Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2009
- 178 participants
- 250 discussions
08 Mar '09
Hi,
I am using a passwd module to authorize users. First passwd module
checks cisco_users file (format = "*User-Name:Cleartext-Password") and
then passwd module must check cisco_groups file (format =
"~Cisco-Group:*,User-Name"). However when passwd module checks the
cisco_user file, it returns status "ok" even when user password (in
request packet) doesnt match with cisco_user file. So i am able to
distinguish users only by their User-Name, but i need to check their
passwords as well. I cannot figure out how to write that in my authorize
section. Later, if username and password matches an entry in my
cisco_user file i will call cisco_group file and find to which group
that user belongs to assign the right services.
currently my code looks like this:
passwd cisco_user_module {
#filename = /etc/group
filename = /usr/local/etc/raddb/cisco_users
#format = "=Etc-Group-Name:::*,User-Name"
format = "*User-Name:Cleartext-Password"
hashsize = 100
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}
authorize {
cisco_user_module
if(notfound){
update control{
Auth-Type := Reject
}
update reply{
Reply-Message := "Access denied, sorry!"
}
}
elseif(ok){
cisco_group_module
}
}
I hope u guys can help me, i will appreciate ;)
Thanks.
2
2
08 Mar '09
Hi All,
I installed FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu on OpenSuse 11.1 using Yast. I am having problems testing the radius server 10.10.10.11 from an external host 10.10.10.10 using radtest.
Background: I configured clients.conf, users and radiusd.conf. After changing permissions on the /etc/radb/certs directory I was able to start "radiusd -X" without any?reported errors, warnings.
I then successfully tested locally using radtest in another terminal window?on the radius server (IP = 10.10.10.11)
linux-au5f:/home/michael # radtest pencil richard6 10.10.10.11 0 testing123
Sending Access-Request of id 63 to 10.10.10.11 port 1812
?User-Name = "pencil"
?User-Password = "richard6"
?NAS-IP-Address = 127.0.0.2
?NAS-Port = 0
rad_recv: Access-Accept packet from host 10.10.10.11 port 1812, id=63, length=35
?Reply-Message = "Hello, pencil"
Next I tried testing radiusd using radtest from a 2nd host (10.10.10.10), which I had added previously added to the clients.conf (Note I can successfully ping the radius server 10.10.10.11 from this 2nd host 10.10.10.10).?But, I get no response from radius acc-request on either the radiusd terminal window or the radtest terminal window.
Below is the clients.conf definitiion
?client dellM65 {
?ipaddr = 10.10.10.10
?require_message_authenticator = no
?secret = "testing123"
?nastype = "other"
?}
I did a capture with Wireshark and I can see the radius request, but no responses. Have I missed some part of the Freeradius config to recognize the external radtest host?
I have attached some output to hopefully answer anything not described above.
Attached is the radiusd -X output
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Dec? 3 2008 at 10:47:13
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
?prefix = "/usr"
?localstatedir = "/var"
?logdir = "/var/log/radius"
?libdir = "/usr/lib/freeradius"
?radacctdir = "/var/log/radius/radacct"
?hostname_lookups = no
?max_request_time = 30
?cleanup_delay = 5
?max_requests = 1024
?allow_core_dumps = no
?pidfile = "/var/run/radiusd/radiusd.pid"
?checkrad = "/usr/sbin/checkrad"
?debug_level = 0
?proxy_requests = yes
?log {
?stripped_names = yes
?auth = yes
?auth_badpass = yes
?auth_goodpass = yes
?}
?security {
?max_attributes = 200
?reject_delay = 1
?status_server = yes
?}
}
?client localhost {
?ipaddr = 127.0.0.1
?require_message_authenticator = no
?secret = "testing123"
?nastype = "other"
?}
?client 10.10.10.11 {
?require_message_authenticator = no
?secret = "testing123"
?shortname = "liv1"
?}
?client dellM65 {
?ipaddr = 10.10.10.10
?require_message_authenticator = no
?secret = "testing123"
?nastype = "other"
?}
radiusd: #### Loading Realms and Home Servers ####
?proxy server {
?retry_delay = 5
?retry_count = 3
?default_fallback = no
?dead_time = 120
?wake_all_if_all_dead = no
?}
?home_server localhost {
?ipaddr = 127.0.0.1
?port = 1812
?type = "auth"
?secret = "testing123"
?response_window = 20
?max_outstanding = 65536
?zombie_period = 40
?status_check = "status-server"
?ping_interval = 30
?check_interval = 30
?num_answers_to_alive = 3
?num_pings_to_alive = 3
?revive_interval = 120
?status_check_timeout = 4
?}
?home_server_pool my_auth_failover {
?type = fail-over
?home_server = localhost
?}
?realm example.com {
?auth_pool = my_auth_failover
?}
?realm LOCAL {
?}
radiusd: #### Instantiating modules ####
?instantiate {
?Module: Linked to module rlm_exec
?Module: Instantiating exec
? exec {
?wait = no
?input_pairs = "request"
?shell_escape = yes
? }
?Module: Linked to module rlm_expr
?Module: Instantiating expr
?Module: Linked to module rlm_expiration
?Module: Instantiating expiration
? expiration {
?reply-message = "Password Has Expired? "
? }
?Module: Linked to module rlm_logintime
?Module: Instantiating logintime
? logintime {
?reply-message = "You are calling outside your allowed timespan? "
?minimum-timeout = 60
? }
?}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
?modules {
?Module: Checking authenticate {...} for more modules to load
?Module: Linked to module rlm_pap
?Module: Instantiating pap
? pap {
?encryption_scheme = "auto"
?auto_header = no
? }
?Module: Linked to module rlm_chap
?Module: Instantiating chap
?Module: Linked to module rlm_mschap
?Module: Instantiating mschap
? mschap {
?use_mppe = yes
?require_encryption = no
?require_strong = no
?with_ntdomain_hack = no
? }
?Module: Linked to module rlm_unix
?Module: Instantiating unix
? unix {
?radwtmp = "/var/log/radius/radwtmp"
? }
?Module: Linked to module rlm_eap
?Module: Instantiating eap
? eap {
?default_eap_type = "md5"
?timer_expire = 60
?ignore_unknown_eap_types = no
?cisco_accounting_username_bug = no
?max_sessions = 2048
? }
?Module: Linked to sub-module rlm_eap_md5
?Module: Instantiating eap-md5
?Module: Linked to sub-module rlm_eap_leap
?Module: Instantiating eap-leap
?Module: Linked to sub-module rlm_eap_gtc
?Module: Instantiating eap-gtc
?? gtc {
?challenge = "Password: "
?auth_type = "PAP"
?? }
?Module: Linked to sub-module rlm_eap_tls
?Module: Instantiating eap-tls
?? tls {
?rsa_key_exchange = no
?dh_key_exchange = yes
?rsa_key_length = 512
?dh_key_length = 512
?verify_depth = 0
?pem_file_type = yes
?private_key_file = "/etc/raddb/certs/server.pem"
?certificate_file = "/etc/raddb/certs/server.pem"
?CA_file = "/etc/raddb/certs/ca.pem"
