Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2011
- 121 participants
- 144 discussions
Hi,
I came across a bug when rlm_python executes python code that tries to load a dynamic (shared) module. This bug seems to have been discussed 2 or 3 times on this list, but no really satisfying solution appears to have been found so far (as far as I know), so I thought I might raise the subject again and perhaps try to contribute in finding a solution.
In short, I think the solution to this problem is explained here, but I don't know how to implement it in freeRADIUS : http://docs.python.org/release/2.5.2/ext/link-reqs.html
Here is my setup :
- running a perfectly standard Debian Lenny (2.6.26-2-amd64)
- installed the latest freeradius package from the lenny-backports (2.1.8+dfsg-1~bpo50+1)
- the python debian package is the one installed with Debian Lenny (2.5.2-3)
Here is my config:
----------------------------------------------
#######
# /etc/freeradius/modules/python
#######
python python_test {
mod_instantiate = radiusd_test
func_instantiate = instantiate
}
#######
# /etc/freeradius/radiusd.conf
#######
...
instantiate {
python_test
}
...
#######
# /usr/lib/python2.5/site-packages/radiusd_test.py
#######
def instantiate(p):
radiusd.radlog(radiusd.L_DBG, "THIS WORKS")
import random # this crashes
radiusd.radlog(radiusd.L_DBG, "THIS IS NEVER REACHED !")
----------------------------------------------
Here is the output of "freeradius -X" :
----------------------------------------------
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Apr 26 2010 at 21:49:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
...
Module: Linked to module rlm_python
Module: Instantiating python_test
python_init done
python python_test {
mod_instantiate = "radiusd_test"
func_instantiate = "instantiate"
}
THIS WORKS
rlm_python:EXCEPT:<type 'exceptions.ImportError'>: /usr/lib/python2.5/lib-dynload/math.so: undefined symbol: PyExc_ValueError
/etc/freeradius/modules/python[24]: Instantiation failed for module "python_test"
----------------------------------------------
The module is properly loaded, the "instantiate" function gets called, and the first log message is output. In fact, any 100% pure python code works fine. The bug happens when a python module gets loaded dynamically : importing any module located in /usr/lib/python2.5/lib-dynload/*.so will crash.
>From what I understand, here's what happens:
1) rlm_python was built against libpython2.5.a, but for optimization purposes, the linker stripped out all the symbols that were not used by rlm_python itself (including, for example, PyExc_ValueError). This behavior is platform-dependent, which probably explains why everything works fine on centos, for example.
2) when the radiusd_test module runs, it tries to import the "random" module, which itself tries to import the "math" module, which is in lib-dynload, and gets loaded dynamically.
3) unfortunately, python fails to load that module because it uses the PyExc_ValueError symbol and it does not know where it is defined (it is located in /usr/lib/libpython2.5.so.1, but unfortunately, the "math" module does not know that.
As I said, I believe that the solution to this problem is clearly explained here: http://docs.python.org/release/2.5.2/ext/link-reqs.html
As it's just a few paragraphs, I'll quote it here, for your convenience:
----------------------------------------------
While the configure script shipped with the Python sources will correctly build Python to export the symbols needed by dynamically linked extensions, this is not automatically inherited by applications which embed the Python library statically, at least on Unix. This is an issue when the application is linked to the static runtime library (libpython.a) and needs to load dynamic extensions (implemented as.so files).
The problem is that some entry points are defined by the Python runtime solely for extension modules to use. If the embedding application does not use any of these entry points, some linkers will not include those entries in the symbol table of the finished executable. Some additional options are needed to inform the linker not to remove these symbols.
Determining the right options to use for any given platform can be quite difficult, but fortunately the Python configuration already has those values. To retrieve them from an installed Python interpreter, start an interactive interpreter and have a short session like this:
>>> import distutils.sysconfig
>>> distutils.sysconfig.get_config_var('LINKFORSHARED')
'-Xlinker -export-dynamic'
The contents of the string presented will be the options that should be used. If the string is empty, there's no need to add any additional options. The LINKFORSHARED definition corresponds to the variable of the same name in Python's top-level Makefile.
----------------------------------------------
I think the short-term solution to this bug is to modify "src/modules/rlm_python/configure.in" and make it use the LINKFORSHARED linker options when linking rlm_python against libpython2.5.a., This could be done by adding a line such as:
PY_OTHER_LDFLAGS=`sed -n -e 's/^LINKFORSHARED=\(.*\)/\1/p' $PY_MAKEFILE`
just under this one:
PY_OTHER_LIBS=`sed -n -e 's/^LIBS=\(.*\)/\1/p' $PY_MAKEFILE`
and then using $PY_OTHER_LDFLAGS somewhere... the thing is, I have no idea where, because I am new to all these dynamic modules and embedded interpreters . I tried this though:
python_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $PY_OTHER_LDFLAGS -lpython${PY_VERSION} -lm"
and recompiled the debian package (dpkg-buildpackage), but the problem was not fixed.
Can someone tell me where to add those options exactly ? I can try recompiling as many times as necessary.
Apparently, at least one person complains about the fact that you have to link against the static python runtime library (libpython2.5.a) even when you plan to use dynamic modules, and he has opened a bug report here:
http://bugs.python.org/issue4434
Basically, if I understand correctly, his idea is to have the python fellows declare the proper dependencies in every *.so file, so that the libpython2.5.so.1 file gets loaded automatically when the "math" module (or any other dynamic module) gets loaded. Maybe that's the ideal solution, I really don't know. But it seems to me that we should try to fix freeRADIUS so that it works around this bug before python dependencies are fixed (it make take a while or even never happen). So I thing the only short-medium-term solution is to use LINKFORSHARED linker options.
