Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
December 2010
- 128 participants
- 148 discussions
Hello,
I need a little help:) I am setting radius for voip. I comment sql in
default file (authorize, Authentication) and I enable voip-postpaid for
postgresql. I have import filw for databases in
/etc/raddb/sql/postgresql/shema.sql.
Please help me out!
thanks!
I have put users in table but I am getting this error:
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql/postgresql/voip-postpaid.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 1.2.3.4 {
require_message_authenticator = no
secret = "b"
shortname = "intraswitch"
nastype = "cisco"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Linked to module rlm_pam
Module: Instantiating module "pam" from file /etc/raddb/modules/pam
pam {
pam_auth = "radiusd"
}
Module: Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_challenge {
attrsfile = "/etc/raddb/attrs.access_challenge"
key = "%{User-Name}"
}
Module: Linked to module rlm_always
Module: Instantiating module "handled" from file /etc/raddb/modules/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "ok" from file /etc/raddb/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
Module: Linked to module rlm_sql
Module: Instantiating module "pgsql-voip" from file
/etc/raddb/sql/postgresql/voip-postpaid.conf
sql pgsql-voip {
driver = "rlm_sql_postgresql"
server = "localhost"
port = ""
login = "softnet"
password = "soft1234"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 25
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_group_check_query = ""
authorize_group_reply_query = ""
accounting_onoff_query = ""
accounting_update_query = ""
accounting_update_query_alt = ""
accounting_start_query = "INSERT into Start%{h323-call-type}
(RadiusServerName, UserName, NASIPAddress, AcctTime, CalledStationId,
CallingStationId, AcctDelayTime, h323gwid, h323callorigin, h323setuptime,
H323ConnectTime, callid) values('FreeRADIUS', '%{SQL-User-Name}',
'%{NAS-IP-Address}', now(), '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Delay-Time:-0}', '%{h323-gw-id}',
'%{h323-call-origin}', strip_dot('%{h323-setup-time}'),
strip_dot('%{h323-connect-time}'), pick_id('%{h323-conf-id}',
'%{call-id}'))"
accounting_start_query_alt = ""
accounting_stop_query = "INSERT into Stop%{h323-call-type}
(RadiusServerName, UserName, NASIPAddress, AcctTime,
AcctSessionTime, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctDelayTime, H323RemoteAddress,
H323VoiceQuality, CiscoNASPort, h323callorigin, callid,
h323connecttime, h323disconnectcause, h323disconnecttime, h323gwid,
h323setuptime) values('FreeRADIUS', '%{SQL-User-Name}',
'%{NAS-IP-Address}', now(), '%{Acct-Session-Time:-0}',
'%{Acct-Input-Octets:-0}', '%{Acct-Output-Octets:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Delay-Time:-0}',
NULLIF('%{h323-remote-address}', '')::inet,
NULLIF('%{h323-voice-quality}','')::integer, NULLIF('%{Cisco-NAS-Port}',
''), '%{h323-call-origin}', pick_id('%{h323-conf-id}',
'%{call-id}'), strip_dot('%{h323-connect-time}'),
'%{h323-disconnect-cause}',
strip_dot('%{h323-disconnect-time}'), '%{h323-gw-id}',
strip_dot('%{h323-setup-time}'))"
accounting_stop_query_alt = ""
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = ""
postauth_query = ""
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql Creating new attribute pgsql-voip-SQL-Group
rlm_sql (pgsql-voip): Driver rlm_sql_postgresql (module rlm_sql_postgresql)
loaded and linked
rlm_sql (pgsql-voip): Attempting to connect to softnet@localhost:/radius
rlm_sql (pgsql-voip): starting 0
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #0
rlm_sql (pgsql-voip): Connected new DB handle, #0
rlm_sql (pgsql-voip): starting 1
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #1
rlm_sql (pgsql-voip): Connected new DB handle, #1
rlm_sql (pgsql-voip): starting 2
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #2
rlm_sql (pgsql-voip): Connected new DB handle, #2
rlm_sql (pgsql-voip): starting 3
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #3
rlm_sql (pgsql-voip): Connected new DB handle, #3
rlm_sql (pgsql-voip): starting 4
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #4
rlm_sql (pgsql-voip): Connected new DB handle, #4
rlm_sql (pgsql-voip): starting 5
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #5
rlm_sql (pgsql-voip): Connected new DB handle, #5
rlm_sql (pgsql-voip): starting 6
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #6