?private_key_password = "whatever"
?dh_file = "/etc/raddb/certs/dh"
?random_file = "/etc/raddb/certs/random"
?fragment_size = 1024
?include_length = yes
?check_crl = no
?cipher_list = "DEFAULT"
?make_cert_command = "/etc/raddb/certs/bootstrap"
??? cache {
?enable = no
?lifetime = 24
?max_entries = 255
??? }
?? }
?Module: Linked to sub-module rlm_eap_ttls
?Module: Instantiating eap-ttls
?? ttls {
?default_eap_type = "md5"
?copy_request_to_tunnel = no
?use_tunneled_reply = no
?virtual_server = "inner-tunnel"
?? }
?Module: Linked to sub-module rlm_eap_peap
?Module: Instantiating eap-peap
?? peap {
?default_eap_type = "mschapv2"
?copy_request_to_tunnel = no
?use_tunneled_reply = no
?proxy_tunneled_request_as_eap = yes
?virtual_server = "inner-tunnel"
?? }
?Module: Linked to sub-module rlm_eap_mschapv2
?Module: Instantiating eap-mschapv2
?? mschapv2 {
?with_ntdomain_hack = no
?? }
?Module: Checking authorize {...} for more modules to load
?Module: Linked to module rlm_realm
?Module: Instantiating suffix
? realm suffix {
?format = "suffix"
?delimiter = "@"
?ignore_default = no
?ignore_null = no
? }
?Module: Linked to module rlm_files
?Module: Instantiating files
? files {
?usersfile = "/etc/raddb/users"
?acctusersfile = "/etc/raddb/acct_users"
?preproxy_usersfile = "/etc/raddb/preproxy_users"
?compat = "no"
? }
?Module: Checking session {...} for more modules to load
?Module: Linked to module rlm_radutmp
?Module: Instantiating radutmp
? radutmp {
?filename = "/var/log/radius/radutmp"
?username = "%{User-Name}"
?case_sensitive = yes
?check_with_nas = yes
?perm = 384
?callerid = yes
? }
?Module: Checking post-proxy {...} for more modules to load
?Module: Checking post-auth {...} for more modules to load
?Module: Linked to module rlm_attr_filter
?Module: Instantiating attr_filter.access_reject
? attr_filter attr_filter.access_reject {
?attrsfile = "/etc/raddb/attrs.access_reject"
?key = "%{User-Name}"
? }
?}
}
?modules {
?Module: Checking authenticate {...} for more modules to load
?Module: Checking authorize {...} for more modules to load
?Module: Linked to module rlm_preprocess
?Module: Instantiating preprocess
? preprocess {
?huntgroups = "/etc/raddb/huntgroups"
?hints = "/etc/raddb/hints"
?with_ascend_hack = no
?ascend_channels_per_line = 23
?with_ntdomain_hack = no
?with_specialix_jetstream_hack = no
?with_cisco_vsa_hack = no
?with_alvarion_vsa_hack = no
? }
?Module: Checking preacct {...} for more modules to load
?Module: Linked to module rlm_acct_unique
?Module: Instantiating acct_unique
? acct_unique {
?key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
? }
?Module: Checking accounting {...} for more modules to load
?Module: Linked to module rlm_detail
?Module: Instantiating detail
? detail {
?detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
?header = "%t"
?detailperm = 384
?dirperm = 493
?locking = no
?log_packet_header = no
? }
?Module: Instantiating attr_filter.accounting_response
? attr_filter attr_filter.accounting_response {
?attrsfile = "/etc/raddb/attrs.accounting_response"
?key = "%{User-Name}"
? }
?Module: Checking session {...} for more modules to load
?Module: Checking post-proxy {...} for more modules to load
?Module: Checking post-auth {...} for more modules to load
?}
radiusd: #### Opening IP addresses and Ports ####
listen {
?type = "auth"
?ipaddr = 10.10.10.11
?port = 1812
}
listen {
?type = "acct"
?ipaddr = *
?port = 0
}
Listening on authentication address 10.10.10.11 port 1812
Listening on accounting address * port 1813
Listening on proxy address 10.10.10.11 port 1814
Ready to process requests.
Attached is wireshark capture on the radius server (10.10.10.11) showing the packet arrives from the rad test client (10.10.10.10)
No.???? Time??????? Source??????????????? Destination?????????? Protocol Info
????? 2 2.997586??? 10.10.10.10?????????? 10.10.10.11?????????? RADIUS?? Access-Request(1) (id=241, l=58), Duplicate Request ID:241
Frame 2 (100 bytes on wire, 100 bytes captured)
??? Arrival Time: Mar? 7, 2009 10:02:20.966147000
??? [Time delta from previous captured frame: 2.997586000 seconds]
??? [Time delta from previous displayed frame: 2.997586000 seconds]
??? [Time since reference or first frame: 2.997586000 seconds]
??? Frame Number: 2
??? Frame Length: 100 bytes
??? Capture Length: 100 bytes
??? [Frame is marked: False]
??? [Protocols in frame: eth:ip:udp:radius]
??? [Coloring Rule Name: UDP]
??? [Coloring Rule String: udp]
Ethernet II, Src: 3com_ac:0a:0c (00:50:da:ac:0a:0c), Dst: DellPcba_78:86:32 (00:0d:56:78:86:32)
??? Destination: DellPcba_78:86:32 (00:0d:56:78:86:32)
??????? Address: DellPcba_78:86:32 (00:0d:56:78:86:32)
??????? .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
??????? .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
??? Source: 3com_ac:0a:0c (00:50:da:ac:0a:0c)
??????? Address: 3com_ac:0a:0c (00:50:da:ac:0a:0c)
??????? .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
??????? .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
??? Type: IP (0x0800)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 10.10.10.11 (10.10.10.11)
??? Version: 4
??? Header length: 20 bytes
??? Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
??????? 0000 00.. = Differentiated Services Codepoint: Default (0x00)
??????? .... ..0. = ECN-Capable Transport (ECT): 0
??????? .... ...0 = ECN-CE: 0
??? Total Length: 86
??? Identification: 0x0000 (0)
??? Flags: 0x04 (Don't Fragment)
??????? 0... = Reserved bit: Not set
??????? .1.. = Don't fragment: Set
??????? ..0. = More fragments: Not set
??? Fragment offset: 0
??? Time to live: 64
??? Protocol: UDP (0x11)
??? Header checksum: 0x126f [correct]
??????? [Good: True]
??????? [Bad : False]
??? Source: 10.10.10.10 (10.10.10.10)
??? Destination: 10.10.10.11 (10.10.10.11)
User Datagram Protocol, Src Port: 47970 (47970), Dst Port: radius (1812)
??? Source port: 47970 (47970)
??? Destination port: radius (1812)
??? Length: 66
??? Checksum: 0xc264 [correct]
??????? [Good Checksum: True]
??????? [Bad Checksum: False]
Radius Protocol
??? Code: Access-Request (1)
??? Packet identifier: 0xf1 (241)
??? Length: 58
??? Authenticator: DF4A578FEB08708AEFEA3236CA37650C
??? [Duplicate Request: 241]
??? Attribute Value Pairs
??????? AVP: l=8? t=User-Name(1): pencil
??????????? User-Name: pencil
??????? AVP: l=18? t=User-Password(2): Encrypted
??????????? User-Password: \267\017U\227\320\216\305\y\373\314\377\306\316\350\255
??????? AVP: l=6? t=NAS-IP-Address(4): 127.0.0.2
??????????? NAS-IP-Address: 127.0.0.2 (127.0.0.2)
??????? AVP: l=6? t=NAS-Port(5): 0
??????????? NAS-Port: 0
4
5
Hey,
Regarding realms handled in the local server (mysql) and accounting...
