec-Mode-Config mapped to RADIUS IPSec-Mode-Config
rlm_ldap: LDAP cVPN3000-IPSec-User-Group-Lock mapped to RADIUS
IPSec-User-Group-Lock
rlm_ldap: LDAP cVPN3000-IPSec-Over-UDP mapped to RADIUS IPSec-Over-UDP
rlm_ldap: LDAP cVPN3000-IPSec-Over-UDP-Port mapped to RADIUS IPSec-Over-UDP-Port
rlm_ldap: LDAP cVPN3000-IPSec-Banner2 mapped to RADIUS IPSec-Banner2
rlm_ldap: LDAP cVPN3000-PPTP-MPPC-Compression mapped to RADIUS
PPTP-MPPC-Compression
rlm_ldap: LDAP cVPN3000-L2TP-MPPC-Compression mapped to RADIUS
L2TP-MPPC-Compression
rlm_ldap: LDAP cVPN3000-IPSec-IP-Compression mapped to RADIUS
IPSec-IP-Compression
rlm_ldap: LDAP cVPN3000-IPSec-IKE-Peer-ID-Check mapped to RADIUS
IPSec-IKE-Peer-ID-Check
rlm_ldap: LDAP cVPN3000-IKE-Keep-Alives mapped to RADIUS IKE-Keep-Alives
rlm_ldap: LDAP cVPN3000-IPSec-Auth-On-Rekey mapped to RADIUS IPSec-Auth-On-Rekey
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Vendor-Code mapped to RADIUS
Reqrd-Client-Fw-Vendor-Code
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Product-Code mapped to RADIUS
Reqrd-Client-Fw-Product-Code
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Description mapped to RADIUS
Reqrd-Client-Fw-Description
rlm_ldap: LDAP cVPN3000-Require-HW-Client-Auth mapped to RADIUS
Reqr-HW-Client-Auth
rlm_ldap: LDAP cVPN3000-Require-Individual-User-Auth mapped to RADIUS
Reqr-Individual-User-Auth
rlm_ldap: LDAP cVPN3000-Authenticated-User-Idle-Timeout mapped to RADIUS
Authd-User-Idle-Timeout
rlm_ldap: LDAP cVPN3000-Cisco-IP-Phone-Bypass mapped to RADIUS
Cisco-IP-Phone-Bypass
rlm_ldap: LDAP cVPN3000-IPSec-Split-Tunneling-Policy mapped to RADIUS
IPSec-Split-Tunneling-Policy
rlm_ldap: LDAP cVPN3000-IPSec-Required-Client-Firewall-Capability mapped to
RADIUS IPSec-Reqrd-Client-Fw-Cap
rlm_ldap: LDAP cVPN3000-IPSec-Client-Firewall-Filter-Name mapped to RADIUS
IPSec-Client-Fw-Filter-Name
rlm_ldap: LDAP cVPN3000-IPSec-Client-Firewall-Filter-Optional mapped to RADIUS
IPSec-Client-Fw-Filter-Opt
rlm_ldap: LDAP cVPN3000-IPSec-Backup-Servers mapped to RADIUS
IPSec-Backup-Servers
rlm_ldap: LDAP cVPN3000-IPSec-Backup-Server-List mapped to RADIUS
IPSec-Backup-Server-List
rlm_ldap: LDAP cVPN3000-Client-Intercept-DHCP-Configure-Msg mapped to RADIUS
MS-Client-Icpt-DHCP-Conf-Msg
rlm_ldap: LDAP cVPN3000-MS-Client-Subnet-Mask mapped to RADIUS
MS-Client-Subnet-Mask
rlm_ldap: LDAP cVPN3000-Allow-Network-Extension-Mode mapped to RADIUS
Allow-Network-Extension-Mode
rlm_ldap: LDAP cVPN3000-Strip-Realm mapped to RADIUS Strip-Realm
rlm_ldap: LDAP Cisco-AVPair mapped to RADIUS Cisco-AVPair
rlm_ldap: LDAP cVPN3000-Confidence-Interval mapped to RADIUS
IKE-KeepAlive-Confidence-Interval
rlm_ldap: LDAP cVPN3000-Cisco-LEAP-Bypass mapped to RADIUS Cisco-LEAP-Bypass
rlm_ldap: LDAP cVPN3000-DHCP-Network-Scope mapped to RADIUS DHCP-Network-Scope
rlm_ldap: LDAP cVPN3000-Client-Type-Version-Limiting mapped to RADIUS
Client-Type-Version-Limiting
rlm_ldap: LDAP cVPN3000-WebVPN-Content-Filter-Parameters mapped to RADIUS
WebVPN-Content-Filter-Parameters
rlm_ldap: LDAP cVPN3000-Port-Forwarding-Name mapped to RADIUS
WebVPN-Port-Forwarding-Name
rlm_ldap: LDAP cVPN3000-IETF-Radius-Session-Timeout mapped to RADIUS
IETF-Radius-Session-Timeout
rlm_ldap: LDAP cVPN3000-IETF-Radius-Idle-Timeout mapped to RADIUS
IETF-Radius-Idle-Timeout
rlm_ldap: LDAP cVPN3000-Authorization-Required mapped to RADIUS
Authorization-Required
rlm_ldap: LDAP cVPN3000-Authorization-Type mapped to RADIUS Authorization-Type
rlm_ldap: LDAP cVPN3000-DN-Field mapped to RADIUS DN-Field
rlm_ldap: LDAP cVPN3000-WebVPN-URL-List mapped to RADIUS WebVPN-URL-List
rlm_ldap: LDAP cVPN3000-WebVPN-Forwarded-Ports mapped to RADIUS
WebVPN-Forwarded-Ports
rlm_ldap: LDAP cVPN3000-WebVPN-ACL-Filters mapped to RADIUS WebVPN-ACL-Filters
rlm_ldap: LDAP cVPN3000-WebVPN-Homepage mapped to RADIUS WebVPN-Homepage
rlm_ldap: LDAP cVPN3000-WebVPN-Single-Sign-On-Server-Name mapped to RADIUS
WebVPN-Single-Sign-On-Server-Name
rlm_ldap: LDAP cVPN3000-WebVPN-URL-Entry-Enable mapped to RADIUS
WebVPN-URL-Entry-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Access-Enable mapped to RADIUS
WebVPN-File-Access-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Server-Entry-Enable mapped to RADIUS
WebVPN-File-Server-Entry-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Server-Browsing-Enable mapped to RADIUS
WebVPN-File-Server-Browsing-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Enable mapped to RADIUS
