Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2010
- 122 participants
- 165 discussions
Dear all,
I would like to do the following:
For a user FreeRADIUS should check the user name, password, and the MAC
address. The MAC address can be one of many in a list stored in a
database. So, this is not about a single user logging in on only one
device.
I have taken a look at the rad(group)check table, but it seems that ALL
attributes should check out alright for the user to be authenticated.
So, I cannot just simply add a list of all possible user/MAC
combinations.
How can I best achieve this? Any help would be appreciated.
Best regards,
Aaeron Jansen
3
5
12 Jul '10
Hello All freeradius users
I have been trying to get my freeradius to do authentication against a passwd-like file using the passwd module.
I'm running FreeRadius 2.1.8 on a Debian 4.0 Server used lenny-backports for the installation.
My specific configuration to get this working looks like this
Passwd module file
filename = /etc/tac-plus/passwd
format = *User-Name:User-Password
hashsize = 0
delimiter = :
authtype = pap
the password file looks like this /etc/tac-plus/passwd
jmd:TLw0SiK4QfQxg:159:20::/home/jmd:/bin/bash
users file
DEFAULT NAS-IP-Address == 172.31.254.4
Cisco-AVPair += 'Wireless-WCS:role0=SuperUsers',
Cisco-AVPair += 'Wireless-WCS:task0=Users and Groups',
Cisco-AVPair += 'Wireless-WCS:task1=Audit Trails',
There is no problem in stating the freeradius server
The debug output look like this when I try to do an authentication using radtest command
rad_recv: Access-Request packet from host 127.0.0.1 port 40466, id=179, length=55
User-Name = "jmd"
User-Password = "password"
NAS-IP-Address = 172.31.254.4
NAS-Port = 0
Thu Jul 8 15:02:10 2010 : Info: +- entering group authorize {...}
Thu Jul 8 15:02:10 2010 : Info: ++[preprocess] returns ok
Thu Jul 8 15:02:10 2010 : Info: ++[chap] returns noop
Thu Jul 8 15:02:10 2010 : Info: ++[mschap] returns noop
Thu Jul 8 15:02:10 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking up realm NULL
Thu Jul 8 15:02:10 2010 : Info: [suffix] No such realm "NULL"
Thu Jul 8 15:02:10 2010 : Info: ++[suffix] returns noop
Thu Jul 8 15:02:10 2010 : Info: [eap] No EAP-Message, not doing EAP
Thu Jul 8 15:02:10 2010 : Info: ++[eap] returns noop
Thu Jul 8 15:02:10 2010 : Info: [files] users: Matched entry DEFAULT at line 49
Thu Jul 8 15:02:10 2010 : Info: ++[files] returns ok
Thu Jul 8 15:02:10 2010 : Info: ++[expiration] returns noop
Thu Jul 8 15:02:10 2010 : Info: ++[logintime] returns noop
Thu Jul 8 15:02:10 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Thu Jul 8 15:02:10 2010 : Info: ++[pap] returns noop
Thu Jul 8 15:02:10 2010 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thu Jul 8 15:02:10 2010 : Info: Failed to authenticate the user.
Thu Jul 8 15:02:10 2010 : Info: Using Post-Auth-Type Reject
Thu Jul 8 15:02:10 2010 : Info: +- entering group REJECT {...}
Thu Jul 8 15:02:10 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> jmd
Thu Jul 8 15:02:10 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
Thu Jul 8 15:02:10 2010 : Info: ++[attr_filter.access_reject] returns updated
Thu Jul 8 15:02:10 2010 : Info: Delaying reject of request 19 for 1 seconds
Thu Jul 8 15:02:10 2010 : Debug: Going to the next request
Thu Jul 8 15:02:10 2010 : Debug: Waking up in 0.9 seconds.
Thu Jul 8 15:02:11 2010 : Info: Sending delayed reject for request 19
Sending Access-Reject of id 179 to 127.0.0.1 port 40466
Thu Jul 8 15:02:11 2010 : Debug: Waking up in 4.9 seconds.
Radtest command:
radtest jmd password localhost 0 secret
I have no clue of what I'm doing wrong !!
Please help me
Best regards
Jan Madsen
2
6
I have accounting and SQL set up (probably broken). I see the debug showing
it updating table radacct but the table remains empty.