rlm_sql (pgsql-voip): Connected new DB handle, #6
rlm_sql (pgsql-voip): starting 7
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #7
rlm_sql (pgsql-voip): Connected new DB handle, #7
rlm_sql (pgsql-voip): starting 8
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #8
rlm_sql (pgsql-voip): Connected new DB handle, #8
rlm_sql (pgsql-voip): starting 9
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #9
rlm_sql (pgsql-voip): Connected new DB handle, #9
rlm_sql (pgsql-voip): starting 10
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #10
rlm_sql (pgsql-voip): Connected new DB handle, #10
rlm_sql (pgsql-voip): starting 11
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #11
rlm_sql (pgsql-voip): Connected new DB handle, #11
rlm_sql (pgsql-voip): starting 12
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #12
rlm_sql (pgsql-voip): Connected new DB handle, #12
rlm_sql (pgsql-voip): starting 13
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #13
rlm_sql (pgsql-voip): Connected new DB handle, #13
rlm_sql (pgsql-voip): starting 14
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #14
rlm_sql (pgsql-voip): Connected new DB handle, #14
rlm_sql (pgsql-voip): starting 15
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #15
rlm_sql (pgsql-voip): Connected new DB handle, #15
rlm_sql (pgsql-voip): starting 16
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #16
rlm_sql (pgsql-voip): Connected new DB handle, #16
rlm_sql (pgsql-voip): starting 17
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #17
rlm_sql (pgsql-voip): Connected new DB handle, #17
rlm_sql (pgsql-voip): starting 18
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #18
rlm_sql (pgsql-voip): Connected new DB handle, #18
rlm_sql (pgsql-voip): starting 19
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #19
rlm_sql (pgsql-voip): Connected new DB handle, #19
rlm_sql (pgsql-voip): starting 20
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #20
rlm_sql (pgsql-voip): Connected new DB handle, #20
rlm_sql (pgsql-voip): starting 21
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #21
rlm_sql (pgsql-voip): Connected new DB handle, #21
rlm_sql (pgsql-voip): starting 22
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #22
rlm_sql (pgsql-voip): Connected new DB handle, #22
rlm_sql (pgsql-voip): starting 23
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #23
rlm_sql (pgsql-voip): Connected new DB handle, #23
rlm_sql (pgsql-voip): starting 24
rlm_sql (pgsql-voip): Attempting to connect rlm_sql_postgresql #24
rlm_sql (pgsql-voip): Connected new DB handle, #24
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 1.2.3.4 port 60513, id=144,
length=206
Acct-Multi-Session-Id = "1291717568337"
Cisco-Attr-130 =
0x683332332d63616c6c696e672d656e74657270726973652d69643d656e74504258
Calling-Station-Id = "81609000"
NAS-Identifier = "intraswitch"
NAS-IP-Address = 1.2.3.4
3GPP2-Prepaid-acct-Capability = 0x010600000002
3GPP2-Session-Termination-Capability = 1
h323-conf-id = "h323-conf-id=1291717568337"
Vendor-Specific = 0x00000009
Event-Timestamp = "Dec 7 2010 11:26:08 CET"
User-Name = "081609000"
User-Password = "12345"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "081609000", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 081609000
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Voip-database-tp3295546p3295546.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
6
33
Hi,
I came across a bug when rlm_python executes python code that tries to load a dynamic (shared) module. This bug seems to have been discussed 2 or 3 times on this list, but no really satisfying solution appears to have been found so far (as far as I know), so I thought I might raise the subject again and perhaps try to contribute in finding a solution.
In short, I think the solution to this problem is explained here, but I don't know how to implement it in freeRADIUS : http://docs.python.org/release/2.5.2/ext/link-reqs.html
Here is my setup :
- running a perfectly standard Debian Lenny (2.6.26-2-amd64)
- installed the latest freeradius package from the lenny-backports (2.1.8+dfsg-1~bpo50+1)
- the python debian package is the one installed with Debian Lenny (2.5.2-3)
Here is my config:
----------------------------------------------
#######
# /etc/freeradius/modules/python
#######
python python_test {
mod_instantiate = radiusd_test
func_instantiate = instantiate
}
#######
# /etc/freeradius/radiusd.conf
#######
...
instantiate {
python_test
}
...