WebVPN-Port-Forwarding-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Exchange-Proxy-Enable mapped to
RADIUS WebVPN-Outlook-Exchange-Proxy-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-HTTP-Proxy-Enable mapped to RADIUS
WebVPN-Port-Forwarding-HTTP-Proxy-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Auto-Download-Enable mapped to
RADIUS WebVPN-Auto-Applet-Download-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Citrix-Support-Enable mapped to RADIUS
WebVPN-Citrix-Metaframe-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Apply-ACL-Enable mapped to RADIUS
WebVPN-Apply-ACL
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Required-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Required
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Keep-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Keep-Installation
rlm_ldap: LDAP cVPN3000-IE-Proxy-Server mapped to RADIUS IE-Proxy-Server
rlm_ldap: LDAP cVPN3000-IE-Proxy-Method mapped to RADIUS IE-Proxy-Server-Policy
rlm_ldap: LDAP cVPN3000-IE-Proxy-Exception-List mapped to RADIUS
IE-Proxy-Exception-List
rlm_ldap: LDAP cVPN3000-IE-Proxy-Bypass-Local mapped to RADIUS
IE-Proxy-Bypass-Local
rlm_ldap: LDAP cVPN3000-Tunnel-Group-Lock mapped to RADIUS Tunnel-Group-Lock
rlm_ldap: LDAP cVPN3000-Firewall-ACL-In mapped to RADIUS Access-List-Inbound
rlm_ldap: LDAP cVPN3000-Firewall-ACL-Out mapped to RADIUS Access-List-Outbound
rlm_ldap: LDAP cVPN3000-PFS-Required mapped to RADIUS PFS-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Keepalive mapped to RADIUS
WebVPN-SSL-VPN-Client-Keepalive
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Client-DPD mapped to RADIUS
WebVPN-SSL-VPN-Client-Client-DPD
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Gateway-DPD mapped to RADIUS
WebVPN-SSL-VPN-Client-Gateway-DPD
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Rekey-Period mapped to RADIUS
WebVPN-SSL-VPN-Client-Rekey-Period
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Rekey-Method mapped to RADIUS
WebVPN-SSL-VPN-Client-Rekey-Method
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Compression mapped to RADIUS
WebVPN-SSL-VPN-Client-Compression
conns: 0x817f878
Module: Instantiating patient_search
ldap patient_search {
server = "secureldapcentral.stvincents.com.au"
port = 636
password = "testing123"
identity =
"cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = yes
start_tls = no
tls_cacertfile = "certs/SVMHS_CA_SSL_Server.pem"
tls_require_cert = "never"
basedn = "ou=patients,ou=darlinghurst,ou=nsw,o=schs,c=au"
filter = "(cn=%u)"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "SHA-Password"
auto_header = yes
access_attr = "cn"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute patient_search-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for patient_search-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name patient_search
rlm_ldap: Over-riding set_auth_type, as there is no module patient_search listed
in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusSessionTerminateTime mapped to RADIUS
WISPr-Session-Terminate-Time
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
rlm_ldap: LDAP cVPN3000-Access-Hours mapped to RADIUS Access-Hours
rlm_ldap: LDAP cVPN3000-Simultaneous-Logins mapped to RADIUS Simultaneous-Logins
rlm_ldap: LDAP cVPN3000-Primary-DNS mapped to RADIUS Primary-DNS
rlm_ldap: LDAP cVPN3000-Secondary-DNS mapped to RADIUS Secondary-DNS
rlm_ldap: LDAP cVPN3000-Primary-WINS mapped to RADIUS Primary-WINS
rlm_ldap: LDAP cVPN3000-Primary-WINS mapped to RADIUS Secondary-WINS
rlm_ldap: LDAP cVPN3000-SEP-Card-Assignment mapped to RADIUS SEP-Card-Assignment
rlm_ldap: LDAP cVPN3000-Tunneling-Protocols mapped to RADIUS Tunneling-Protocols
rlm_ldap: LDAP cVPN3000-IPSec-Sec-Association mapped to RADIUS
IPSec-Sec-Association
rlm_ldap: LDAP cVPN3000-IPSec-Authentication mapped to RADIUS
IPSec-Authentication
rlm_ldap: LDAP cVPN3000-IPSec-Banner1 mapped to RADIUS IPSec-Banner1
rlm_ldap: LDAP cVPN3000-IPSec-Allow-Passwd-Store mapped to RADIUS
IPSec-Allow-Passwd-Store
rlm_ldap: LDAP cVPN3000-Use-Client-Address mapped to RADIUS Use-Client-Address
rlm_ldap: LDAP cVPN3000-PPTP-Encryption mapped to RADIUS PPTP-Encryption
rlm_ldap: LDAP cVPN3000-L2TP-Encryption mapped to RADIUS L2TP-Encryption
rlm_ldap: LDAP cVPN3000-IPSec-Split-Tunnel-List mapped to RADIUS
IPSec-Split-Tunnel-List
rlm_ldap: LDAP cVPN3000-IPSec-Default-Domain mapped to RADIUS