root@ubuntu:/usr/local/etc/raddb# radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jun 21 2010
at 14:47:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file
/usr/local/etc/raddb/sites-available/dynamic-clients
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
realm WiMax.com {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client dynamic {
ipaddr = 192.168.0.0
netmask = 16
require_message_authenticator = no
dynamic_clients = "dynamic_client_server"
lifetime = 86400
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server dynamic_client_server {
modules {
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_always
Module: Instantiating ok
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
} # modules
} # server
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "root"
password = "unl0ck"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/usr/local/var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = BINARY
'%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = BINARY
'%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct
SET acctstoptime = '%S', acctsessiontime
= unix_timestamp('%S') -
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND
nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <=
'%S'"
accounting_update_query = " UPDATE radacct
SET framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32
|
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress,
nasportid, nasporttype, acctstarttime,
acctsessiontime, acctauthentic, connectinfo_start,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, servicetype, framedprotocol,
framedipaddress, acctstartdelay,
xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S',
INTERVAL (%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}',
'', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}'
<< 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctstoptime,
acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, acctterminatecause,
servicetype, framedprotocol, framedipaddress,
acctstartdelay, acctstopdelay, xascendsessionsvrkey)
VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct
SET acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay)
VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0})
SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}',
'', '%{Connect-Info}',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}'
<< 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0',
'%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = BINARY '%{SQL-User-Name}'
ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid,
username, nasipaddress, nasportid,
framedipaddress, callingstationid,
framedprotocol FROM radacct
WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Instantiating attr_filter.access_challenge
attr_filter attr_filter.access_challenge {
attrsfile = "/usr/local/etc/raddb/attrs.access_challenge"
key = "%{User-Name}"
}
Module: Instantiating handled
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_wimax
Module: Instantiating wimax
wimax {
delete_mppe_keys = yes
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.60.50 port 49154, id=22,
length=163
server dynamic_client_server {
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
} # server dynamic_client_server
- Added client 192.168.60.50 with shared secret unl0ck
rad_recv: Access-Request packet from host 192.168.60.50 port 49154, id=22,
length=163
User-Name = "KeepAliveUserNameAndPassword"
NAS-IP-Address = 192.168.60.50
NAS-Port-Type = 27
NAS-Port = 0
Calling-Station-Id = "\000\000\000\000\000"
NAS-Identifier = "001001001000032000"
WiMAX-GMT-Timezone-offset = 0
Acct-Session-Id = "KeepAliveSessionId"
User-Password = "KeepAliveUserNameAndPassword"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-00-00-00-00-00
++[wimax] returns ok
[suffix] No '@' in User-Name = "KeepAliveUserNameAndPassword", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user --> 'KeepAliveUserNameAndPassword'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = BINARY
'KeepAliveUserNameAndPassword' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = BINARY
'KeepAliveUserNameAndPassword' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = BINARY
'KeepAliveUserNameAndPassword' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user --> 'KeepAliveUserNameAndPassword'
[sql] expand: %{User-Password} -> KeepAliveUserNameAndPassword
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES
( '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'KeepAliveUserNameAndPassword',
'KeepAliveUserNameAndPassword',
'Access-Accept', '2010-07-08 16:11:46')
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'KeepAliveUserNameAndPassword',
'KeepAliveUserNameAndPassword', 'Access-Accept',
'2010-07-08 16:11:46')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
expand: %{User-Name} -> KeepAliveUserNameAndPassword
expand: %{EAP-MSK} ->
++[reply] returns noop
[wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.
++[wimax] returns noop
Sending Access-Accept of id 22 to 192.168.60.50 port 49154
WiMAX-IP-Technology = CMIP4
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = 0x
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.60.50 port 49155,
id=14, length=135
User-Name = "KeepAliveUserNameAndPassword"
NAS-IP-Address = 192.168.60.50
NAS-Port-Type = 27
NAS-Port = 0
Calling-Station-Id = "\000\000\000\000\000"
NAS-Identifier = "001001001000032000"
WiMAX-GMT-Timezone-offset = 0
Acct-Status-Type = Stop
Acct-Session-Id = "KeepAliveSessionId"
+- entering group preacct {...}
++[preprocess] returns ok
expand: %{Acct-Session-Time} ->
... expanding second conditional
expand: %{Acct-Delay-Time} ->
... expanding second conditional
expand: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}
-> 1278619906 - 0 - 0
expand: %{expr: %l - %{%{Acct-Session-Time}:-0} -
%{%{Acct-Delay-Time}:-0}} -> 1278619906
++[request] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address =
192.168.60.50,NAS-IP-Address = 192.168.60.50,Acct-Session-Id =
"KeepAliveSessionId",User-Name = "KeepAliveUserNameAndPassword"'
[acct_unique] Acct-Unique-Session-ID = "3e3e3f7489ea6051".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "KeepAliveUserNameAndPassword", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
++[unix] returns ok
[radutmp] expand: /usr/local/var/log/radius/radutmp ->
/usr/local/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> KeepAliveUserNameAndPassword
rlm_radutmp: Logout for NAS Extreme 5000 port 0, but no Login record
++[radutmp] returns ok
[sql] expand: %{User-Name} -> KeepAliveUserNameAndPassword
[sql] sql_set_user escaped user --> 'KeepAliveUserNameAndPassword'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Input-Octets} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Output-Octets} ->
[sql] ... expanding second conditional
[sql] expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql] expand: UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'
-> UPDATE radacct SET acctstoptime =
'2010-07-08 16:11:46', acctsessiontime = '',
acctinputoctets = '0' << 32 |
'0', acctoutputoctets = '0' << 32 |
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: stop packet with zero session length. [user '%{User-Name}',
nas '%{NAS-IP-Address}'] -> stop packet with zero session length. [user
'KeepAliveUserNameAndPassword', nas '192.168.60.50']
[sql] stop packet with zero session length. [user
'KeepAliveUserNameAndPassword', nas '192.168.60.50']
rlm_sql (sql): Released sql socket id: 3
++[sql] returns noop
++? if (noop)
? Evaluating (noop) -> TRUE
++? if (noop) -> TRUE
++- entering if (noop) {...}
+++[ok] returns ok
++- if (noop) returns ok
[attr_filter.accounting_response] expand: %{User-Name} ->
KeepAliveUserNameAndPassword
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 14 to 192.168.60.50 port 49155
Finished request 1.
Cleaning up request 1 ID 14 with timestamp +25
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 22 with timestamp +25
Ready to process requests.
David Peterson
2
3
Hi all!
I've just upgraded from 1.1.6 to 2.1.9. On the old server I'm used
Start/Stop and Interim-Update in acct_users file to execute some script
in this way:
DEFAULT Acct-Status-Type == Start
Exec-Program = "/usr/local/etc/raddb/aaa_pdsn.sh"
DEFAULT Acct-Status-Type == Interim-Update
Exec-Program = "/usr/local/etc/raddb/aaa_pdsn.sh"
DEFAULT Acct-Status-Type == Stop
Exec-Program = "/usr/local/etc/raddb/aaa_pdsn.sh"
But when I try it on the new server it seems it doesnt work.
exec is enabled:
Optimus# less /usr/local/etc/raddb/sites-enabled/default
...
post-auth {
# main_pool
# reply_log
# sql
# sql_log
# ldap
exec
# wimax
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
What is the best way to make it work?
3
2
Dear list,
I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, rec-configuring, etc, I still can't get my freeradius server
to properly authenticate users (for a pptd server).
First of all, on the pptpd server's side (which I know it's not your
"jurisdiction", so I'll be fast here), I have the require-mschap-v2 and
require-mppe options enabled.