I have defined realms in the users file such as:
DEFAULT Realm == "example.com", Autz-Type := SQL_EXAMPLE
and in radiusd.conf I add in authorize { }
Autz-Type SQL_EXAMPLE {
sql_example
}
and as expected authentication works just fine by looking up in the current
database.
To enable accounting for both realms I have done the same thing in
radiusd.conf
for the accounting { } module:
Acct-Type SQL_EXAMPLE {
sql_example
}
Although this is defined no accounting records are saved in the database.
I am wondering if I'm missing something else like adding the Acct-Type to
the users file too, such as:
DEFAULT Realm == "example.com", Autz-Type := SQL_EXAMPLE, Acct-Type :=
SQL_HOTELNOVA
Regards,
2
4
When freeradius group include in your codes support full accounting,
include commands accounting, how long?
Means this is would be mutch better for all IT spacialists in the world,
wich implements freeradius in your net infrastrucure!
Thanks!!
2
1
Now I present fully situation on a trouble process
(radiusd -X; cisco debug accounting; tcpdump vvv ports 1812-1814)
On radius server firewall is absent, this is the open system. On cisco
like this:
access-list 1 permit 192.168.255.0 0.0.0.255
access-list 1 deny any
1) User connect to the cisco
1.1) radiusd -X
rad_recv: Access-Request packet from host 192.168.255.10 port 1812,
id=140, length=77
NAS-IP-Address = 192.168.255.10
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
User-Password = "passwA"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry userA at line 7
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "passwA"
[pap] Using clear text password "passwA"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [userA/passwA] (from client csv port 2 cli 192.168.255.116)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 140 to 192.168.255.10 port 1812
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=1"
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=141, length=93
NAS-IP-Address = 192.168.255.10
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "0000012B"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2,Client-IP-Address =
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id =
"0000012B",User-Name = "userA"'
[acct_unique] Acct-Unique-Session-ID = "76873ebbdef2d2d8".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radacct/192.168.255.10/detail-20090308
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radacct/192.168.255.10/detail-20090308
[detail] expand: %t -> Sun Mar 8 00:20:17 2009
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp] expand: /var/log/radutmp -> /var/log/radutmp
[radutmp] expand: %{User-Name} -> userA
++[radutmp] returns ok
[sradutmp] expand: /var/log/sradutmp -> /var/log/sradutmp
[sradutmp] expand: %{User-Name} -> userA
++[sradutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> userA
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 141 to 192.168.255.10 port 1813
Finished request 7.
Cleaning up request 7 ID 141 with timestamp +144
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 140 with timestamp +144
Ready to process requests.
1.2) cisco debug log
002143: Mar 7 21:20:11: AAA: parse name=tty2 idb type=-1 tty=-1
002144: Mar 7 21:20:11: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0
adapter=0 port=2 channel=0
002145: Mar 7 21:20:11: AAA/MEMORY: create_user (0x80D19744) user=''
ruser='' port='tty2' rem_addr='192.168.255.116' authen_type=ASCII
service=LOGIN priv=1
002146: Mar 7 21:20:19: tty2 AAA/AUTHOR/EXEC (4225439048): Port='tty2'
list='' service=EXEC
002147: Mar 7 21:20:19: AAA/AUTHOR/EXEC: tty2 (4225439048) user='userA'
002148: Mar 7 21:20:19: tty2 AAA/AUTHOR/EXEC (4225439048): send AV
service=shell
002149: Mar 7 21:20:19: tty2 AAA/AUTHOR/EXEC (4225439048): send AV cmd*
002150: Mar 7 21:20:19: tty2 AAA/AUTHOR/EXEC (4225439048): found list
"default"
002151: Mar 7 21:20:19: tty2 AAA/AUTHOR/EXEC (4225439048):
Method=radius (radius)
002152: Mar 7 21:20:19: AAA/AUTHOR (4225439048): Post authorization
status = PASS_ADD
002153: Mar 7 21:20:19: AAA/AUTHOR/EXEC: Processing AV service=shell
002154: Mar 7 21:20:19: AAA/AUTHOR/EXEC: Processing AV cmd*
002155: Mar 7 21:20:19: AAA/AUTHOR/EXEC: Processing AV priv-lvl=1
1.3) tcpdump
00:20:17.595207 IP (tos 0x0, ttl 255, id 39695, offset 0, flags [none],
proto UDP (17), length 105) 192.168.255.10.1812 > 192.168.255.2.1812:
RADIUS, length: 77
Access Request (1), id: 0x8c, Authenticator:
61af38df3d49196d536ade8e46774faa
NAS IP Address Attribute (4), length: 6, Value: 192.168.255.10
0x0000: c0a8 ff0a
NAS Port Attribute (5), length: 6, Value: 2
0x0000: 0000 0002
NAS Port Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
Username Attribute (1), length: 4, Value: userA
0x0000: 7532
Calling Station Attribute (31), length: 17, Value: [|radius]
0x0000: 3139 322e 3136 382e 3235 [|radius]
00:20:17.595632 IP (tos 0x0, ttl 64, id 40797, offset 0, flags [none],
proto UDP (17), length 78) 192.168.255.2.1812 > 192.168.255.10.1812:
[bad udp cksum 5a95!] RADIUS, length: 50
Access Accept (2), id: 0x8c, Authenticator:
32d46241a0413e2a2970fff9fbf1a010
Service Type Attribute (6), length: 6, Value: NAS Prompt
0x0000: 0000 0007
Vendor Specific Attribute (26), length: 24, Value: Vendor:
Cisco (9)
Vendor Attribute: 1, Length: 16, Value: shell:priv-lvl=1
0x0000: 0000 0009 0112 7368 656c 6c3a 7072 6976
0x0010: 2d6c 766c 3d31
00:20:17.613428 IP (tos 0x0, ttl 255, id 39697, offset 0, flags [none],
proto UDP (17), length 121) 192.168.255.10.1813 > 192.168.255.2.1813:
RADIUS, length: 93
Accounting Request (4), id: 0x8d, Authenticator:
78efee9d88e11dcafaaf188213873e56
NAS IP Address Attribute (4), length: 6, Value: 192.168.255.10
0x0000: c0a8 ff0a
NAS Port Attribute (5), length: 6, Value: 2
0x0000: 0000 0002
NAS Port Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
Username Attribute (1), length: 4, Value: userA
0x0000: 7532
Calling Station Attribute (31), length: 17, Value: [|radius]
0x0000: 3139 322e 3136 382e 3235 [|radius]
00:20:17.614190 IP (tos 0x0, ttl 64, id 40799, offset 0, flags [none],
proto UDP (17), length 48) 192.168.255.2.1813 > 192.168.255.10.1813:
[bad udp cksum 7518!] RADIUS, length: 20
Accounting Response (5), id: 0x8d, Authenticator:
59edaa59beed3b78b57a3e4c9b6146b5
2.) User run some command
2.1) radiusd -X
(nothing)
2.2) cisco debug
002156: Mar 7 21:22:59: AAA/ACCT/CMD: User userA, Port tty2, Priv 1:
"ping 192.168.101.147 <cr>"
002157: Mar 7 21:22:59: AAA/ACCT/CMD: Found list "default"
002158: Mar 7 21:22:59: AAA/ACCT: user userA, acct type 3 (2103679520):
Method=radius (radius)
2.3) tcpdump
(nothing)
3) User logoff from cisco
3.1) radiusd -X
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=142, length=105
NAS-IP-Address = 192.168.255.10
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "0000012B"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 286
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2,Client-IP-Address =
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id =
"0000012B",User-Name = "userA"'
[acct_unique] Acct-Unique-Session-ID = "76873ebbdef2d2d8".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radacct/192.168.255.10/detail-20090308
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radacct/192.168.255.10/detail-20090308
[detail] expand: %t -> Sun Mar 8 00:25:03 2009
++[detail] returns ok
rlm_counter: Packet Unique ID = '76873ebbdef2d2d8'
rlm_counter: This Service-Type is not allowed. Returning NOOP.