IPSec-Default-Domain
rlm_ldap: LDAP cVPN3000-IPSec-Split-DNS-Names mapped to RADIUS
IPSec-Split-DNS-Names
rlm_ldap: LDAP cVPN3000-IPSec-Tunnel-Type mapped to RADIUS IPSec-Tunnel-Type
rlm_ldap: LDAP cVPN3000-IPSec-Mode-Config mapped to RADIUS IPSec-Mode-Config
rlm_ldap: LDAP cVPN3000-IPSec-User-Group-Lock mapped to RADIUS
IPSec-User-Group-Lock
rlm_ldap: LDAP cVPN3000-IPSec-Over-UDP mapped to RADIUS IPSec-Over-UDP
rlm_ldap: LDAP cVPN3000-IPSec-Over-UDP-Port mapped to RADIUS IPSec-Over-UDP-Port
rlm_ldap: LDAP cVPN3000-IPSec-Banner2 mapped to RADIUS IPSec-Banner2
rlm_ldap: LDAP cVPN3000-PPTP-MPPC-Compression mapped to RADIUS
PPTP-MPPC-Compression
rlm_ldap: LDAP cVPN3000-L2TP-MPPC-Compression mapped to RADIUS
L2TP-MPPC-Compression
rlm_ldap: LDAP cVPN3000-IPSec-IP-Compression mapped to RADIUS
IPSec-IP-Compression
rlm_ldap: LDAP cVPN3000-IPSec-IKE-Peer-ID-Check mapped to RADIUS
IPSec-IKE-Peer-ID-Check
rlm_ldap: LDAP cVPN3000-IKE-Keep-Alives mapped to RADIUS IKE-Keep-Alives
rlm_ldap: LDAP cVPN3000-IPSec-Auth-On-Rekey mapped to RADIUS IPSec-Auth-On-Rekey
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Vendor-Code mapped to RADIUS
Reqrd-Client-Fw-Vendor-Code
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Product-Code mapped to RADIUS
Reqrd-Client-Fw-Product-Code
rlm_ldap: LDAP cVPN3000-Required-Client-Firewall-Description mapped to RADIUS
Reqrd-Client-Fw-Description
rlm_ldap: LDAP cVPN3000-Require-HW-Client-Auth mapped to RADIUS
Reqr-HW-Client-Auth
rlm_ldap: LDAP cVPN3000-Require-Individual-User-Auth mapped to RADIUS
Reqr-Individual-User-Auth
rlm_ldap: LDAP cVPN3000-Authenticated-User-Idle-Timeout mapped to RADIUS
Authd-User-Idle-Timeout
rlm_ldap: LDAP cVPN3000-Cisco-IP-Phone-Bypass mapped to RADIUS
Cisco-IP-Phone-Bypass
rlm_ldap: LDAP cVPN3000-IPSec-Split-Tunneling-Policy mapped to RADIUS
IPSec-Split-Tunneling-Policy
rlm_ldap: LDAP cVPN3000-IPSec-Required-Client-Firewall-Capability mapped to
RADIUS IPSec-Reqrd-Client-Fw-Cap
rlm_ldap: LDAP cVPN3000-IPSec-Client-Firewall-Filter-Name mapped to RADIUS
IPSec-Client-Fw-Filter-Name
rlm_ldap: LDAP cVPN3000-IPSec-Client-Firewall-Filter-Optional mapped to RADIUS
IPSec-Client-Fw-Filter-Opt
rlm_ldap: LDAP cVPN3000-IPSec-Backup-Servers mapped to RADIUS
IPSec-Backup-Servers
rlm_ldap: LDAP cVPN3000-IPSec-Backup-Server-List mapped to RADIUS
IPSec-Backup-Server-List
rlm_ldap: LDAP cVPN3000-Client-Intercept-DHCP-Configure-Msg mapped to RADIUS
MS-Client-Icpt-DHCP-Conf-Msg
rlm_ldap: LDAP cVPN3000-MS-Client-Subnet-Mask mapped to RADIUS
MS-Client-Subnet-Mask
rlm_ldap: LDAP cVPN3000-Allow-Network-Extension-Mode mapped to RADIUS
Allow-Network-Extension-Mode
rlm_ldap: LDAP cVPN3000-Strip-Realm mapped to RADIUS Strip-Realm
rlm_ldap: LDAP Cisco-AVPair mapped to RADIUS Cisco-AVPair
rlm_ldap: LDAP cVPN3000-Confidence-Interval mapped to RADIUS
IKE-KeepAlive-Confidence-Interval
rlm_ldap: LDAP cVPN3000-Cisco-LEAP-Bypass mapped to RADIUS Cisco-LEAP-Bypass
rlm_ldap: LDAP cVPN3000-DHCP-Network-Scope mapped to RADIUS DHCP-Network-Scope
rlm_ldap: LDAP cVPN3000-Client-Type-Version-Limiting mapped to RADIUS
Client-Type-Version-Limiting
rlm_ldap: LDAP cVPN3000-WebVPN-Content-Filter-Parameters mapped to RADIUS
WebVPN-Content-Filter-Parameters
rlm_ldap: LDAP cVPN3000-Port-Forwarding-Name mapped to RADIUS
WebVPN-Port-Forwarding-Name
rlm_ldap: LDAP cVPN3000-IETF-Radius-Session-Timeout mapped to RADIUS
IETF-Radius-Session-Timeout
rlm_ldap: LDAP cVPN3000-IETF-Radius-Idle-Timeout mapped to RADIUS
IETF-Radius-Idle-Timeout
rlm_ldap: LDAP cVPN3000-Authorization-Required mapped to RADIUS
Authorization-Required
rlm_ldap: LDAP cVPN3000-Authorization-Type mapped to RADIUS Authorization-Type
rlm_ldap: LDAP cVPN3000-DN-Field mapped to RADIUS DN-Field
rlm_ldap: LDAP cVPN3000-WebVPN-URL-List mapped to RADIUS WebVPN-URL-List
rlm_ldap: LDAP cVPN3000-WebVPN-Forwarded-Ports mapped to RADIUS
WebVPN-Forwarded-Ports
rlm_ldap: LDAP cVPN3000-WebVPN-ACL-Filters mapped to RADIUS WebVPN-ACL-Filters
rlm_ldap: LDAP cVPN3000-WebVPN-Homepage mapped to RADIUS WebVPN-Homepage
rlm_ldap: LDAP cVPN3000-WebVPN-Single-Sign-On-Server-Name mapped to RADIUS
WebVPN-Single-Sign-On-Server-Name
rlm_ldap: LDAP cVPN3000-WebVPN-URL-Entry-Enable mapped to RADIUS
WebVPN-URL-Entry-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Access-Enable mapped to RADIUS
WebVPN-File-Access-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Server-Entry-Enable mapped to RADIUS