As for freeradius itself, a summarized sites-enabled/default reads:
authorize {
preprocess
pap
mschap
ldap
auth_log
eap {
ok = return
}
expiration
logintime
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap
}
eap
}
My modules/ldap contains all the necessary information, and my
modules/mschap has the options use_mppe, require_encryption and
require_strong enabled, like most tutorials state.
As for the results, radtest works fine (querying LDAP etc), but through
pptd it always fails with this error:
----------------
rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "dgomes"
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
MS-CHAP2-Response =
0x48003ac4b88e3cc4c6b5819eb258c434e27a000000000000000002a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = "193.136.136.200"
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[ldap] performing user authorization for dgomes
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
gold.ipfn.ist.utl.pt:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
with filter (cn=dgomes)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user dgomes authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
expand: %t -> Thu Jul 8 14:08:34 2010
++[auth_log] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> dgomes
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
------------------
I know that the error should be enough for me to fix it (since it's
quite explanatory), but after trying many different configurations and
searching through dozens of old mailing lists posts, I still haven't
managed it...
So yeah, of you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!
Thanks in advance,
Daniel Gomes
4
12
Hm, I've done it but now when I'm running radiusd -X it shows:
Module: Checking accounting {...} for more modules to load
/usr/local/etc/raddb/sites-enabled/default[325]: Failed to load module
"exe_module".
/usr/local/etc/raddb/sites-enabled/default[323]: Errors parsing
accounting section.
After that I've tried also to create a file named exe_module in
/raddb/modules with:
exe_module {
wait = yes
program = "/usr/local/etc/raddb/aaa_pdsn.sh"
input_pairs = request
output_pairs = reply
shell_escape = yes
output = none
}
but than radiusd -X shows:
Module: Checking accounting {...} for more modules to load
/usr/local/etc/raddb/modules/exec_module[1]: Failed to link to module
'rlm_exe_module': file not found
/usr/local/etc/raddb/sites-enabled/default[325]: Failed to load module
"exe_module".
/usr/local/etc/raddb/sites-enabled/default[323]: Errors parsing
accounting section.
09.07.2010 13:13, Toure Mamadou написав(ла):
> Hi,
> First: create an exec module in radiusd.conf
> For exemple :
> exec exe_module {
> wait = yes
> program = "path to your prograù"
> input_pairs = request
> output_pairs = reply
> shell_escape = yes
> output = none
>
> }
>
> Second: edit the site-available/default to add the module name to accounting
> section.
>
> accounting {
> exe_module
> ..........
> #
> # Create a 'detail'ed log of the packets.
> # Note that accounting requests which are proxied
> # are also logged in the detail file.
> detail
> ...........
> }
>
> Hoppe it'll helpe
> Regards.
>
> -----Message d'origine-----
> De : freeradius-users-bounces+mamadou.toure=vipnet.ci(a)lists.freeradius.org
> [mailto:freeradius-users-bounces+mamadou.toure=vipnet.ci@lists.freeradius.or
> g] De la part de Eugen Vakulenko
> Envoyé : vendredi 9 juillet 2010 08:53
> À : freeradius-users(a)lists.freeradius.org
> Objet : Scripts executing in acct_users file
>
> Hi all!
>
> I've just upgraded from 1.1.6 to 2.1.9. On the old server I'm used
> Start/Stop and Interim-Update in acct_users file to execute some script
> in this way:
>
> DEFAULT Acct-Status-Type == Start
> Exec-Program = "/usr/local/etc/raddb/aaa_pdsn.sh"
> DEFAULT Acct-Status-Type == Interim-Update
> Exec-Program = "/usr/local/etc/raddb/aaa_pdsn.sh"
> DEFAULT Acct-Status-Type == Stop
> Exec-Program = "/usr/local/etc/raddb/aaa_pdsn.sh"
>
> But when I try it on the new server it seems it doesnt work.
> exec is enabled:
>
> Optimus# less /usr/local/etc/raddb/sites-enabled/default
> ...
> post-auth {
>
> # main_pool
> # reply_log
> # sql
> # sql_log
> # ldap
> exec
> # wimax
> Post-Auth-Type REJECT {
> attr_filter.access_reject
> }
> }
>
> What is the best way to make it work?
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
3
6
Hi
I have a freeradius server and it authenticate user in users file but I want to use Active directory.Is server must join any domain for using Active Directory ?Thanks.
_________________________________________________________________
Windows Live Hotmail: Arkadaşlarınız Facebook'taki güncellemelerinizi doğrudan Hotmail®'den alır.
http://www.microsoft.com/windows/windowslive/see-it-in-action/social-networ…
1
0
Hello,
I just flashed a linksys with dd-wrt and now I'm trying to setup a
freeradius server on a Fedora system. For the life of me, I can't figure out
what to do next on the system. I've installed freeradius by running - "sudo
yum install freeradius" on my Fedora, but what do I do next? The online wiki
hasn't been too helpful with fedora-specific info.
I'm hoping to setup a dialupadmin interface and manage things from there. I
don't want to hold hands here, but could someone give me a hint on what I
should be looking into next ?
Puzzled,
Abraham V.
3
6
Re: PEAP/MSCHAPv2, Post-Auth-Type REJECT {} of inner-tunnel is neverentered for access reject
by Fads Afds 09 Jul '10
by Fads Afds 09 Jul '10
09 Jul '10
Dear Alan,
Thanks for your prompt reply and helpful information.
I tried to get the error-message of inner-tunnel by running sql query in "Post-Auth-Type Reject {} of default. The message field in radpostauth table is empty. The query seems cannot access %{inner.control:My-Err-Message} attribute.
My question is: Can sql in default (outer session) access innner-server control attribute when the login is rejected? If the answer is no, would you hint me how I can get & log the error message of inner-session?
Thanks again.