#######
# /usr/lib/python2.5/site-packages/radiusd_test.py
#######
def instantiate(p):
radiusd.radlog(radiusd.L_DBG, "THIS WORKS")
import random # this crashes
radiusd.radlog(radiusd.L_DBG, "THIS IS NEVER REACHED !")
----------------------------------------------
Here is the output of "freeradius -X" :
----------------------------------------------
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Apr 26 2010 at 21:49:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
...
Module: Linked to module rlm_python
Module: Instantiating python_test
python_init done
python python_test {
mod_instantiate = "radiusd_test"
func_instantiate = "instantiate"
}
THIS WORKS
rlm_python:EXCEPT:<type 'exceptions.ImportError'>: /usr/lib/python2.5/lib-dynload/math.so: undefined symbol: PyExc_ValueError
/etc/freeradius/modules/python[24]: Instantiation failed for module "python_test"
----------------------------------------------
The module is properly loaded, the "instantiate" function gets called, and the first log message is output. In fact, any 100% pure python code works fine. The bug happens when a python module gets loaded dynamically : importing any module located in /usr/lib/python2.5/lib-dynload/*.so will crash.
>From what I understand, here's what happens:
1) rlm_python was built against libpython2.5.a, but for optimization purposes, the linker stripped out all the symbols that were not used by rlm_python itself (including, for example, PyExc_ValueError). This behavior is platform-dependent, which probably explains why everything works fine on centos, for example.
2) when the radiusd_test module runs, it tries to import the "random" module, which itself tries to import the "math" module, which is in lib-dynload, and gets loaded dynamically.
3) unfortunately, python fails to load that module because it uses the PyExc_ValueError symbol and it does not know where it is defined (it is located in /usr/lib/libpython2.5.so.1, but unfortunately, the "math" module does not know that.
As I said, I believe that the solution to this problem is clearly explained here: http://docs.python.org/release/2.5.2/ext/link-reqs.html
As it's just a few paragraphs, I'll quote it here, for your convenience:
----------------------------------------------
While the configure script shipped with the Python sources will correctly build Python to export the symbols needed by dynamically linked extensions, this is not automatically inherited by applications which embed the Python library statically, at least on Unix. This is an issue when the application is linked to the static runtime library (libpython.a) and needs to load dynamic extensions (implemented as.so files).
The problem is that some entry points are defined by the Python runtime solely for extension modules to use. If the embedding application does not use any of these entry points, some linkers will not include those entries in the symbol table of the finished executable. Some additional options are needed to inform the linker not to remove these symbols.
Determining the right options to use for any given platform can be quite difficult, but fortunately the Python configuration already has those values. To retrieve them from an installed Python interpreter, start an interactive interpreter and have a short session like this:
>>> import distutils.sysconfig
>>> distutils.sysconfig.get_config_var('LINKFORSHARED')
'-Xlinker -export-dynamic'
The contents of the string presented will be the options that should be used. If the string is empty, there's no need to add any additional options. The LINKFORSHARED definition corresponds to the variable of the same name in Python's top-level Makefile.
----------------------------------------------
I think the short-term solution to this bug is to modify "src/modules/rlm_python/configure.in" and make it use the LINKFORSHARED linker options when linking rlm_python against libpython2.5.a., This could be done by adding a line such as:
PY_OTHER_LDFLAGS=`sed -n -e 's/^LINKFORSHARED=\(.*\)/\1/p' $PY_MAKEFILE`
just under this one:
PY_OTHER_LIBS=`sed -n -e 's/^LIBS=\(.*\)/\1/p' $PY_MAKEFILE`
and then using $PY_OTHER_LDFLAGS somewhere... the thing is, I have no idea where, because I am new to all these dynamic modules and embedded interpreters . I tried this though:
python_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $PY_OTHER_LDFLAGS -lpython${PY_VERSION} -lm"
and recompiled the debian package (dpkg-buildpackage), but the problem was not fixed.