WebVPN-File-Server-Entry-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-File-Server-Browsing-Enable mapped to RADIUS
WebVPN-File-Server-Browsing-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Enable mapped to RADIUS
WebVPN-Port-Forwarding-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Exchange-Proxy-Enable mapped to
RADIUS WebVPN-Outlook-Exchange-Proxy-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-HTTP-Proxy-Enable mapped to RADIUS
WebVPN-Port-Forwarding-HTTP-Proxy-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Port-Forwarding-Auto-Download-Enable mapped to
RADIUS WebVPN-Auto-Applet-Download-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Citrix-Support-Enable mapped to RADIUS
WebVPN-Citrix-Metaframe-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-Apply-ACL-Enable mapped to RADIUS
WebVPN-Apply-ACL
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Required-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Required
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Keep-Enable mapped to RADIUS
WebVPN-SSL-VPN-Client-Keep-Installation
rlm_ldap: LDAP cVPN3000-IE-Proxy-Server mapped to RADIUS IE-Proxy-Server
rlm_ldap: LDAP cVPN3000-IE-Proxy-Method mapped to RADIUS IE-Proxy-Server-Policy
rlm_ldap: LDAP cVPN3000-IE-Proxy-Exception-List mapped to RADIUS
IE-Proxy-Exception-List
rlm_ldap: LDAP cVPN3000-IE-Proxy-Bypass-Local mapped to RADIUS
IE-Proxy-Bypass-Local
rlm_ldap: LDAP cVPN3000-Tunnel-Group-Lock mapped to RADIUS Tunnel-Group-Lock
rlm_ldap: LDAP cVPN3000-Firewall-ACL-In mapped to RADIUS Access-List-Inbound
rlm_ldap: LDAP cVPN3000-Firewall-ACL-Out mapped to RADIUS Access-List-Outbound
rlm_ldap: LDAP cVPN3000-PFS-Required mapped to RADIUS PFS-Enable
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Keepalive mapped to RADIUS
WebVPN-SSL-VPN-Client-Keepalive
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Client-DPD mapped to RADIUS
WebVPN-SSL-VPN-Client-Client-DPD
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Gateway-DPD mapped to RADIUS
WebVPN-SSL-VPN-Client-Gateway-DPD
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Rekey-Period mapped to RADIUS
WebVPN-SSL-VPN-Client-Rekey-Period
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Rekey-Method mapped to RADIUS
WebVPN-SSL-VPN-Client-Rekey-Method
rlm_ldap: LDAP cVPN3000-WebVPN-SVC-Compression mapped to RADIUS
WebVPN-SSL-VPN-Client-Compression
conns: 0x8182f90
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking session {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 203.20.164.21 port 2133, id=70,
length=70
User-Name = "pparam"
User-Password = "testing123"
Vendor-3076-Attr-32 = 0x0000000b
NAS-IP-Address = 203.20.164.21
NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pparam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[roles_search] performing user authorization for pparam
[roles_search] expand: (cn=%u) -> (cn=pparam)
[roles_search] expand: ou=roles,ou=darlinghurst,ou=nsw,o=schs,c=au ->
ou=roles,ou=darlinghurst,ou=nsw,o=schs,c=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to secureldapcentral.stvincents.com.au:636, authentication
0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to
certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as
cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU/radius9065 to
secureldapcentral.stvincents.com.au:636
rlm_ldap: waiting for bind result ...
rlm_ldap: ldap_result()
rlm_ldap: cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU bind to
secureldapcentral.stvincents.com.au:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
[roles_search] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[roles_search] returns fail
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested
action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 203.20.164.21 port 2133, id=70,
length=70
Waiting to send Access-Reject to client campusvpn port 2133 - ID: 70
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 70 to 203.20.164.21 port 2133
Waking up in 4.9 seconds.
Cleaning up request 0 ID 70 with timestamp +40
Ready to process requests.
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote also confirms that this email message has been virus
scanned and although no viruses were detected by the system, St Vincents &
Mater Health Sydney accepts no liability for any consequential damage
resulting from email containing any computer viruses.