After your reply, I include:
1. The warning message:
2. sql query for radpostauth
3. content of authorize section of file /etc/raddb/sites-available/default
4. radiusd -X debug message for access-reject case
------------Alan's reply ---------------------------------------
Fads Afds wrote:
> Hi Fellows,
>
> I have configured FreeRadius 2.1.8 running on SLES 11 for PEAP/MSCHAPv2. MySQL is used for user database. I have tested using "eapol_test" and win/XP SP3 supplicant.
> Accounting data can be received & stored to radacct table.
> Inner-server can successfully accept user with accumulated session time quota not exceeded and reject user with accumulated session time quota exceeded.
> My problem:
> I expect to store accept or reject log with rejecting message to radpostauth table.
> For access-accept case, sql inside post-auth {} of inner-tunnl is invoked and logging message is written to radpostauth table as expected.
> For access-reject cases (username not existed in db, wrong username, accumulated session time quota exceeded, etc), Post-Auth-Type REJECT {} of inner-tunnel is never entered. What is wrong? Any help? Thanks in advance.
The server does not currently run the "Post-Auth-Type Reject" when in
the inner tunnel. Instead, it is run in the default virtual server,
outside of the tunnel.
Alan DeKok.
-
-----------Alan's reply ends ------------------------------
-------------1. The warning message -------
[sql] WARNING: Unknown module "inner.control" in string expansion "%{inner.control:My-Err-Message}',
-------------1. ends --------------------------
------2. sql query for radpostauth ------------------
postauth_query = "INSERT INTO ${postauth_table} \
(ID, username, password, nas_ip, auth_result, reply_message, authdate) \
VALUES (NULL, \
'%{User-Name}', \
aes_encrypt('NA', 'abc123456def'), \
'%{NAS-IP-ADDRESS}', \
'%{reply:Packet-Type}', \
'%{inner.control:My-Err-Message}', \
'%S')"
-----------------2. ends -----------------------------
-----3. content of Post-Auth-Type Reject{} section of file /etc/raddb/sites-available/default ---------------
Post-Auth-Type REJECT {
sql
reply_log
attr_filter.access_reject
}
----3. ends ------------------------------------------
----4. radiusd -X message for rejected case------------------------------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=159, length=168
User-Name = "visit04"
NAS-IP-Address = 158.182.118.234
NAS-Port = 1
NAS-Identifier = "158.182.118.234"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "34159EE8BD35"
Called-Station-Id = "000B8609D780"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0201000c0176697369743034
Aruba-Essid-Name = "BU-Guest"
Aruba-Location-Id = "SRH-S906"
Message-Authenticator = 0x5fbf723681bafb64473bda5fb613e4b4
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "visit04", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 159 to 158.182.118.234 port 43514
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2451839f24539a76dd46fbeb200155bb
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=160, length=310
User-Name = "visit04"
NAS-IP-Address = 158.182.118.234
NAS-Port = 1
NAS-Identifier = "158.182.118.234"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "34159EE8BD35"
Called-Station-Id = "000B8609D780"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0202008819800000007e16030100790100007503014c36b96bd9a767fea76af8ea1ad3b3fe170ef44198d94e94e1d7f4d45eb7d95300003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100
State = 0x2451839f24539a76dd46fbeb200155bb
Aruba-Essid-Name = "BU-Guest"
Aruba-Location-Id = "SRH-S906"
Message-Authenticator = 0x807c6e2d452be6f72076f30aae603e1e
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "visit04", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 136
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 004a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084d], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 160 to 158.182.118.234 port 43514
EAP-Message = 0x0103040019c0000008aa160301004a0200004603014c36b97de42d2baf0dfe1eaffecf9e25722e8e8bc582f3a8297b4a4096de4ea420747bba71baba01650b81ddf7414a3fb3d5ac2e003f9d20859ffc9ec61dd8fe59002f00160301084d0b0008490008460003a8308203a43082028ca003020102020101300d06092a864886f70d010104050030818c310b300906035504061302434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321484b425520477565
EAP-Message = 0x737420434120636572742028363462697420736572766572293020170d3130303632343033353835305a180f32303530303631343033353835305a308182310b300906035504061302434e310b300906035504081302484b310d300b060355040a1304484b4255312e302c06035504031325484b42552047756573742073657276657220636572746966696361746520283634626974293127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7649ee337738ce465aec9a12a375bd4d76fc3c2f50ac701065d1433
EAP-Message = 0x22c38dd78776d5ad0cb747a32f6b512dce6d26cccffefd49cf1517670305c6cb6eee0b70c86cb259383ca439bf011e8d8689cd17c41e99498256f13e6f14282b8eeef46f95e742d40254b69d7270d1d349e8cd41cff1dc98ea38fb494ea6007aed1575391d69e9f1c230fea9125f09a28d544282e9520e4c5987f54ff43f94567991d6172f98bfd3a200aeb07e60345e40caff2f1f34c52e77707e3321a774bc7601827ccbd723e044ee635de38dc174e37aea2640f5dbacb3454bd89bd2e03b81031365232fe8f014c069983950f75aa8fdcce7a9ee52d57dc7fec1512a57fabb3b993b0203010001a317301530130603551d25040c300a06082b0601
EAP-Message = 0x0505070301300d06092a864886f70d01010405000382010100192613ffaf84004131ad7ce0d3da7b42d8a594371b96058ea7dc28554921dfd279076ad03cbf83ab81d7d3ac909202e97a3c22fdad6eee38f2961ef4e9cc9398c5e4bd8a0f41c9174d4fa44a1e77e95c887c065197300ea90c8ffc1d32c898c4e137b6a74834c769d7be8008fea4b3ca9c5a33505b588fd93fa440584d00f8c0c11d62bd886037289e5f27cec1039a4c311a04a7cf75b9ed578b840c66993dea65d31adf591ffc290d98d6565e70a1d3d45ae3f0c877c5104d1def8c23a79f38c92731165bfb2a84759f2c6c07e15ff75e4fe6f99e67dac4fc5ca7bf6cbdf849c44b77f6