Can someone tell me where to add those options exactly ? I can try recompiling as many times as necessary.
Apparently, at least one person complains about the fact that you have to link against the static python runtime library (libpython2.5.a) even when you plan to use dynamic modules, and he has opened a bug report here:
http://bugs.python.org/issue4434
Basically, if I understand correctly, his idea is to have the python fellows declare the proper dependencies in every *.so file, so that the libpython2.5.so.1 file gets loaded automatically when the "math" module (or any other dynamic module) gets loaded. Maybe that's the ideal solution, I really don't know. But it seems to me that we should try to fix freeRADIUS so that it works around this bug before python dependencies are fixed (it make take a while or even never happen). So I thing the only short-medium-term solution is to use LINKFORSHARED linker options.
Thanks for reading this huge message. I hope we can beat this bug.
Aurelien Geron
3
8
Thanks to a lot of work by Phil Mayers, the server now has support for
Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
The code is in the "v2.1.x" branch, and in the "stable" branch. It
will be in 2.1.11, and all later versions of the server.
The documentation is in doc/SoH.txt, and in raddb/sites-available/soh.
The EAP configuration in eap.conf can also be updated to enable SoH on
the server side.
See http://git.freeradius.org/ for information on git.
Alan DeKok.
5
22
Hi all,
We just upgraded from freeRADIUS 1.1.7 to 2.1.10, and we're having issues getting freeRADIUS to work with a thread pool (see debug logs below). The thread pool config was working in version 1.1.7.
Were there major changes on how threads were implemented from 1.1.7 to 2.1.10? Why might we be having this issue?
Debug log with thread pool:
>radiusd -fxx -l stdout
FreeRADIUS Version 2.1.10, for host i586-wrs-linux-gnu, built on Nov 25 2010 at 01:29:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log"
libdir = "/usr/lib"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 1
retry_count = 2
default_fallback = no
dead_time = 600
wake_all_if_all_dead = no
}
radiusd: #### Loading Clients ####
client 0.0.0.0/0 {
require_message_authenticator = no
secret = "siren123"
shortname = "this_Shelf"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/radiusd.conf
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/radiusd.conf
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/radiusd.conf
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
detail {
detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/radiusd.conf
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
}
Thread spawned new child 1. Total threads in pool: 1
Thread 1 waiting to be assigned a request
Thread spawned new child 2. Total threads in pool: 2
Thread 2 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 3 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread 4 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread 5 waiting to be assigned a request
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
bind_address = *
WARNING: The directive 'bind_address' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.
Debug log without thread pool (commented out in radiusd.conf):
> radiusd -fxx -l stdout
FreeRADIUS Version 2.1.10, for host i586-wrs-linux-gnu, built on Nov 25 2010 at 01:29:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log"
libdir = "/usr/lib"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 1
retry_count = 2
default_fallback = no
dead_time = 600
wake_all_if_all_dead = no
}
radiusd: #### Loading Clients ####
client 0.0.0.0/0 {
require_message_authenticator = no
secret = "siren123"
shortname = "this_Shelf"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/radiusd.conf
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/radiusd.conf
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/radiusd.conf
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
detail {
detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/radiusd.conf
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
bind_address = *
WARNING: The directive 'bind_address' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Thanks,
Keven
----------
Keven Smith-Worthylake
Software Designer, SI23
GENBAND
3500 Carling Ave
Ottawa, ON, Canada, K2H 8E9
office
keven.smithworthylake(a)genband.com
www.genband.com
2
5
Hi
I have problem with EAP
CAN YOU help me