++[daily] returns noop
[radutmp] expand: /var/log/radutmp -> /var/log/radutmp
[radutmp] expand: %{User-Name} -> userA
++[radutmp] returns ok
[sradutmp] expand: /var/log/sradutmp -> /var/log/sradutmp
[sradutmp] expand: %{User-Name} -> userA
++[sradutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> userA
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 142 to 192.168.255.10 port 1813
Finished request 8.
Cleaning up request 8 ID 142 with timestamp +430
Going to the next request
Ready to process requests.
3.2) cisco debug
002159: Mar 7 21:25:05: AAA/ACCT/ACCT_DISC: Found list "default"
002160: Mar 7 21:25:05: tty2 AAA/DISC: 1/"User Request"
002161: Mar 7 21:25:05: AAA/ACCT/ACCT_DISC: Found list "default"
002162: Mar 7 21:25:05: tty2 AAA/DISC/EXT: 1020/"User Request"
002163: Mar 7 21:25:05: AAA/ACCT/ACCT_DISC: Found list "default"
002164: Mar 7 21:25:05: tty2 AAA/DISC: 9/"NAS Error"
002165: Mar 7 21:25:05: AAA/ACCT/ACCT_DISC: Found list "default"
002166: Mar 7 21:25:05: tty2 AAA/DISC/EXT: 1002/"Unknown"
002167: Mar 7 21:25:05: AAA/ACCT: no attribute "elapsed_time" to
replace, adding it
002168: Mar 7 21:25:05: AAA/ACCT/EXEC/STOP: cannot retrieve modem speed
3.3) tcpdump
00:25:03.354629 IP (tos 0x0, ttl 255, id 40103, offset 0, flags [none],
proto UDP (17), length 133) 192.168.255.10.1813 > 192.168.255.2.1813:
RADIUS, length: 105
Accounting Request (4), id: 0x8e, Authenticator:
7e7d0e10eedbb36b1c4576db6cb7ed55
NAS IP Address Attribute (4), length: 6, Value: 192.168.255.10
0x0000: c0a8 ff0a
NAS Port Attribute (5), length: 6, Value: 2
0x0000: 0000 0002
NAS Port Type Attribute (61), length: 6, Value: Virtual
0x0000: 0000 0005
Username Attribute (1), length: 4, Value: userA
0x0000: 7532
Calling Station Attribute (31), length: 17, Value: [|radius]
0x0000: 3139 322e 3136 382e 3235 [|radius]
00:25:03.355476 IP (tos 0x0, ttl 64, id 40963, offset 0, flags [none],
proto UDP (17), length 48) 192.168.255.2.1813 > 192.168.255.10.1813:
[bad udp cksum a2ee!] RADIUS, length: 20
Accounting Response (5), id: 0x8e, Authenticator:
e433717ece1d6709b80331d05e7d2b31
PS:Sorry for my bad english and thanks for a privious answers!
2
1
Ok! Then I have one a question about moving Accounting packets through
my network:
When I login to cisco on log server(radius server) I racieve a:
tcpdump port 1813
15:48:00.281073 IP 192.168.255.10.radacct > carlogg.radacct: RADIUS,
Accounting Request (4), id: 0x67 length: 93
15:48:00.281727 IP carlogg.radacct > 192.168.255.10.radacct: RADIUS,
Accounting Response (5), id: 0x67 length: 20
Then mean the ttrouble in my radius setting, but I don't resolve where!
3
2
If you mean when I type a some command on cisco shell, in the cisco
console already I show you (much more), else you mean a radius server
then I must disappoint you there is a silent, nothing to do!
If you consider for important all debug information on radius when user
login-run some command-log
rad_recv: Access-Request packet from host 192.168.255.10 port 1812,
id=91, length=77
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
User-Password = "passwA"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry userA at line 7
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "passwA"
[pap] Using clear text password "passwA"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [userA/passwA] (from client csp port 1 cli 192.168.255.116)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 91 to 192.168.255.10 port 1812
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=1"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=92, length=93
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000108"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address =
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id =
"00000108",User-Name = "userA"'
[acct_unique] Acct-Unique-Session-ID = "37c9ff46441cf46b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radacct/192.168.255.10/detail-20090307
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radacct/192.168.255.10/detail-20090307
[detail] expand: %t -> Sat Mar 7 02:26:33 2009
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp] expand: /var/log/radutmp -> /var/log/radutmp
[radutmp] expand: %{User-Name} -> userA
++[radutmp] returns ok
[sradutmp] expand: /var/log/sradutmp -> /var/log/sradutmp
[sradutmp] expand: %{User-Name} -> userA
++[sradutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> userA
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 92 to 192.168.255.10 port 1813
Finished request 1.
Cleaning up request 1 ID 92 with timestamp +20
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 91 with timestamp +20
Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=93, length=105
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000108"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 14
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address =
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id =
"00000108",User-Name = "userA"'
[acct_unique] Acct-Unique-Session-ID = "37c9ff46441cf46b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radacct/192.168.255.10/detail-20090307
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radacct/192.168.255.10/detail-20090307
[detail] expand: %t -> Sat Mar 7 02:26:47 2009
++[detail] returns ok
rlm_counter: Packet Unique ID = '37c9ff46441cf46b'
rlm_counter: This Service-Type is not allowed. Returning NOOP.