EAP-Message = 0x614977256b1dcde1b92a76f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2451839f25529a76dd46fbeb200155bb
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=161, length=180
User-Name = "visit04"
NAS-IP-Address = 158.182.118.234
NAS-Port = 1
NAS-Identifier = "158.182.118.234"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "34159EE8BD35"
Called-Station-Id = "000B8609D780"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020300061900
State = 0x2451839f25529a76dd46fbeb200155bb
Aruba-Essid-Name = "BU-Guest"
Aruba-Location-Id = "SRH-S906"
Message-Authenticator = 0xc129a38994a204510116e4a413e3fd4f
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "visit04", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 161 to 158.182.118.234 port 43514
EAP-Message = 0x010403fc1940d8d084a884e20a2a165c46af33618c22000498308204943082037ca003020102020900a00b0c8b6ee723bb300d06092a864886f70d010105050030818c310b300906035504061302434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321484b425520477565737420434120636572742028363462697420736572766572293020170d3130303632343033353833335a180f32303530303631343033353833335a30818c310b30090603550406
EAP-Message = 0x1302434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321484b4255204775657374204341206365727420283634626974207365727665722930820122300d06092a864886f70d01010105000382010f003082010a0282010100c001917da3c962085a616702fa98c2bd794c7edfa3a1f038258e018a126e736e3a61ae5120b956ab0566a9258b889d66e616e2d702b1a0f5ec79b1b484a9a9ec5ff3ba49d31895a6073ac132c9aa28f3e9906d0a6e3c24e852
EAP-Message = 0x621586b8db41ce111ebf2befc143a5cc9d562d020594fe407135ec1c068dd0303eca75e5c5dd9cab898af3e870072ea3eca78602644eea0bac0c5619925b56aba1b1c1fc4c48fded87cdcf44d1b99a2c1f534e8b88e4a35f9d1ffa8a50cdb402743516a0cbce2a4796459501875ec225357d4a362202e15ee12a0154f018e5b84a5e5884c268d3154ed41f7b78ea2f6df852e07bdd50a55c26467bcaf75c41d393bc78b27fb5170203010001a381f43081f1301d0603551d0e04160414c134ca58d9d8f09b9207417630a08266b192ef523081c10603551d230481b93081b68014c134ca58d9d8f09b9207417630a08266b192ef52a18192a4818f3081
EAP-Message = 0x8c310b300906035504061302434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321484b42552047756573742043412063657274202836346269742073657276657229820900a00b0c8b6ee723bb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000d81bb75569e9ce10ee1cc274ce224d6d175d681f14079bdb2953b179dc9e15eedecd08f8d61f1759f3bb4c97458573e0b9b6b6be66954fc48d713a54ad949e99d806a
EAP-Message = 0x400957b5cd394c74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2451839f26559a76dd46fbeb200155bb
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=162, length=180
User-Name = "visit04"
NAS-IP-Address = 158.182.118.234
NAS-Port = 1
NAS-Identifier = "158.182.118.234"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "34159EE8BD35"
Called-Station-Id = "000B8609D780"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020400061900
State = 0x2451839f26559a76dd46fbeb200155bb
Aruba-Essid-Name = "BU-Guest"
Aruba-Location-Id = "SRH-S906"
Message-Authenticator = 0x840c9d88dbf3256afd4525a35ea49bd4
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "visit04", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 162 to 158.182.118.234 port 43514
EAP-Message = 0x010500c4190012c062cd3163799ab42c262a3b39ee4aadeba8ca0584
be4afc188b998b5b79ebc112998a4791842e212835761d44b5202634a16bdc8886be5a2a6ddef1be
58fd73726f412c140197da3a29fc44aa1b67361c18f9f72312826067f64edc638e6a8b5511cd2c9e
d88cb6de9ef5c6c909025dc37b4abdc9fdc643561bb06b1e07e30de728a7e8a4dc07dda92896b897
6fedf2623b70b61a7757012cb421a8c76616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2451839f27549a76dd46fbeb200155bb
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 158.182.118.234 port 43514, id=163, le
ngth=512
User-Name = "visit04"
NAS-IP-Address = 158.182.118.234
NAS-Port = 1
NAS-Identifier = "158.182.118.234"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "34159EE8BD35"
Called-Station-Id = "000B8609D780"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0205015019800000014616030101061000010201003bf0a1c7ffabbf
d264a9ed58e54032fa600764768552751ec7f53062cd5a9ebaa52c46c6d6473f0ca33765d222a337
0309fd496e403f48ffa250620d87d7e2b53adff292a0fe7aa59ce6c6a894c9a9f251310c58d2798e
462eaef1dd00f79a31fb4074edfeb033e90924c3f8d236a5155f28b1a3f99c6ec692afccca487db4
4f9a9044c7d837eebf3da89c3f8f4f441b1e7f89b8eb9ae31e4ace331184697e1becff07f91fae76
6b7db43ab8665fbf2fee0a1e60dc06b4da5372041ed4c3f0e8644c5833201b9fa612988d54f2909f
6a0c4378a46a93fb1c589f62dfe98b51d639aa10afc5cdfe22
EAP-Message = 0x4c6390331da2262fadc0868cc2a68da17c72dc060fbeb7d814030100
0101160301003054624df5fcb87f023583a20ff07bded2d37e6bade2f35680bb627a67a08c3715fb
e34c1eab20dd678bebe49473239609
State = 0x2451839f27549a76dd46fbeb200155bb
Aruba-Essid-Name = "BU-Guest"
Aruba-Location-Id = "SRH-S906"
Message-Authenticator = 0x305bb4b0e144e78dc6a57741b74fcc54
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "visit04", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
SSL: adding session 747bba71baba01650b81ddf7414a3fb3d5ac2e003f9d20859ffc9ec61d
d8fe59 to cache
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 163 to 158.182.118.234 port 43514
EAP-Message = 0x0106004119001403010001011603010030eb029049a915c4eed9864c
22405237450831a8c271e7d0df2892e87916cd8c988d2f45f0d8295ee9b3a28fecb0b9cb26
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2451839f20579a76dd46fbeb200155bb
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 159 with timestamp +1
Cleaning up request 1 ID 160 with timestamp +1
Cleaning up request 2 ID 161 with timestamp +1
Cleaning up request 3 ID 162 with timestamp +1
Cleaning up request 4 ID 163 with timestamp +1
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=0, length=118