**********************************************************************
2
1
i want to implement peap for my wifi connection. I have set up the access
point(D-Link DWL 2100 AP) for using FreeRADIUS 2.1 For
authentication.Whenever i send a request from the client to the server,the
server fails to authenticate the client. What happens can be seen in the
debug code attached below.The problem may be due to the fact that the server
certificate used requires to be signed by special XP extensions but i am not
sure about it.I am currently using the default certificates created when
FreeRADIUS 2.1 is first installed.Can anyone please tell me why the error is
occuring and what the remedy for this is??
I am using Fedora 8 as server.
Debug output for FreeRADIUS is as follows:
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.250 port 1034
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9927156798250cebdde85f1a77c9228b
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=2,
length=290
Message-Authenticator = 0xf65b54a824859ff5858d51b34bb2ea0a
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x9927156798250cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0202005019800000004616030100410100003d030149b8c76c86fa22fb3b65c1a3da9d93f69b65a4f9489aaffaa42657f64516c2f600001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 03b0], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.1.250 port 1034
EAP-Message =
0x010303f31900160301002a02000026030149b8c79ad72fa31c2fc8459b30bd15126d3e5d6c74b1cb5228c06435c81fa6440000040016030103b00b0003ac0003a90003a6308203a23082028aa003020102020102300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d
EAP-Message =
0x3039303232373139323130325a170d3130303232373139323130325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac916a34fdc11effd3bf47f5e73c79237047fe7f11563c666003ddfc4d734778cf075ee5998c76f03bf71fa77f53e08588af1dcb33f926a1404901e5d8008e613952
EAP-Message =
0x979ae3c175d60f86c9c0ae82c554378f11f0cf9302931b3888dc716df066a15c655817bd3cc6617cb6feb8e2f41ad9531b68cddece4f8ebe50581111d673463cd9a00198eb4d43adefaa1322618e20d7fe3c5408d3a2329be135a664bf99f281b2b8c1810be4fb1b0cee61b7f943e9eac630a69865faeba4a4206f4bb89c8b27ecbd8e9545615a030151559b539a8c533f5b9779d1c4eb22279c0b5409eb2e242878bff8ac400c10f0fd81e15e246f85d940182be0a60a4a4399cc0bd0a70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101001b2311c96ac3ee97d6ecfd99e8
EAP-Message =
0x0adfa8b3b89b7481c139127c0a69572763e40b467f29150c33c33ac9a582fe1c591bd4150d769c0e35195182835bc301441bbb8235a3cdcabf877b8652ce74782d0045114312dd6c214e67adc2ebc59b7330e5fdba13a5e28be5cfdaa4d2e5eaa84e5c500df001989d673ec3ee37cd4b2404722233d2f5ab442e691ff244653402d1b22260370262bee269a518e02bb0b47452aeb51465d047fc83f9075914ba86efbc202b60d5e9ce652ce28561edb25ec4e49cae1a3762672a85ad2bc11efc117481b7de96613d83438a712c589b5f6aef84c695f516c87a6b1f17bfe69446e4e9e7b03fe9f5553486e8dd1aa28d6b36a47216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679b240cebdde85f1a77c9228b
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=3,
length=532
Message-Authenticator = 0xc54164092ed8dc2f09a7418d5560f076
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679b240cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0203014019800000013616030101061000010201000c969749c74343d53a00c5cd79f5301ddf1fdc7283cd04a8f1083c17e1944c5c7cbed10b12ee27e4b5d4eb1430e87e9f739302bc725d88acd7f03e5db8b5cd7d9d89cd283ade84801b26aa4e337d4b31589f1bf73c906348443555a170e26ba0ec25df48d057c543282027d39982bfd922e3efc5fea974147b2a1439ef3be601084102ab0c4974ef2dde486b00c9b5110a812bf2a4913ed711ae9b749c45779344535984212c852b5bc1056d1389d51ae647fe6341fcc24109f379da2762aa8def42675dc0472220927b6b0b3f93082ab8ab06df5dfb76e4645dda6ddd2c588229ad183ca921501b
EAP-Message =
0xa3bbac963e046ef6c7c96392af28b267d494957e189efda814030100010116030100201f15bf9882f5f81840a2f0b88eacf2b32487bec7a66273e6bae9f5899090f568
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.250 port 1034
EAP-Message =
0x01040031190014030100010116030100204c2d5ce111b4cf1d8484d0a7b0bc663743b67f0dfcf3bc69dfa62631fd9d3e30
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679a230cebdde85f1a77c9228b
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=4,
length=216
Message-Authenticator = 0xfb5cafdd0840b6ccedd584509afb6159
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679a230cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400061900
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.1.250 port 1034
EAP-Message =
0x0105002019001703010015b1bb8da1accb8c051e43c474f0b25b6888371dafd2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679d220cebdde85f1a77c9228b
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=5,
length=253
Message-Authenticator = 0x559b57aca5bffa7b01a186f5ae288fc8
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679d220cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0205002b19001703010020a690881c896db8f3366ba3ee32944a59d4b9fea829756099f89ed10931342409
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - ITDEPT.COM\scoe
[peap] Got tunnled request
EAP-Message = 0x02050014014954444550542e434f4d5c73636f65
server (null) {
PEAP: Got tunneled identity of ITDEPT.COM\scoe
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to ITDEPT.COM\scoe
Sending tunneled request
EAP-Message = 0x02050014014954444550542e434f4d5c73636f65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ITDEPT.COM\\scoe"
Service-Type = Framed-User
Framed-MTU = 1488
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 5 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010600291a01060024100063da3b7cc3f43eabec58facf4e1a544954444550542e434f4d5c73636f65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5dac34625daa2ecf48629eb40108d58e
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010600291a01060024100063da3b7cc3f43eabec58facf4e1a544954444550542e434f4d5c73636f65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5dac34625daa2ecf48629eb40108d58e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.1.250 port 1034