++[daily] returns noop
[radutmp] expand: /var/log/radutmp -> /var/log/radutmp
[radutmp] expand: %{User-Name} -> userA
++[radutmp] returns ok
[sradutmp] expand: /var/log/sradutmp -> /var/log/sradutmp
[sradutmp] expand: %{User-Name} -> userA
++[sradutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> userA
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 93 to 192.168.255.10 port 1813
Finished request 2.
Cleaning up request 2 ID 93 with timestamp +34
Going to the next request
Ready to process requests.
2
1
OK, I comment all unix section in site-enable/default, but result is the
same!
In pucture below I thurned on debug on cisco about accounting, therefore
cisco work correctly, but radius server not recieve Accounting-Request? Why?
001534: Mar 6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): Port='tty2'
list='' service=EXEC
001535: Mar 6 22:38:57: AAA/AUTHOR/EXEC: tty2 (3942780195) user='userA'
001536: Mar 6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV
service=shell
001537: Mar 6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): send AV cmd*
001538: Mar 6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195): found list
"default"
001539: Mar 6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195):
Method=radius (radius)
001540: Mar 6 22:38:57: AAA/AUTHOR (3942780195): Post authorization
status = PASS_ADD
001541: Mar 6 22:38:57: AAA/AUTHOR/EXEC: Processing AV service=shell
001542: Mar 6 22:38:57: AAA/AUTHOR/EXEC: Processing AV cmd*
001543: Mar 6 22:38:57: AAA/AUTHOR/EXEC: Processing AV priv-lvl=1
001544: Mar 7 01:39:17 MSK: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting
message Start for session 000000FB failed to receive Accounting Response.
001545: Mar 6 22:39:34: AAA/ACCT/CMD: User userA, Port tty2, Priv 1:
"ping 192.168.101.147 <cr>"
001546: Mar 6 22:39:34: AAA/ACCT/CMD: Found list "default"
001547: Mar 6 22:39:34: AAA/ACCT: user userA, acct type 3 (2924816630):
Method=radius (radius)
2
1
Hi,
I need to upgrade our freeRADIUS 1.1.7 config to 2.1.3 on
an embedded Linux platform.
I can build everything just fine but all our authentication
attempts are rejected. I didn't do the 1.1.7 work so I am
sure I am missing something simple.
This is for a private wireless network using WPA2-PEAP.
Looks like a config screwup somewhere but I can't figure out
which specific config is causing this to fail.
The users file is:
"000000093701a89d" Cleartext-Password == "66e3c1cd773f487d"
(It used to be: "000000093701a89d" User-Password == "66e3c1cd773f487d")
The log from 'radiusd -X' is below:
(Apologies for the long log but I didn't know which stuff is
important and which isn't)
Thanks for your patience and help,
- Harshal
FreeRADIUS Version 2.1.3, for host arm-unknown-linux-gnu, built on Mar 5 2009 at 05:10:53
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/etc/raddb/radiusd.conf
including configuration file /usr/etc/raddb/proxy.conf
including configuration file /usr/etc/raddb/clients.conf
including files in directory /usr/etc/raddb/modules/
including configuration file /usr/etc/raddb/modules/passwd
including configuration file /usr/etc/raddb/modules/expiration
including configuration file /usr/etc/raddb/modules/checkval
including configuration file /usr/etc/raddb/modules/acct_unique
including configuration file /usr/etc/raddb/modules/mac2vlan
including configuration file /usr/etc/raddb/modules/echo
including configuration file /usr/etc/raddb/modules/etc_group
including configuration file /usr/etc/raddb/modules/perl
including configuration file /usr/etc/raddb/modules/expr
including configuration file /usr/etc/raddb/modules/krb5
including configuration file /usr/etc/raddb/modules/smbpasswd
including configuration file /usr/etc/raddb/modules/exec
including configuration file /usr/etc/raddb/modules/mschap
including configuration file /usr/etc/raddb/modules/unix
including configuration file /usr/etc/raddb/modules/linelog
including configuration file /usr/etc/raddb/modules/pam
including configuration file /usr/etc/raddb/modules/detail.example.com
including configuration file /usr/etc/raddb/modules/policy
including configuration file /usr/etc/raddb/modules/sql_log
including configuration file /usr/etc/raddb/modules/always
including configuration file /usr/etc/raddb/modules/logintime
including configuration file /usr/etc/raddb/modules/chap
including configuration file /usr/etc/raddb/modules/preprocess
including configuration file /usr/etc/raddb/modules/attr_rewrite
including configuration file /usr/etc/raddb/modules/inner-eap
including configuration file /usr/etc/raddb/modules/wimax
including configuration file /usr/etc/raddb/modules/mac2ip
including configuration file /usr/etc/raddb/modules/radutmp
including configuration file /usr/etc/raddb/modules/detail
including configuration file /usr/etc/raddb/modules/ldap
including configuration file /usr/etc/raddb/modules/detail.log
including configuration file /usr/etc/raddb/modules/attr_filter
including configuration file /usr/etc/raddb/modules/pap
including configuration file /usr/etc/raddb/modules/ippool
including configuration file /usr/etc/raddb/modules/realm
including configuration file /usr/etc/raddb/modules/digest
including configuration file /usr/etc/raddb/modules/counter
including configuration file /usr/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/etc/raddb/modules/files
including configuration file /usr/etc/raddb/modules/sradutmp
including configuration file /usr/etc/raddb/eap.conf
including configuration file /usr/etc/raddb/sql.conf
including configuration file /usr/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/etc/raddb/policy.conf
including files in directory /usr/etc/raddb/sites-enabled/
including configuration file /usr/etc/raddb/sites-enabled/default
including configuration file /usr/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/tmp"
logdir = "/tmp"
libdir = "/usr/lib"
radacctdir = "/tmp/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/tmp/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.0.232/24 {
require_message_authenticator = no
secret = "testing123"
shortname = "test-net"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/tmp/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/etc/raddb/certs/server.pem"
certificate_file = "/usr/etc/raddb/certs/server.pem"
CA_file = "/usr/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/etc/raddb/certs/dh"
random_file = "/usr/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/tmp/users"
acctusersfile = "/usr/etc/raddb/acct_users"
preproxy_usersfile = "/usr/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/tmp/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/etc/raddb/huntgroups"
hints = "/usr/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/tmp/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.232 port 1095, id=185, length=212
Message-Authenticator = 0xe0f835e34ec645b5600372b7db84b633
Service-Type = Framed-User
User-Name = "000000093701b60b"
Framed-MTU = 1488
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B60B"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020100150130303030303030393337303162363062
NAS-IP-Address = 192.168.0.232