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000a0174696d6531
Message-Authenticator = 0x92f180fdc088db77ec99a79a3853e8df
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 44979
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x916bee87916af76dd5fdb5b529c56e9d
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=1, length=235
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0201006d198000000063160301005e0100005a03014c36b9940675bc
6559c07769a84fd3181a44bc79b9976f0ae1362e9afe4bb177000032003900380035008800870084
00160013000a00330032002f00450044004100050004001500120009001400110008000600030201
00
State = 0x916bee87916af76dd5fdb5b529c56e9d
Message-Authenticator = 0x8be06fd650f109fc2ad4ec626bcf639c
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 109
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 99
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005e], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 004a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084d], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 44979
EAP-Message = 0x0102040019c000000abc160301004a0200004603014c36b9948fd417
c358d194f7f033ae8cc5ff244d77ca8166fc6881b774d94ef32044540d0f50e26d1444cb5ce1d6f3
d574fbc20b1cddb9a708567434fa1bebc167003901160301084d0b0008490008460003a8308203a4
3082028ca003020102020101300d06092a864886f70d010104050030818c310b3009060355040613
02434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a13
04484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e
6564752e686b312a302806035504031321484b425520477565
EAP-Message = 0x73742043412063657274202836346269742073657276657229302017
0d3130303632343033353835305a180f32303530303631343033353835305a308182310b30090603
5504061302434e310b300906035504081302484b310d300b060355040a1304484b4255312e302c06
035504031325484b4255204775657374207365727665722063657274696669636174652028363462
6974293127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564
752e686b30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7649e
e337738ce465aec9a12a375bd4d76fc3c2f50ac701065d1433
EAP-Message = 0x22c38dd78776d5ad0cb747a32f6b512dce6d26cccffefd49cf151767
0305c6cb6eee0b70c86cb259383ca439bf011e8d8689cd17c41e99498256f13e6f14282b8eeef46f
95e742d40254b69d7270d1d349e8cd41cff1dc98ea38fb494ea6007aed1575391d69e9f1c230fea9
125f09a28d544282e9520e4c5987f54ff43f94567991d6172f98bfd3a200aeb07e60345e40caff2f
1f34c52e77707e3321a774bc7601827ccbd723e044ee635de38dc174e37aea2640f5dbacb3454bd8
9bd2e03b81031365232fe8f014c069983950f75aa8fdcce7a9ee52d57dc7fec1512a57fabb3b993b
0203010001a317301530130603551d25040c300a06082b0601
EAP-Message = 0x0505070301300d06092a864886f70d01010405000382010100192613
ffaf84004131ad7ce0d3da7b42d8a594371b96058ea7dc28554921dfd279076ad03cbf83ab81d7d3
ac909202e97a3c22fdad6eee38f2961ef4e9cc9398c5e4bd8a0f41c9174d4fa44a1e77e95c887c06
5197300ea90c8ffc1d32c898c4e137b6a74834c769d7be8008fea4b3ca9c5a33505b588fd93fa440
584d00f8c0c11d62bd886037289e5f27cec1039a4c311a04a7cf75b9ed578b840c66993dea65d31a
df591ffc290d98d6565e70a1d3d45ae3f0c877c5104d1def8c23a79f38c92731165bfb2a84759f2c
6c07e15ff75e4fe6f99e67dac4fc5ca7bf6cbdf849c44b77f6
EAP-Message = 0x614977256b1dcde1b92a76f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x916bee879069f76dd5fdb5b529c56e9d
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=2, length=132
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0x916bee879069f76dd5fdb5b529c56e9d
Message-Authenticator = 0xd8afe5a5dd1ff493ea23d2bdcdf9ccde
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 44979
EAP-Message = 0x010303fc1940d8d084a884e20a2a165c46af33618c22000498308204
943082037ca003020102020900a00b0c8b6ee723bb300d06092a864886f70d010105050030818c31
0b300906035504061302434e310b300906035504081302484b310c300a0603550407130365647531
0d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f744066726775
6573742e686b62752e6564752e686b312a302806035504031321484b425520477565737420434120
636572742028363462697420736572766572293020170d3130303632343033353833335a180f3230
3530303631343033353833335a30818c310b30090603550406
EAP-Message = 0x1302434e310b300906035504081302484b310c300a06035504071303
656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440
667267756573742e686b62752e6564752e686b312a302806035504031321484b4255204775657374
204341206365727420283634626974207365727665722930820122300d06092a864886f70d010101
05000382010f003082010a0282010100c001917da3c962085a616702fa98c2bd794c7edfa3a1f038
258e018a126e736e3a61ae5120b956ab0566a9258b889d66e616e2d702b1a0f5ec79b1b484a9a9ec
5ff3ba49d31895a6073ac132c9aa28f3e9906d0a6e3c24e852
EAP-Message = 0x621586b8db41ce111ebf2befc143a5cc9d562d020594fe407135ec1c
068dd0303eca75e5c5dd9cab898af3e870072ea3eca78602644eea0bac0c5619925b56aba1b1c1fc
4c48fded87cdcf44d1b99a2c1f534e8b88e4a35f9d1ffa8a50cdb402743516a0cbce2a4796459501
875ec225357d4a362202e15ee12a0154f018e5b84a5e5884c268d3154ed41f7b78ea2f6df852e07b
dd50a55c26467bcaf75c41d393bc78b27fb5170203010001a381f43081f1301d0603551d0e041604
14c134ca58d9d8f09b9207417630a08266b192ef523081c10603551d230481b93081b68014c134ca
58d9d8f09b9207417630a08266b192ef52a18192a4818f3081
EAP-Message = 0x8c310b300906035504061302434e310b300906035504081302484b31
0c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d
0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321
484b42552047756573742043412063657274202836346269742073657276657229820900a00b0c8b
6ee723bb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000d81
bb75569e9ce10ee1cc274ce224d6d175d681f14079bdb2953b179dc9e15eedecd08f8d61f1759f3b
b4c97458573e0b9b6b6be66954fc48d713a54ad949e99d806a
EAP-Message = 0x400957b5cd394c74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x916bee879368f76dd5fdb5b529c56e9d
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=3, length=132
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0x916bee879368f76dd5fdb5b529c56e9d