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x90d4d2dd94c2cb92 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=97,
length=144
User-Name = "12"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021600061900
State = 0x90d4d2dd94c2cb924b3cdc7780b3dc35
Message-Authenticator = 0xfa9a966f33ce0c76a0d15f303480f4ea
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[sql] expand: %{User-Name} -> 12
[sql] sql_set_user escaped user --> '12'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '12' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '12' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'12' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 97 to 172.16.15.1 port 1027
EAP-Message =
0x0117002b19001703010020674bd0fe9ec9f56973ac49079d2029c578bad4ad1dac11d67968154832aa91fb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x90d4d2dd95c3cb924b3cdc7780b3dc35
Finished request 21.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=98,
length=181
User-Name = "12"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0217002b19001703010020f8c94f58aabcbdadb5aa695270bfa559530931a394827ef3894bfc31d1f7f4a5
State = 0x90d4d2dd95c3cb924b3cdc7780b3dc35
Message-Authenticator = 0x54cf580c0926a0e3575707db7ec6e193
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[sql] expand: %{User-Name} -> 12
[sql] sql_set_user escaped user --> '12'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '12' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '12' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'12' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[eap] EAP packet type response id 23 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - 12
[peap] Got inner identity '12'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02170007013132
server {
PEAP: Setting User-Name to 12
Sending tunneled request
EAP-Message = 0x02170007013132
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "12"
server inner-tunnel {
No such virtual server "inner-tunnel"
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 98 to 172.16.15.1 port 1027
EAP-Message =
0x0118002b190017030100201edf1da3f3138e40f27c63d735a7bff7351f5abfac971a15b3d4c2369596858c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x90d4d2dd96cccb924b3cdc7780b3dc35
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=99,
length=181
User-Name = "12"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0218002b190017030100203bfebde9a8e41dc51e361c135f24a7d001553e501d1989e8273c42570d62bff4
State = 0x90d4d2dd96cccb924b3cdc7780b3dc35
Message-Authenticator = 0xcad2dc0f9ca9a3aab35ea19c0b9b6356
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[sql] expand: %{User-Name} -> 12
[sql] sql_set_user escaped user --> '12'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '12' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM
radreply WHERE username = '12' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'12' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[eap] EAP packet type response id 24 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 99 to 172.16.15.1 port 1027
EAP-Message = 0x04180004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 23.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 21 ID 97 with timestamp +108
Cleaning up request 22 ID 98 with timestamp +108
Cleaning up request 23 ID 99 with timestamp +108
Ready to process requests.
THANK YOU WITH BEST REGARDS
AMIN AHOORA
3
4
Help me
i read full documentation of this server but problem remain
i send you with last email in sql module log
and i this maybe occurs with my sql configuration but in file mode module i
have same problem
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Nov
14 2010 at 03:05:12
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/modules/files
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "aminahooradkpw"
nastype = "other"
}
client 10.10.10.2 {
require_message_authenticator = no
secret = "aminahooradkpw"
shortname = "SingleRouter"
nastype = "mikrotik"
}
client 192.168.137.2 {
require_message_authenticator = no
secret = "aminahooradkpw"
shortname = "SingleRouter"
nastype = "mikrotik"
}
client 172.16.15.1 {
require_message_authenticator = no
secret = "dkpw"
shortname = "wireless"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/radiusd.conf
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/radiusd.conf
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/radiusd.conf
mschap {
use_mppe = no
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_cert_cn = "%{User-Name}"
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