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b60b", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 185 to 192.168.0.232 port 1095
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa0b48160a0b698cec6597cf0a57b9d1c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1095, id=186, length=295
Message-Authenticator = 0x5d895818b52213e57ca6df8ee6e2d19c
Service-Type = Framed-User
User-Name = "000000093701b60b"
Framed-MTU = 1488
State = 0xa0b48160a0b698cec6597cf0a57b9d1c
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B60B"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0202005619800000004c16030100470100004303014598559d10840d3a4766c7b1ae31ba3b92bc5b690c2b8c52eaabcda9d5727fcb00001c0016000a0005000400640062006100600015000900140008000600030100
NAS-IP-Address = 192.168.0.232
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b60b", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 76
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0047], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 186 to 192.168.0.232 port 1095
EAP-Message = 0x0103040019c000000aad160301002a0200002603010000008d57e879159ac19a305df3123af9d7a90ccd25447bc919abe38081701f00001600160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3039303330353134343933355a170d3130303330353134343933355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b306fa09d68dd41fbe1568fafddad6d413712ad92652aca7b0debcbfcdd8ab0bc50831e0d3df713781d2ed33683359bd3ce7ee73e593387e3fef3bdfbe02
EAP-Message = 0xf7f53983ae58c057a8a2195d095e28bb493fa2d8d4a610b39eebd98334c9d2d7a2419c04e0566be6a0cd4a9523e72a43c24408fe3f044aac2b83e36e6d9038cb0ebd6d4c2e59757be53b3adfe9961b87546fdff6e7506aa1f9fa0204967dec51f231e9d1f58a63b372dd711b01aa00b967df311fa2b2475149cde315893f6f35b7046754213bb7c205f2b86ad00acda93880facc007128428490812980fb13a37a38a158bdd447aac18cfbd0482d93796593cdb1567b23c649a07586b797c6716aab0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010044bd7a3fc8d0e35086
EAP-Message = 0xff4c148fdaf8f34d666bf50dc140d644fdd3ec635141a21ef9067226b41051d8bf977a4006449f147f9f8d1de600d4779a97b936627643570e1b372b963b0901654c0ef0ea819091699d4354f06d5dbb1414e8c44bbe949eb2ca3c2ba329dbd49695423171291fb244288713d62c04831fb0f4d49425ca307ded160f12574810e6aa952a9c1fb41eb88e561ff51d86f64369d6dd505bd4327ded8bfa1b02610cee7513e862abed4e39ec7a1b61d807f3a93009bbd904729ae220c684ecdabce42f8565840334f9d7513fd58e1e3b7069c7d9eaf29cfc6e0200009ea46d89ca661915891fac290d0121ce7439b44d8f5ad660dfbb84dbda0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa0b48160a1b798cec6597cf0a57b9d1c
Finished request 1.
Going to the next request
Waking up in 3.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1095, id=186, length=295
Sending duplicate reply to client test-net port 1095 - ID: 186
Sending Access-Challenge of id 186 to 192.168.0.232 port 1095
Waking up in 3.5 seconds.
Cleaning up request 0 ID 185 with timestamp +0
Waking up in 1.4 seconds.
Cleaning up request 1 ID 186 with timestamp +0
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.232 port 1096, id=187, length=212
Message-Authenticator = 0x4c97bf19ac4fa2df52ab10ad61de5c03
Service-Type = Framed-User
User-Name = "000000093701b6c7"
Framed-MTU = 1488
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B6C7"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020000150130303030303030393337303162366337
NAS-IP-Address = 192.168.0.232
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b6c7", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 187 to 192.168.0.232 port 1096
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3b2107603b201e8dfa81b0190ae2e8a5
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1098, id=188, length=212
Message-Authenticator = 0x73ebf1ad24a8f0ecd41f0e7474a09497
Service-Type = Framed-User
User-Name = "000000093701b5fc"
Framed-MTU = 1488
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B5FC"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020000150130303030303030393337303162356663
NAS-IP-Address = 192.168.0.232
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b5fc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 188 to 192.168.0.232 port 1098
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb31e13c2b31f0a5eb51d4c7224b622d0
Finished request 3.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1098, id=189, length=295
Message-Authenticator = 0x23515616db771204a7e6e4d055914ad8
Service-Type = Framed-User
User-Name = "000000093701b5fc"
Framed-MTU = 1488
State = 0xb31e13c2b31f0a5eb51d4c7224b622d0
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B5FC"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201005619800000004c160301004701000043030145985554e52452470f4e2c04745d0cca702792aa39a859c218edd113a11f3a2d00001c0016000a0005000400640062006100600015000900140008000600030100
NAS-IP-Address = 192.168.0.232
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b5fc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 76
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0047], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 189 to 192.168.0.232 port 1098
EAP-Message = 0x0102040019c000000aad160301002a0200002603010000009d18f73f11270fee08a7ddf7758b0b2a4dda0f697a754196cd3c89356100001600160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3039303330353134343933355a170d3130303330353134343933355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b306fa09d68dd41fbe1568fafddad6d413712ad92652aca7b0debcbfcdd8ab0bc50831e0d3df713781d2ed33683359bd3ce7ee73e593387e3fef3bdfbe02
EAP-Message = 0xf7f53983ae58c057a8a2195d095e28bb493fa2d8d4a610b39eebd98334c9d2d7a2419c04e0566be6a0cd4a9523e72a43c24408fe3f044aac2b83e36e6d9038cb0ebd6d4c2e59757be53b3adfe9961b87546fdff6e7506aa1f9fa0204967dec51f231e9d1f58a63b372dd711b01aa00b967df311fa2b2475149cde315893f6f35b7046754213bb7c205f2b86ad00acda93880facc007128428490812980fb13a37a38a158bdd447aac18cfbd0482d93796593cdb1567b23c649a07586b797c6716aab0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010044bd7a3fc8d0e35086
EAP-Message = 0xff4c148fdaf8f34d666bf50dc140d644fdd3ec635141a21ef9067226b41051d8bf977a4006449f147f9f8d1de600d4779a97b936627643570e1b372b963b0901654c0ef0ea819091699d4354f06d5dbb1414e8c44bbe949eb2ca3c2ba329dbd49695423171291fb244288713d62c04831fb0f4d49425ca307ded160f12574810e6aa952a9c1fb41eb88e561ff51d86f64369d6dd505bd4327ded8bfa1b02610cee7513e862abed4e39ec7a1b61d807f3a93009bbd904729ae220c684ecdabce42f8565840334f9d7513fd58e1e3b7069c7d9eaf29cfc6e0200009ea46d89ca661915891fac290d0121ce7439b44d8f5ad660dfbb84dbda0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb31e13c2b21c0a5eb51d4c7224b622d0
Finished request 4.
Going to the next request
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1099, id=190, length=212
Message-Authenticator = 0x10ff6939a7c6ffe69cd1d3d6895eeb1b
Service-Type = Framed-User
User-Name = "000000093701b6c7"
Framed-MTU = 1488
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B6C7"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020000150130303030303030393337303162366337
NAS-IP-Address = 192.168.0.232
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b6c7", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 190 to 192.168.0.232 port 1099
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x312aaba3312bb29dfc0d1b7d8db54603
Finished request 5.