Message-Authenticator = 0xea8dbecd0bbfd3fd3a2ecfa044306feb
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 44979
EAP-Message = 0x010402d6190012c062cd3163799ab42c262a3b39ee4aadeba8ca0584
510b5f850ecbe4afc188b998b5b79ebc112998a4791842e212835761d44b5202634a16bdc8886be5
a2a6ddef1becbbaa64117a58fd73726f412c140197da3a29fc44aa1b67361c18f9f72312826067f6
4edc638e6a8b5511cd2c9eff129e700e0d88cb6de9ef5c6c909025dc37b4abdc9fdc643561bb06b1
e07e30de728a7e8a4dc07dda92896b8975d7907b85b66fedf2623b70b61a7757012cb421a8c76616
0301020d0c00020900808fcc5daaf65ec4b9ed53a13aa5563c3a857d7b01a0935ce18302cbbd8117
bdcee617438d810d33e6737c2b63ad1b1e728d85e9aa9c155d
EAP-Message = 0x84c5499240de4a0574ca81181dd71a196f1dccceee978f8380d16b7e
6019d903f2d5ed2428b8649b958dbd4a5c52b8f99989c064eb651266552a0b7eab32727454b2eee7
89c78aee3b000102008006712a5b381bc117e45cbd7fab4a3f79b5de212697b11ea7050ea92387e2
bd8f55f1fcaed363ad2e59ac6ba4e20a502f5d9e320a4e67aa8a59c032fa7b1fa7c88ebf4f45a365
e247503763959d230aeba6d365560776fb3f1a37c7768df257ec6b8e874bbcc8725cc5cc3aabbf5a
a607b1ddb9aadc912084a35431ffd12d72280100567b7a139ef0b540f469f3152ea29b1279ce2c0b
e37d8b0589af62c0feabc70a4b75e169fbe19eaed05d94fd35
EAP-Message = 0x0487fa6a7fb0deb69a9441ff459df22b562e61aea5b6d6a925ebddd2
734c0f91be9589c39f74308377167856c63654257d3b82c3e1cd1dc2078af6428cd457be9f4f16f7
8a57f6726e9008ae8a91446703c2409b24f8c1dc43824cec7d78baeb1c4bdedd15e6e7d646c11261
1e5f2fca452578637f56d7f8bc7fb70a5046bc5855a58c1a478b3a0d815d5a7a679dcda704ee07e0
f998917389ac127708a67b52b700b8d6fcd2e2b07b12255a72e7daa1641063f71fd4071d842283ac
dcf4f8cbafeb53d34c08874d672b4d0ed135e0948d32e316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x916bee87926ff76dd5fdb5b529c56e9d
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=4, length=334
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400d01980000000c6160301008610000082008033eddf5661f7ab
ee16b84267fd8caedf21933f4765a74e0225225c1a0f0fa34073f798a1c6fb78d1d8cce2a7233f96
c0e46dee307cbcc4fafbfeefed0cee3d4ace2cda38f588d621182cf7784b5cfadf4ae002cb1229fe
3c25cf8a84d651b9f1a48d5c653f24078908b3f76eabcbaf0336110ea6b5ce43bce7e9806b21f497
e11403010001011603010030c0fad5b2a8620a03c368f400561a18aa1ef9c47c812975c1200ee4d9
1b6f7ab876a8328439a8d6c46b92a9d9675d5ab6
State = 0x916bee87926ff76dd5fdb5b529c56e9d
Message-Authenticator = 0xcb67ce8cdef834a019f0bc172be79567
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
SSL: adding session 44540d0f50e26d1444cb5ce1d6f3d574fbc20b1cddb9a708567434fa1b
ebc167 to cache
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 44979
EAP-Message = 0x010500411900140301000101160301003023d4aff3b00678962d4461
db9937f233d330e52eb786e7f491bf95a2ff34e61403a6af4475b47928a9a9dc5ed504a7db
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x916bee87956ef76dd5fdb5b529c56e9d
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=5, length=132
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061900
State = 0x916bee87956ef76dd5fdb5b529c56e9d
Message-Authenticator = 0x6368b75534fe339b5807873da362c3ad
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 44979
EAP-Message = 0x0106002b19001703010020875473c93e0b7cb56d652eb5fe471f11d9
35542130e98f57a3704a1b29200490
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x916bee87946df76dd5fdb5b529c56e9d
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=6, length=222
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020600601900170301002031960254e6cb92dd55e739f57bf9821c52
1ba47d45a525945bf075364b02362c1703010030430376a22471040f6ae116593bc609d44298483d
275e06234fb07925c512cc8e21911dc9580157366992019cd0648de2
State = 0x916bee87946df76dd5fdb5b529c56e9d
Message-Authenticator = 0xba24b8aee8858b6bfe01e4a0996df0d7
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - time1
[peap] Got tunnled request
EAP-Message = 0x0206000a0174696d6531
server (null) {
PEAP: Got tunneled identity of time1
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to time1
Sending tunneled request
EAP-Message = 0x0206000a0174696d6531
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail
-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100709
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan
ds to /var/log/radius/radacct/127.0.0.1/auth-detail-20100709
[auth_log] expand: %t -> Fri Jul 9 13:54:28 2010
++[auth_log] returns ok
[sql] expand: %{User-Name} -> time1
[sql] sql_set_user escaped user --> 'time1'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: (SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' and attribute != 'Cleartext-Password') UNION (SEL
ECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck
WHERE username = '%{SQL-User-Name}' and attribute = 'Cleartext-Password') ORDER
BY id -> (SELECT id, username, attribute, value, op FROM radcheck WHERE usern
ame = 'time1' and attribute != 'Cleartext-Password') UNION (SELECT id, username,
attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username =
'time1' and attribute = 'Cleartext-Password') ORDER BY id
rlm_sql_mysql: query: (SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'time1' and attribute != 'Cleartext-Password') UNION (SELECT
id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHE
RE username = 'time1' and attribute = 'Cleartext-Password') ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radrepl
y WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id, username, attribute, value, op FROM radreply WHERE usern
ame = 'time1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'time1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE user
name = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'time1' ORDER BY prior
ity
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHE
RE username = 'time1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++? if (!(control:Cleartext-Password))