bind_address = *
WARNING: The directive 'bind_address' is deprecated, and will be removed in
future versions of FreeRADIUS. Please edit the configuration files to use
the directive 'listen'.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=176,
length=127
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02110007013130
Message-Authenticator = 0x04fff75e7f186f6ea10588cb2241d5d2
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 17 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 176 to 172.16.15.1 port 1027
EAP-Message = 0x011200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9cb3b165fbd692931fddb1e7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=177,
length=222
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0212005419800000004a16030100450100004103014d150aea2b4d30a28baa51de77dde94e3089e861c19507aeb18d51fae369150b00001a002f000500040035000a000900030008003300390016001500140100
State = 0x9ca1a80e9cb3b165fbd692931fddb1e7
Message-Authenticator = 0x03f021f9c6cb610f8043acacd690bb14
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 18 length 84
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 74
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0045], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 177 to 172.16.15.1 port 1027
EAP-Message =
0x0113040019c00000089b160301002a0200002603014d0d79121f619ae704fedcbf9402c4aed6108b549489614209008236d368e5b700002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3039313131323130323732355a170d3130313131323130323732355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ed4b1ec73b577eb4dd302dc0192331e6e40993f78258093329b68770e5e928e1461a574ce4132402dd833efec617ff947bc6da7606f3ea98e628113ad6cc
EAP-Message =
0xabe291939f4b51566ff040429e307a26bea0beaea5ba59ddafe252c9eaee68ec220f0bf86d147dd1d20ba2257c168b0b9b1a4ca74417142b6a9c860552aa014cfd2ac15ec28ad1803eda7fe54e31bcf5fe774c9445337d94fa53a3638936a1edba4cedc9d7715919fade13eba12d84de71550a214ce20f985919cd4e4a3fc555f0117a0137eb93edeb98ff973367e1535737d76a62692870da46bbacd24c1f47a6f95594688a6c76a660e371d0ee68a6714389ee571e02283028d71161aad17aadef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007348a9f7eb447a0a18
EAP-Message =
0x1a35b4290a56356ef5bdd344c898ae5782513d75d21362e94f76c6adc2c9f119f49e142c786edcc26ffb9e1b9f67013c32f5b289c6963372be252bf780766be2861ec76e3b5afdbe6ff3486bf7ad65079b41c000c72d105b8c95d0bdf2c24553f9578d71beb518892510fc3205ef923fb02ed4ac3d282d8cfa9d173ba5cc3e47949ed06ef6fbc8328a86ff45c50061f0d0d5e41d7712a92a927497e5c9f7c6f5d07ead4e9ffe1a866ffa134d5f5aeae24fb6c9b350a025a0db619e6a2edabac6ef7e80b72ac02c87feea8f951c4ddd3292e087a52a8265e99dcd4cde088847424f21879c6d20f04e412363885aaec4973e7815fcfc53230004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9db2b165fbd692931fddb1e7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=178,
length=144
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021300061900
State = 0x9ca1a80e9db2b165fbd692931fddb1e7
Message-Authenticator = 0x1137081fd9ba42765a28a148ee37c3da
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 19 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 178 to 172.16.15.1 port 1027
EAP-Message =
0x011403fc194000dcdbb13f82d4ce56300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313131323130323732355a170d3130313131323130323732355a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4a62d9a3d9c2555520f25042b2a8b08ba1e61f07eee939363de3239d5d522b79938a269dae2eb5881c9e60fba117d1dcdbc83407a13bdde6a5d1ffd630e9613c34fad618dee5733d6ebc5df0ed3a641705baaa7250ce6a558ccef6f7def5f18f99bcc908f5a0e708f158ee77ecddc
EAP-Message =
0x8969bdf71edf554961b83f8c719cb533f47a592d81e16e77b201ed464f09be9125da469bbb0e43bc76e23bc01f2eb78c7cca22e50382a384908b7fb1f416503d37b1c955303a144ca270259872f80c44ce20cf11a44e297ca763ac058de9cb83656ec62943d728f2c5499524542f3dbb61051d7e0a9a92d7fe883670624e751d7ec9fedc674cf73f4822361b8f263d2a650203010001a381fb3081f8301d0603551d0e041604146f2687e7262e22aecd2188eb6efb02eba39839fd3081c80603551d230481c03081bd80146f2687e7262e22aecd2188eb6efb02eba39839fda18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message =
0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900dcdbb13f82d4ce56300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100647c9fcfe32740d5d6df5d621dd28948d3b5ba585446ce00a3f175f3fb60177f372d72b57463fd28220023dcc8873bd56b4bc89c39acdb8e334aaf6ac6009a784d7c780bd79366113bfbdb7d3af852bd2b9d
EAP-Message = 0x5759f29e94ec8aef