Going to the next request
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1098, id=189, length=295
Sending duplicate reply to client test-net port 1098 - ID: 189
Sending Access-Challenge of id 189 to 192.168.0.232 port 1098
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1099, id=190, length=212
Sending duplicate reply to client test-net port 1099 - ID: 190
Sending Access-Challenge of id 190 to 192.168.0.232 port 1099
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1098, id=191, length=215
Message-Authenticator = 0xd3d1056071526cfbe28d928a9921fa5b
Service-Type = Framed-User
User-Name = "000000093701b5fc"
Framed-MTU = 1488
State = 0xb31e13c2b21c0a5eb51d4c7224b622d0
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B5FC"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061900
NAS-IP-Address = 192.168.0.232
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b5fc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 192.168.0.232 port 1098
EAP-Message = 0x010303fc194000d393d4c53e72cbea300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303330353134343933355a170d3130303330353134343933355a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a6b6b14350309d312a5d96ef4f5cc3086a878331d189e6537627ca32714761b252936eea0ca7209776d6b8d59ead812140930fdafb384510af971b234f51d01ea255c14bcd152b15283d617156a2257a78898f35ec6342de600ba413276c14020bc2ba6e7b120ff01b1d5fa6c1b9dd
EAP-Message = 0x5ccb6618762d4365081317a13a79145cc72f438e47ced4959204a7cf09956feca25db8bcac2b24e525c7ac8cee5753a71e74646baa8f64643a11222c5c1d606fb21252ec812a85f0beed9ef5303a052480f3377e44dbf0daba8117f6e4e225147f3a70cbbef7255d7124bc6c750e9da2221af106703428c7fe9e670e19bd804e1fcbc32584875838981b18f48def966aa50203010001a381fb3081f8301d0603551d0e04160414d7eec1a4a69bb281125ab18ca5d6f4fef77966423081c80603551d230481c03081bd8014d7eec1a4a69bb281125ab18ca5d6f4fef7796642a18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900d393d4c53e72cbea300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007cfe4ae8cad6fadd3a99213dc11f8e2afe739136e1fe4331fc4dcf0f8f187c2a5eb3aaebe78a7e2b5d67ba72bc7cf5eb674428e860f22461c6940d15b6da5cfa165f5ddebc04940db42120b903638cdd2d41
EAP-Message = 0xb783ee1113f440de
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb31e13c2b11d0a5eb51d4c7224b622d0
Finished request 6.
Going to the next request
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1099, id=192, length=295
Message-Authenticator = 0xbca1640ffe29b5a484f5efb0f693ecf0
Service-Type = Framed-User
User-Name = "000000093701b6c7"
Framed-MTU = 1488
State = 0x312aaba3312bb29dfc0d1b7d8db54603
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B6C7"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201005619800000004c16030100470100004303014598557f1545d6afb7fb247f29f88c5e6da59eb6d4dc04037d9f0bfe8eaf4ffb00001c0016000a0005000400640062006100600015000900140008000600030100
NAS-IP-Address = 192.168.0.232
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b6c7", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 76
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0047], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 192 to 192.168.0.232 port 1099
EAP-Message = 0x0102040019c000000aad160301002a0200002603010000009ecdf237efbda59f6079cd54cd2c43f8d89915e14f4e2eab27ae7fded300001600160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3039303330353134343933355a170d3130303330353134343933355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b306fa09d68dd41fbe1568fafddad6d413712ad92652aca7b0debcbfcdd8ab0bc50831e0d3df713781d2ed33683359bd3ce7ee73e593387e3fef3bdfbe02
EAP-Message = 0xf7f53983ae58c057a8a2195d095e28bb493fa2d8d4a610b39eebd98334c9d2d7a2419c04e0566be6a0cd4a9523e72a43c24408fe3f044aac2b83e36e6d9038cb0ebd6d4c2e59757be53b3adfe9961b87546fdff6e7506aa1f9fa0204967dec51f231e9d1f58a63b372dd711b01aa00b967df311fa2b2475149cde315893f6f35b7046754213bb7c205f2b86ad00acda93880facc007128428490812980fb13a37a38a158bdd447aac18cfbd0482d93796593cdb1567b23c649a07586b797c6716aab0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010044bd7a3fc8d0e35086
EAP-Message = 0xff4c148fdaf8f34d666bf50dc140d644fdd3ec635141a21ef9067226b41051d8bf977a4006449f147f9f8d1de600d4779a97b936627643570e1b372b963b0901654c0ef0ea819091699d4354f06d5dbb1414e8c44bbe949eb2ca3c2ba329dbd49695423171291fb244288713d62c04831fb0f4d49425ca307ded160f12574810e6aa952a9c1fb41eb88e561ff51d86f64369d6dd505bd4327ded8bfa1b02610cee7513e862abed4e39ec7a1b61d807f3a93009bbd904729ae220c684ecdabce42f8565840334f9d7513fd58e1e3b7069c7d9eaf29cfc6e0200009ea46d89ca661915891fac290d0121ce7439b44d8f5ad660dfbb84dbda0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x312aaba33028b29dfc0d1b7d8db54603
Finished request 7.
Going to the next request
Cleaning up request 2 ID 187 with timestamp +14
rad_recv: Access-Request packet from host 192.168.0.232 port 1098, id=193, length=215
Message-Authenticator = 0x66e1f59e297af70248ffd9279fa7cacb
Service-Type = Framed-User
User-Name = "000000093701b5fc"
Framed-MTU = 1488
State = 0xb31e13c2b11d0a5eb51d4c7224b622d0
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B5FC"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 192.168.0.232
NAS-Port = 2
NAS-Port-Id = "STA port # 2"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b5fc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 193 to 192.168.0.232 port 1098
EAP-Message = 0x010402c71900b6f40ba62a75c3f7e056ed63dab08273a26ced73db2ad67ec63452a1a9081835e5dc4c940335e40677cd4702c4716d15cbc3fdd4e9ca2614daf7f9da4ecdb87f748742bccdc9be59949b9ea42c704a183aed6e44d2ff4a8f276cae66d42433c26b2a0fab2d96f8750eb07a05ed4d2fb5903686c3ea30fa1137bfe57fdcc1b359d637a13a927171dc37938e11681a2afd8ee6ac2b8294685229413cde1ff4f0c66c282bcaee05160301020d0c0002090080be3a40349815c11d5ce66a0dbfbcb34b04ebc0a4102ba559658c53eecdaa1736f4d2aa57ac656ecd6345dda8bd1655097064eb08693863036f44630bcc975d4f29e52338a33f
EAP-Message = 0x9151fa77ecc98ccfe21bd0dd962e4aa7122870eda956ceb69a1dc1dca9d01ac9cad5d3c157e28d606f01e1fcf4719e3008edd7de9ed3a95f5953000102008006aa16a72210dd32ed8a1dd0547651e127dec3abbe72f600620fccf6b24fdceda572caab3dc2d61118632db2caa083db4643f0d837d40652edd54efe60093892c2a5cee708ce787d770849528eaafbbf16d3fcfa5b9f525f45aa5e9caf859d49495545447939de9727d48dd03a2747ad6c67dcab29600ebb68dbfcc2880da89401002357fb29f10c93311301e98bdf6260082072603584ee9e25a5f3d17c64b71b84edeb5d30ca912459570fb2a6a2b99866f32aad1405730561da388a6e
EAP-Message = 0xb5e77fa88a6af1cbe3f6a47981179cc3654b3a61dc86a456bbc0561bf228bd4e392e94cc6991894b9666cc2e54a2bb7f9b0ef14468dbe78a25931eb0304bf369bb77e7a56d914a5dccc5dcbb26444d3c8b42280bb339013f1ea7f52fccb11064c5cb1eca5010db732ee1976f0a715228e440c897379c09b3d3f3288aa184a7303052e8a9434704f31df0c06dce3c16d158b13ddeacc57ffb24143caa7ac492a3e6d6b41263547ba5050f7647aa8bafc23a4e5b7839e57f56aecf2fba7ec8ccf3cf071eed16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb31e13c2b01a0a5eb51d4c7224b622d0
Finished request 8.