?? Evaluating (control:Cleartext-Password) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(control:Cleartext-Password)) -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
expand: %{reply:acct_expiration} -> 29991231
expand: %D -> 20100709
?? Evaluating ("%{reply:acct_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") ) ->
FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
?? Evaluating (reply:1st_login_date) -> TRUE
?? Evaluating (reply:ticket_expiration) -> TRUE
expand: %{reply:1st_login_date} -> 20100601
?? Evaluating ("%{reply:1st_login_date}" != "29991231") -> TRUE
expand: %{reply:ticket_expiration} -> 20100830
expand: %D -> 20100709
?? Evaluating ("%{reply:ticket_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") ) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{
User-Name}''
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNam
e='time1'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNa
me='time1'}'
[noreset_time_counter] sql_xlat
[noreset_time_counter] expand: %{User-Name} -> time1
[noreset_time_counter] sql_set_user escaped user --> 'time1'
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='time1' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time
1'
[noreset_time_counter] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/
sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='
time1'
[noreset_time_counter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[noreset_time_counter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct W
HERE UserName='time1'} -> 205
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user time1, check_item=20, counter=205
++[noreset_time_counter] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
+++[control] returns reject
++- if (reject) returns reject
Invalid user (rlm_sqlcounter: Maximum never usage time reached): [time1/<via Aut
h-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunne
l)
} # server inner-tunnel
[peap] Got tunneled reply code 3
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Reply-Message = "Your maximum never usage time has been reached"
[peap] Got tunneled reply RADIUS code 3
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Reply-Message = "Your maximum never usage time has been reached"
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 44979
EAP-Message = 0x0107003b190017030100300a7bc9169f55617f8b9404f23c70a22ec0
351e07fa46e1f17ec51bf9edddc23df774d9da16c92de9e5a5eb8ae95eaace
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x916bee87976cf76dd5fdb5b529c56e9d
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44979, id=7, length=222
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0207006019001703010020e87fc62cb04cb5a8db18300f4f10d851de
97490da264270001365b5b2474578517030100309b29d0ffe622d696ca430fd4b2c7a86c0040aaa1
70818dc976eeb7338151522559da71fff0361565af9fb778cccf58b8
State = 0x916bee87976cf76dd5fdb5b529c56e9d
Message-Authenticator = 0x0132e061daaf8f9d3ae6d187066d3f04
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
SSL: Removing session 44540d0f50e26d1444cb5ce1d6f3d574fbc20b1cddb9a708567434fa
1bebc167 from the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [time1/<via Auth-Type = EAP>] (from client localhost port 0 cli
02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[sql] expand: %{User-Name} -> time1
[sql] sql_set_user escaped user --> 'time1'
[sql] WARNING: Unknown module "inner.control" in string expansion "%{inner.contr
ol:My-Err-Message}',
'%S')"
[sql] expand: INSERT INTO radpostauth (ID, username,
password, nas_ip, auth_result, reply_message, authdate)
VALUES (NULL, '%{User-Name}',
aes_encrypt('NA', 'abc123456def'), '%{NAS-IP-ADD
RESS}', '%{reply:Packet-Type}',
'%{inner.control:My-Err-Message}',
'%S') -> INSERT INTO radpostauth (ID, username, passw
ord, nas_ip, auth_result, reply_message, authdate) VAL
UES (NULL, 'time1', aes_enc
rypt('NA', 'abc123456def'), '127.0.0.1',
'Access-Reject', '',
'2010-07-09 13:54:28')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(ID, username, password, nas_ip, auth_result, reply_message, authdate)
VALUES (NULL, 'time1',
aes_encrypt('NA', 'abc123456def'),
'127.0.0.1', 'Access-Reject',
'', '2010-
07-09 13:54:28')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: INSERT INTO radpostauth (ID, us
ername, password, nas_ip, auth_result, reply_message, authdate)
VALUES (NULL, 'time1',
aes_encrypt('NA', 'abc123456def'), '127.0.0.1',
'Access-Reject', '',
'2010-07-09 13:54:28')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detai
l-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/reply-detail-20100709
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d exp
ands to /var/log/radius/radacct/127.0.0.1/reply-detail-20100709
[reply_log] expand: %t -> Fri Jul 9 13:54:28 2010
++[reply_log] returns ok
[attr_filter.access_reject] expand: %{User-Name} -> time1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 12
Sending Access-Reject of id 7 to 127.0.0.1 port 44979
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 5 ID 0 with timestamp +24
Cleaning up request 6 ID 1 with timestamp +24
Cleaning up request 7 ID 2 with timestamp +24
Cleaning up request 8 ID 3 with timestamp +24
Cleaning up request 9 ID 4 with timestamp +24
Cleaning up request 10 ID 5 with timestamp +24
Cleaning up request 11 ID 6 with timestamp +24
----4. ends -------------------------
2
1
Re: Radius authenticate user but user still getting invalid credential message
by Alan DeKok 08 Jul '10
by Alan DeKok 08 Jul '10
08 Jul '10
Toure Mamadou wrote:
> Hi,
> All i've reboot my NAS. And since my user is getting invalid username and
> password allthougth I can that they are authenticated in the radius log.
If the RADIUS server is returning Access-Accept, then the issue isn't
with the RADIUS server.
Alan DeKok.
1
0