EAP-Message =
0x01060040190017030100352c6462427fabed095dd20eb0a27126d825f307f85f0ecd4fd26ae52617d9731aa14fcadeb19fac8fc0d0137ed2f8014bf4ef79384e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679c210cebdde85f1a77c9228b
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=6,
length=307
Message-Authenticator = 0xa39a6fe70736fcc5f6106730554498e1
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679c210cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0206006119001703010056ef7f7df93da28d67e1bb560078a1f55a38558fc7fe965a4d12729fedfd5978ea7678f294285464c7a58049a65ac6bfed51f72f89937a6275d512063adefe77cd4a4866c11af7b1d49e60f77003a2581559e005a77732
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 97
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message =
0x0206004a1a02060045315c0291fe1459500e2ea66e03781a141b0000000000000000a1f11ae4843edcb38707bda4af4252c47ea544de54571725004954444550542e434f4d5c73636f65
server (null) {
PEAP: Setting User-Name to ITDEPT.COM\scoe
Sending tunneled request
EAP-Message =
0x0206004a1a02060045315c0291fe1459500e2ea66e03781a141b0000000000000000a1f11ae4843edcb38707bda4af4252c47ea544de54571725004954444550542e434f4d5c73636f65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ITDEPT.COM\\scoe"
State = 0x5dac34625daa2ecf48629eb40108d58e
Service-Type = Framed-User
Framed-MTU = 1488
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 74
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for ITDEPT.COM\scoe with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.250 port 1034
EAP-Message =
0x010700261900170301001b0b161d0dbb31d7d3cd65286f7aa084ee8708935bed2bc963e60797
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679f200cebdde85f1a77c9228b
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=7,
length=248
Message-Authenticator = 0x5b1ec30419fb1addf07d5979c76176e0
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679f200cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x020700261900170301001b01aef267bca260c0c202dbaad96a2914551d213d9a74266916a21a
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ITDEPT.COM\scoe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 7 to 192.168.1.250 port 1034
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 8 ID 0 with timestamp +558
Cleaning up request 9 ID 1 with timestamp +558
Cleaning up request 10 ID 2 with timestamp +559
Cleaning up request 11 ID 3 with timestamp +559
Cleaning up request 12 ID 4 with timestamp +559
Cleaning up request 13 ID 5 with timestamp +559
Cleaning up request 14 ID 6 with timestamp +559
Waking up in 1.0 seconds.
Cleaning up request 15 ID 7 with timestamp +559
Ready to process requests.
--
View this message in context: http://www.nabble.com/peap-not-working-for-windows-XP-client-tp22473441p224…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
3
Hi,
I've set up a 2.1.4 server, and working pretty well with authentication
against LDAP alone. What I've noticed though is that if the LDAP server is
down on the same box then the LDAP module, rightfully, fails. However whilst
this leaves the service unable to authenticate the user, it still replies
back with a REJECT packet to the client. As such the client switch / router
whatever, doesn't try the next server in it's config, as it's had a valid
RADIUS response.
Is there any way to force a logic whereby if the ldap module fails, it would
drop the RADIUS request on the floor, to make it look like a service failure
to the client? Kinda wrecks our resiliency model if not! We're only using a
single ldap server per box, but even if we were using other ldap servers on
other servers, there still is a logic whereby it may be impossible to reach
any LDAP server whilst another FreeRADIUS box can reach one, but is of a
lower order of preference so can't be used.
Thanks
Chris
4
15
autoreconf on suse does not seem to work and I commented it out in the
specfile.
otp.conf does not seem to exist any longer,
/usr/sbin/raddebug must be applied.
With these little modifications of the suse specfile 2.1.4 builds on
suse 10.3.
bugs.freeradius.org still seems to be unavailable, therefore I post the
patch here.
# diff -Nru freeradius.spec-org freeradius.spec
--- freeradius.spec-org 2009-03-11 13:29:53.000000000 +0100
+++ freeradius.spec 2009-03-11 13:30:02.000000000 +0100
@@ -179,7 +179,7 @@
%build
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -DLDAP_DEPRECATED
-fPIC -DPIC"
#export CFLAGS="$CFLAGS -std=c99 -pedantic"
-autoreconf
+#autoreconf
%configure \
--libdir=%{_libdir}/freeradius \
@@ -332,7 +332,7 @@
%attr(640,-,radiusd) %config(noreplace)
/etc/raddb/sql/oracle/msqlippool.txt
%attr(640,-,radiusd) %config(noreplace) /etc/raddb/users
%attr(640,-,radiusd) %config(noreplace) /etc/raddb/experimental.conf
-%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf
+#%attr(640,-,radiusd) %config(noreplace) /etc/raddb/otp.conf
%dir %attr(750,-,radiusd) /etc/raddb/certs
/etc/raddb/certs/Makefile
/etc/raddb/certs/README
@@ -355,6 +355,7 @@
/usr/sbin/radrelay
/usr/sbin/radwatch
/usr/sbin/radmin
+/usr/sbin/raddebug
# man-pages
%doc %{_mandir}/man1/*
%doc %{_mandir}/man5/*
Norbert Wegener
3
3
i want to implement peap for my wifi connection. I have set up the access
point(D-Link DWL 2100 AP) for using FreeRADIUS 2.1 For
authentication.Whenever i send a request from the client to the server,the
server fails to authenticate the client. What happens can be seen in the
debug code attached below.The problem may be due to the fact that the server
certificate used requires to be signed by special XP extensions but i am not
sure about it.I am currently using the default certificates created when
FreeRADIUS 2.1 is first installed.Can anyone please tell me why the error is
occuring and what the remedy for this is??