Going to the next request
Waking up in 2.1 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1098, id=193, length=215
Sending duplicate reply to client test-net port 1098 - ID: 193
Sending Access-Challenge of id 193 to 192.168.0.232 port 1098
Waking up in 2.1 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1099, id=192, length=295
Sending duplicate reply to client test-net port 1099 - ID: 192
Sending Access-Challenge of id 192 to 192.168.0.232 port 1099
Waking up in 2.1 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1099, id=194, length=215
Message-Authenticator = 0x2ccfb642b8b05cf81b5180d2af7be0d2
Service-Type = Framed-User
User-Name = "000000093701b6c7"
Framed-MTU = 1488
State = 0x312aaba33028b29dfc0d1b7d8db54603
Called-Station-Id = "001E2AFFFED9:TI-NAV-N-001E2AFFFED9"
Calling-Station-Id = "00093701B6C7"
NAS-Identifier = "netgearfffed8"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061900
NAS-IP-Address = 192.168.0.232
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "000000093701b6c7", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 194 to 192.168.0.232 port 1099
EAP-Message = 0x010303fc194000d393d4c53e72cbea300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303330353134343933355a170d3130303330353134343933355a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a6b6b14350309d312a5d96ef4f5cc3086a878331d189e6537627ca32714761b252936eea0ca7209776d6b8d59ead812140930fdafb384510af971b234f51d01ea255c14bcd152b15283d617156a2257a78898f35ec6342de600ba413276c14020bc2ba6e7b120ff01b1d5fa6c1b9dd
EAP-Message = 0x5ccb6618762d4365081317a13a79145cc72f438e47ced4959204a7cf09956feca25db8bcac2b24e525c7ac8cee5753a71e74646baa8f64643a11222c5c1d606fb21252ec812a85f0beed9ef5303a052480f3377e44dbf0daba8117f6e4e225147f3a70cbbef7255d7124bc6c750e9da2221af106703428c7fe9e670e19bd804e1fcbc32584875838981b18f48def966aa50203010001a381fb3081f8301d0603551d0e04160414d7eec1a4a69bb281125ab18ca5d6f4fef77966423081c80603551d230481c03081bd8014d7eec1a4a69bb281125ab18ca5d6f4fef7796642a18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message = 0xb783ee1113f440de
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x312aaba33329b29dfc0d1b7d8db54603
Finished request 9.
Going to the next request
Waking up in 2.0 seconds.
rad_recv: Access-Request packet from host 192.168.0.232 port 1099, id=195, length=215
Message-Authenticator = 0x68144a1161a125be6469c57a96d7c4a4
Service-Type = Framed-User
User-Name = "000000093701b6c7"
Framed-MTU = 1488
State = 0x312aaba33329b29dfc0d1b7d8db54603
EAP-Message = 0x020300061900
2
2
Of course I debuged information from radius server:
netstat -an -p udp:
udp4 0 0 *.1814 *.*
udp4 0 0 *.1813 *.*
udp4 0 0 *.1812 *.*
radiusd.conf:
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-2.1.3
pidfile = ${run_dir}/${name}.pid
user = freeradius
group = freeradius
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
$INCLUDE ${confdir}/modules/
#$INCLUDE sql/postgresql/counter.conf
#$INCLUDE sqlippool.conf
# $INCLUDE otp.conf
}
instantiate {
exec
expr
expiration
logintime
#redundant redundant_sql {
# sql1
# sql2
#}
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/default
$INCLUDE sites-enabled/inner-tunnel
$INCLUDE sites-available/status
Part what's to happen when freeradius users login to cisco:
rad_recv: Access-Request packet from host 192.168.255.10 port 1812,
id=160, length=78
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
User-Password = "passwA"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[unix] returns notfound
[files] users: Matched entry userA at line 9
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "passwA"
[pap] Using clear text password "passwA"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [userA/passwA] (from client csp port 1 cli 192.168.255.116)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 160 to 192.168.255.10 port 1812
Service-Type = Administrative-User
Cisco-AVPair = "shell:priv-lvl=15"
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=161, length=94
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "0000008D"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address =
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id =
"0000008D",User-Name = "userA"'
[acct_unique] Acct-Unique-Session-ID = "e2a4910d828919b0".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radacct/192.168.255.10/detail-20090306
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radacct/192.168.255.10/detail-20090306
[detail] expand: %t -> Fri Mar 6 11:43:15 2009
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
++[unix] returns fail
Finished request 5.
Cleaning up request 5 ID 161 with timestamp +65
Going to the next request
Waking up in 4.9 seconds.
When I type any command on cisco shell:
- in debug mode on freeradius NOTHING
- cisco generate only one time message like this: -
"%RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session
0000008D failed to receive Accounting Response"
When user logoff from cisco:
rad_recv: Accounting-Request packet from host 192.168.255.10 port 1813,
id=174, length=106
NAS-IP-Address = 192.168.255.10
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "userA"
Calling-Station-Id = "192.168.255.116"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = NAS-Prompt-User
Acct-Session-Id = "0000008E"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 68
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address =
192.168.255.10,NAS-IP-Address = 192.168.255.10,Acct-Session-Id =
"0000008E",User-Name = "userA"'
[acct_unique] Acct-Unique-Session-ID = "cddf853fb7660ff6".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "userA", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radacct/192.168.255.10/detail-20090306
[detail] /var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radacct/192.168.255.10/detail-20090306
[detail] expand: %t -> Fri Mar 6 11:53:05 2009
++[detail] returns ok
rlm_counter: Packet Unique ID = 'cddf853fb7660ff6'
rlm_counter: This Service-Type is not allowed. Returning NOOP.
++[daily] returns noop
++[unix] returns fail
Finished request 9.
Cleaning up request 9 ID 174 with timestamp +135
Going to the next request
Ready to process requests.
...(same message like this repeat yet 3 time in differed number Finished
request 10,11,12)
2
1