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9eb5b165fbd692931fddb1e7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=179,
length=144
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021400061900
State = 0x9ca1a80e9eb5b165fbd692931fddb1e7
Message-Authenticator = 0x312e182ce06032e4516f6d50a6c4c129
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 20 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 179 to 172.16.15.1 port 1027
EAP-Message =
0x011500b51900bf21a0b69a3e67caac09ed7c1cfbe98ac4b9e2d992a78310ee9b777b568fc84698be69b725c44305c38668cbfdf2fc4d2bd20a0a2ccca4a713772ac2d5867ce172062d8dba01d5fae9b313874d1eb94c2489edd82862b33ef58e0e0558093917fed55cb1a9b0f8fe70811709ca05d6ed1549e6377527c4a2c68c3ff021ae6f52fa1ba9e4832dad7a71d1f6775fdecb48936a9fff5e5e0910dc5645e144ad54538828a11e269616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9fb4b165fbd692931fddb1e7
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=180,
length=476
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x021501501980000001461603010106100001020100498a4854d4465ef574b4954c3c8ee6b9ae2d8ee5cf9aa79e64d7bc3cf81f0be4ad0a50782e0af7e23c14ba838680fbaf95cd58afe9d8d95d8f0a17cc7278f9841fa2334fab620dee7d4f97675b0d3f729104e25cd46051d0731ead475a45a4d22b9e60f5db2026ffe3a73facda7e5f45715de1560ca853fcf80c89dbf0b8608c5743d86ee6d02605dce1061a91b92be6c1602070ae49b93d48dbef5f41cdd81bf1a0dcbc647f2a3c5658035530d44e222a7659ad7d6a5492d5c39ab5bc75b7cc2b689af8cf9092b92833509df984b19f32d98d5345ad77717505760bdd5ed9295a3ce1da0aff0012
EAP-Message =
0xc119bae4349284a4ad2e9fb29ba4effba1c5e1697194040f1403010001011603010030333c379e1cebfa25f09bdd6df6ea7960b7cfbe9e378b62b682c6d05f0afc08e1b6ae003652ebe60bac4709d46ad0e4ae
State = 0x9ca1a80e9fb4b165fbd692931fddb1e7
Message-Authenticator = 0xf40facdf859bf71c40af155b112cbf50
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 21 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 180 to 172.16.15.1 port 1027
EAP-Message =
0x0116004119001403010001011603010030fb7d3c24d1c65b12dfa94d1ecdc6ddcc9d646faa4ecd36827418b2332203481407386ca214b13d7ab1b8cf9662552c07
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e98b7b165fbd692931fddb1e7
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=181,
length=144
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x021600061900
State = 0x9ca1a80e98b7b165fbd692931fddb1e7
Message-Authenticator = 0x2f0dd64255b0a8380e6a9b4871dfbdab
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 181 to 172.16.15.1 port 1027
EAP-Message =
0x0117002b190017030100207a938b37cd6503d215e4414cb1fd370240a2498818dfa70c7edc86e56bac80a1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e99b6b165fbd692931fddb1e7
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=182,
length=181
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0217002b19001703010020e7748073d57a68c015f4fe8d1273a2e1212cff4a26e245f4d62330ca0ddca5e2
State = 0x9ca1a80e99b6b165fbd692931fddb1e7
Message-Authenticator = 0xf80a05119c3182a4c5097b214aeb7c37
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 23 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - 10
[peap] Got inner identity '10'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02170007013130
server {
PEAP: Setting User-Name to 10
Sending tunneled request
EAP-Message = 0x02170007013130
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "10"
server inner-tunnel {
No such virtual server "inner-tunnel"
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 182 to 172.16.15.1 port 1027
EAP-Message =
0x0118002b19001703010020e922ee925838ed77c8b562883e7b7212c98e7180a9a9876b938d9d36de040ecd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ca1a80e9ab9b165fbd692931fddb1e7
Finished request 6.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.16.15.1 port 1027, id=183,
length=181
User-Name = "10"
NAS-IP-Address = 172.16.15.1
NAS-Identifier = "aminahoora.home.ir"
Framed-MTU = 1496
Called-Station-Id = "40-4a-03-ad-0b-b0"
Calling-Station-Id = "00-22-41-7d-9f-91"
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0218002b1900170301002023f62825916276e5903af5875752449fa84f8fbba2c38c0814de3f094d11738e
State = 0x9ca1a80e9ab9b165fbd692931fddb1e7
Message-Authenticator = 0x4271c9b17c0f2c3e8603ec2c6bbbc268
# Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry 10 at line 204
++[files] returns ok
[eap] EAP packet type response id 24 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 183 to 172.16.15.1 port 1027
EAP-Message = 0x04180004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 7.
Going to the next request
Waking up in 4.6 seconds.