I am using Fedora 8 as server.
Debug output for FreeRADIUS is as follows:
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.1.250 port 1034
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9927156798250cebdde85f1a77c9228b
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=2,
length=290
Message-Authenticator = 0xf65b54a824859ff5858d51b34bb2ea0a
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x9927156798250cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0202005019800000004616030100410100003d030149b8c76c86fa22fb3b65c1a3da9d93f69b65a4f9489aaffaa42657f64516c2f600001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 03b0], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.1.250 port 1034
EAP-Message =
0x010303f31900160301002a02000026030149b8c79ad72fa31c2fc8459b30bd15126d3e5d6c74b1cb5228c06435c81fa6440000040016030103b00b0003ac0003a90003a6308203a23082028aa003020102020102300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d
EAP-Message =
0x3039303232373139323130325a170d3130303232373139323130325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac916a34fdc11effd3bf47f5e73c79237047fe7f11563c666003ddfc4d734778cf075ee5998c76f03bf71fa77f53e08588af1dcb33f926a1404901e5d8008e613952
EAP-Message =
0x979ae3c175d60f86c9c0ae82c554378f11f0cf9302931b3888dc716df066a15c655817bd3cc6617cb6feb8e2f41ad9531b68cddece4f8ebe50581111d673463cd9a00198eb4d43adefaa1322618e20d7fe3c5408d3a2329be135a664bf99f281b2b8c1810be4fb1b0cee61b7f943e9eac630a69865faeba4a4206f4bb89c8b27ecbd8e9545615a030151559b539a8c533f5b9779d1c4eb22279c0b5409eb2e242878bff8ac400c10f0fd81e15e246f85d940182be0a60a4a4399cc0bd0a70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101001b2311c96ac3ee97d6ecfd99e8
EAP-Message =
0x0adfa8b3b89b7481c139127c0a69572763e40b467f29150c33c33ac9a582fe1c591bd4150d769c0e35195182835bc301441bbb8235a3cdcabf877b8652ce74782d0045114312dd6c214e67adc2ebc59b7330e5fdba13a5e28be5cfdaa4d2e5eaa84e5c500df001989d673ec3ee37cd4b2404722233d2f5ab442e691ff244653402d1b22260370262bee269a518e02bb0b47452aeb51465d047fc83f9075914ba86efbc202b60d5e9ce652ce28561edb25ec4e49cae1a3762672a85ad2bc11efc117481b7de96613d83438a712c589b5f6aef84c695f516c87a6b1f17bfe69446e4e9e7b03fe9f5553486e8dd1aa28d6b36a47216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679b240cebdde85f1a77c9228b
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=3,
length=532
Message-Authenticator = 0xc54164092ed8dc2f09a7418d5560f076
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679b240cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0203014019800000013616030101061000010201000c969749c74343d53a00c5cd79f5301ddf1fdc7283cd04a8f1083c17e1944c5c7cbed10b12ee27e4b5d4eb1430e87e9f739302bc725d88acd7f03e5db8b5cd7d9d89cd283ade84801b26aa4e337d4b31589f1bf73c906348443555a170e26ba0ec25df48d057c543282027d39982bfd922e3efc5fea974147b2a1439ef3be601084102ab0c4974ef2dde486b00c9b5110a812bf2a4913ed711ae9b749c45779344535984212c852b5bc1056d1389d51ae647fe6341fcc24109f379da2762aa8def42675dc0472220927b6b0b3f93082ab8ab06df5dfb76e4645dda6ddd2c588229ad183ca921501b
EAP-Message =
0xa3bbac963e046ef6c7c96392af28b267d494957e189efda814030100010116030100201f15bf9882f5f81840a2f0b88eacf2b32487bec7a66273e6bae9f5899090f568
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.250 port 1034
EAP-Message =
0x01040031190014030100010116030100204c2d5ce111b4cf1d8484d0a7b0bc663743b67f0dfcf3bc69dfa62631fd9d3e30
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679a230cebdde85f1a77c9228b
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=4,
length=216
Message-Authenticator = 0xfb5cafdd0840b6ccedd584509afb6159
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679a230cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400061900
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.1.250 port 1034
EAP-Message =
0x0105002019001703010015b1bb8da1accb8c051e43c474f0b25b6888371dafd2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679d220cebdde85f1a77c9228b
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=5,
length=253
Message-Authenticator = 0x559b57aca5bffa7b01a186f5ae288fc8
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679d220cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0205002b19001703010020a690881c896db8f3366ba3ee32944a59d4b9fea829756099f89ed10931342409
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - ITDEPT.COM\scoe
[peap] Got tunnled request
EAP-Message = 0x02050014014954444550542e434f4d5c73636f65
server (null) {
PEAP: Got tunneled identity of ITDEPT.COM\scoe
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to ITDEPT.COM\scoe
Sending tunneled request
EAP-Message = 0x02050014014954444550542e434f4d5c73636f65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ITDEPT.COM\\scoe"
Service-Type = Framed-User
Framed-MTU = 1488
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 5 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010600291a01060024100063da3b7cc3f43eabec58facf4e1a544954444550542e434f4d5c73636f65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5dac34625daa2ecf48629eb40108d58e
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010600291a01060024100063da3b7cc3f43eabec58facf4e1a544954444550542e434f4d5c73636f65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5dac34625daa2ecf48629eb40108d58e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.1.250 port 1034
EAP-Message =
0x01060040190017030100352c6462427fabed095dd20eb0a27126d825f307f85f0ecd4fd26ae52617d9731aa14fcadeb19fac8fc0d0137ed2f8014bf4ef79384e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679c210cebdde85f1a77c9228b
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=6,