#################################################################################
and this is my radius configuration file
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
#user = freerad
#group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
#listen {
# ipaddr = 172.16.15.1
# port = 1812
# type = auth
# virtual_server = one
# }
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = before
lower_pass = before
nospace_user = before
nospace_pass = before
checkrad = ${sbindir}/checkrad
#security {
# max_attributes = 200
# reject_delay = 1
# status_server = no
#}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
mschap {
authtype = MS-CHAP
use_mppe = no
#require_encryption = yes
#require_strong = yes
# authtype = MS-CHAP
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
#$INCLUDE ${confdir}/sql.conf
$INCLUDE ${confdir}/eap.conf
$INCLUDE ${confdir}/modules/files
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
}
instantiate {
}
authorize {
#preprocess
chap
mschap
#sql
files
eap
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
eap
}
preacct {
acct_unique
}
accounting {
#detail
#sql
}
session {
#sql
}
post-auth {
#sql
}
THANK YOU WITH BEST REGARDS
AMIN AHOORA
5
10
Greetings,
I have set up the buffered-sql server to handle importing accounting
packets from my backup radius once a day. I transfer the detail file (via
ftp) from the backup server to the newer server and put it in place for the
buffered-sql to use it, but it doesn't seem to read the file.
I though, from the description in the documentation, it would run ever X
seconds. I've set mine to 60 seconds for testing.
Am I doing something wrong?
wm
3
8
Dears,
I noticed wrong record inserted to radacct table with as
below:
RadAcctId = 5653
AcctSessionId = 2000D19
AcctUniqueId = 3a4ec8ee9b364898
..
..
AcctStartTime = 2010-12-30 12:24:59
AcctStopTime = 2010-11-24 04:10:55
AcctSessionTime = 10800
AccStatusType = Interim-Update
...
...
The AcctStopTime value older than AcctStartTime value, and the new session
overwriting on the old record.
I just found this problem in 1 record from all our records.
AcctSessionId values are repeated on my freeradius, is it normal?
Regards,
Moayad
2
1
Hi All,
So today I thought I'd try my hand at "nicely" reloading the freeradius
config using signals rather than hard restarting the daemon.
I added new config to the hints file and to the users file.
Wed Dec 29 14:49:11 2010 : Info: Received HUP signal.
Wed Dec 29 14:49:11 2010 : Info: Received HUP.
Wed Dec 29 14:49:11 2010 : Info: Module: Reloaded module "suffix"
Wed Dec 29 14:49:11 2010 : Info: Module: Reloaded module "auth_log"
Wed Dec 29 14:49:11 2010 : Info: Module: Reloaded module "files"
Wed Dec 29 14:49:11 2010 : Info: Module: Reloaded module "detail"
Wed Dec 29 14:49:11 2010 : Info: Module: Reloaded module
"attr_filter.access_reject"
Wed Dec 29 14:49:11 2010 : Info: Module: Reloaded module
"attr_filter.accounting_response"
Wed Dec 29 14:49:11 2010 : Info: Module: Reloaded module "pap"
Wed Dec 29 14:49:11 2010 : Info: Loaded virtual server status
Wed Dec 29 14:49:11 2010 : Info: Loaded virtual server <default>
Ok, so that looks good.
However freeradius continued to act as if the configuration changes had not
been made.
I then went back and did a hard stop and start of freeradius, and now it is
clearly using the new configs.
Am I missing something? This should have just worked that simply, right?
(before anyone asks the obvious, no I am not running in debug mode. I don't
have any more detail on what it was thinking at the time)
Phil P
5
6
Hi All,
I'm a starter to freeRadius and request you to provide your inputs on my below queries. I'm trying to simulate a ISP flow, where based on vendorspecific AVPs (stored in the DB from Acct-Start msg)should trigger a COA msg as shown:
NAS(RadClient here) RadiusServer
-------------- Acct Start --------------->
<----------- Ack Acct Start ----------------
(Based on the Vendor-Specific-AVP)
<------------- CoA --------------------------
----------- CoA ack ----------------->
Request to provide your inputs and help me on the below query:
1. Is there any configurations that would help in triggering the CoA msg upon the Acct Start msg processed results Or other helpful documents/links shared earlier with the forum would be helpful on this, as I could n't get the information from freeRadius search page.
thanks
Raj
________________________________
"DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."
3
8