length=307
Message-Authenticator = 0xa39a6fe70736fcc5f6106730554498e1
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679c210cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0206006119001703010056ef7f7df93da28d67e1bb560078a1f55a38558fc7fe965a4d12729fedfd5978ea7678f294285464c7a58049a65ac6bfed51f72f89937a6275d512063adefe77cd4a4866c11af7b1d49e60f77003a2581559e005a77732
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 97
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message =
0x0206004a1a02060045315c0291fe1459500e2ea66e03781a141b0000000000000000a1f11ae4843edcb38707bda4af4252c47ea544de54571725004954444550542e434f4d5c73636f65
server (null) {
PEAP: Setting User-Name to ITDEPT.COM\scoe
Sending tunneled request
EAP-Message =
0x0206004a1a02060045315c0291fe1459500e2ea66e03781a141b0000000000000000a1f11ae4843edcb38707bda4af4252c47ea544de54571725004954444550542e434f4d5c73636f65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ITDEPT.COM\\scoe"
State = 0x5dac34625daa2ecf48629eb40108d58e
Service-Type = Framed-User
Framed-MTU = 1488
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 74
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for ITDEPT.COM\scoe with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.250 port 1034
EAP-Message =
0x010700261900170301001b0b161d0dbb31d7d3cd65286f7aa084ee8708935bed2bc963e60797
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x992715679f200cebdde85f1a77c9228b
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.250 port 1034, id=7,
length=248
Message-Authenticator = 0x5b1ec30419fb1addf07d5979c76176e0
Service-Type = Framed-User
User-Name = "ITDEPT.COM\\scoe\000"
Framed-MTU = 1488
State = 0x992715679f200cebdde85f1a77c9228b
Called-Station-Id = "00-17-9A-09-C4-DD:scoeit"
Calling-Station-Id = "00-13-02-12-16-6E"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x020700261900170301001b01aef267bca260c0c202dbaad96a2914551d213d9a74266916a21a
NAS-IP-Address = 192.168.1.250
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ITDEPT.COM\scoe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ITDEPT.COM\scoe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 7 to 192.168.1.250 port 1034
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 8 ID 0 with timestamp +558
Cleaning up request 9 ID 1 with timestamp +558
Cleaning up request 10 ID 2 with timestamp +559
Cleaning up request 11 ID 3 with timestamp +559
Cleaning up request 12 ID 4 with timestamp +559
Cleaning up request 13 ID 5 with timestamp +559
Cleaning up request 14 ID 6 with timestamp +559
Waking up in 1.0 seconds.
Cleaning up request 15 ID 7 with timestamp +559
Ready to process requests.
--
View this message in context: http://www.nabble.com/eap-peap-%22challenge%22-error-for-windows-XP-clients…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
1
0
Hi,
I'm trying implement freeRadius for users using EAP-TLS. My eap.conf:
> eap {
> ...
>
> tls {
> private_key_file = /etc/ssl/private/radius.etest.cesnet.cz.key.pem
> certificate_file = /etc/ssl/certs/radius.etest.cesnet.cz.crt.pem
>
> CA_path = /etc/ssl/certs/
>
> fragment_size = 1024
>
> include_length = yes
>
> check_crl = yes
> }
>
When CRL is changed on disk during freeRadius is running it never
notices changed version and still uses older cached. This behavior come
from OpenSSL I guess. For my implementation is this serious problem.
Complete restart of freeRadius will break ongoing EAP sessions and
introduce random problems with service for users
I found mailing list post:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31354.…
When I try send HUP signal to running freeRadius it crashes with return
code 1 in case it didn't process any request. Log output is in file
crash1.log
When I send HUP signal to running freeRadius which processed several
requests it survive and crash with segfault after receiving first
request after the HUP signal. Log output is in crash2.log
I was testing with freeRadius version 1.1.4 and 1.1.7 both with same
result.
Is there chance to get this fixed?
Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
4
6
Have a radius box setup and am using ntlm_auth to authenticate peapv0
with mschapv2 in the inner tunnel off a samba pdc.
All normal users authenticate fine. When I try to authenticate using the
machine account I get this:
eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/cc20000 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} ->
--username=cc20000$
[mschap] setting NT-Domain to same as machine name
[mschap] expand: --domain=%{mschap:NT-Domain:-ISD} -> --domain=cc20000
[mschap] mschap2: bc
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=857e792244c9e024
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=0e44e0288f3f64004f58718f93e09c629670ab97d1e997bf
Exec-Program output: Must change password (0xc0000224)
Exec-Program-Wait: plaintext: Must change password (0xc0000224)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/cc20000] (from client CCISD-REMC-Radius port 0
via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 71 to 172.17.10.108 port 1033
EAP-Message =
0x010900261900170301001b34bc45f7fbc2e102f7ec6da756ce808f27d99f1074294fb3b5b69c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb410f68ebc19efa88b187555f468f0ff
Finished request 18.
I do see the "Exec-Program output: Must change password (0xc0000224)"
which to me means the computer account password has expired? I tried
removing and re-adding the computer to the domain but get the same error.
Any ideas? Anyone else successfully doing peapv0 auth with machine
accounts and ntlm_auth?
Thanks for any help.
2
2