Thanks for reading this huge message. I hope we can beat this bug.
Aurelien Geron
3
8
Dear experts,
I setup mac_auth as in the freeradius wiki and its not working, am
unable to debug further.
requesting for help!
It correctly sets Auth-Type to CSID. but authorized_macs.authorize]
returns noop
I have pasted debug output and the relevant files below.
## Debug output of radiusd:
rad_recv: Access-Request packet from host 158.144.55.107 port 3072,
id=62, length=175
User-Name = "TEST\\test"
NAS-IP-Address = 158.144.55.107
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01544553545c74657374
Message-Authenticator = 0x1b88a63d48cd003d10945139139bbcac
+- entering group authorize {...}
++[control] returns notfound
Found Auth-Type = CSID
+- entering group CSID {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
+- entering group post-auth {...}
++? if (control:Auth-Type == 'CSID')
? Evaluating (control:Auth-Type == 'CSID') -> TRUE
++? if (control:Auth-Type == 'CSID') -> TRUE
++- entering if (control:Auth-Type == 'CSID') {...}
[authorized_macs] expand: %{Calling-Station-ID} -> 001a734337c9
+++[authorized_macs.authorize] returns noop
+++? if (!ok)
? Evaluating !(ok) -> TRUE
+++? if (!ok) -> TRUE
+++- entering if (!ok) {...}
++++[reject] returns reject
+++- if (!ok) returns reject
++- if (control:Auth-Type == 'CSID') returns reject
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform
requested action.
###### cat sites-available/default
authorize {
#eap
update control {
Auth-Type = 'CSID'
}
}
authenticate {
Auth-Type CSID {
if(Chap-Password){
update control {
Cleartext-Password := "%{User-Name}"
}
chap
}
else{
ok
}
}
}
post-auth {
if(control:Auth-Type == 'CSID'){
# Authorization happens here
authorized_macs.authorize
if(!ok){
reject
}
}
}
##### cat modules/file
files authorized_macs {
key = "%{Calling-Station-ID}"
usersfile = ${confdir}/authorized_macs
compat = no
}
#### cat {confdir}/authorized_macs
001a734337c9 Reply-Message = "OK"
Thank you for helping!
--
+----------------------------------+--------------------------------------+
Nagaraj Panyam | Office tel: +91-22-22782126
Dept of High Energy Physics | Office fax: +91-22-22804610
Tata Instt. of Fundamental Research| Home tel : +91-22-22804936
Mumbai - 400 005, INDIA | **Email** : pn(a)tifr.res.in
+----------------------------------+--------------------------------------+
4
12
Hi All,
since a couple of days/weeks i try to setup freeradius.
Now i need your help, please.
I setup debian lenny with freeradius, md5, eap and users file
The wlan router is a linksys wrt 54gl with dd-wrt, wpa enterprise setting
the notebook is an open suse 11.0, wpa enterprise, and fix lan setting
Here is the response from the freeradius:
rad_recv: Access-Request packet from host 192.168.0.11 port 2051, id=0,
length=155
Cleaning up request 0 ID 0 with timestamp +326
User-Name = "testing"
NAS-IP-Address = 192.168.0.11
Called-Station-Id = "001c10a2d0a4"
Calling-Station-Id = "0018dee18589"
NAS-Identifier = "001c10a2d0a4"
NAS-Port = 45
Framed-MTU = 1400
State = 0x3e3194d13e30905601a93fde307ac9f6
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001604101edbf55e6b60c293194f897089813ad6
Message-Authenticator = 0x7d0de8fe533832512c77f3bb10a3ecaf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testing at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [testing/<via Auth-Type = EAP>] (from client private-network port
45 cli 0018dee18589)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.0.11 port 2051
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testing"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 0 with timestamp +326
Ready to process requests.
what did i forgot?
Normally i expect that the router or whom ever will generate a wpa key and
the wlan router and the notebook should comunicate now.?
Do you have any hints for me or do you need more information about the
setup?
thx
Chris
--
View this message in context: http://freeradius.1045715.n5.nabble.com/authentication-work-but-i-got-no-ac…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
1
I've been testing EAP-TTLS/MSCHAPv2 authentication with a network
device. FreeRADIUS keeps complaining about EAP sessions not finishing
with the link to the certificate compatibility wiki link, however the
authentication process completes successfully. Looking at the packet
exchanges more carefully it appears that the supplicant is not
incrementing the Packet Identifier. Every EAP packet sent by the
device uses an packet identifier of 0.
Digging through the RFCs I didn't find a requirement that the Packet
Identifier be incremented, only the note that it is used to correlate
requests and responses. This is obviously probably more difficult if
it never changes.
Is it a requirement that the NAS increment or change this value? It
would definitely seem to be the preferred choice. Or is the server a
bit too aggressive in detecting incomplete EAP sessions in this case?
rad_recv: Access-Request packet from host 66.242.65.10 port 28461,
id=0, length=90
User-Name = "anonymous"
NAS-IP-Address = 192.168.4.48
NAS-Port = 5
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1020
EAP-Message = 0x0201000f01616e6f6e796d6f757300
Message-Authenticator = 0x8509fb9d5f2dbeb7f8d46ab44db4053a
Wed Jan 5 12:20:12 2011 : Info: server canopy {
Wed Jan 5 12:20:12 2011 : Info: # Executing section authorize from
file /etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authorize {...}
Wed Jan 5 12:20:12 2011 : Info: expand: %{User-Name} -> anonymous
Wed Jan 5 12:20:12 2011 : Info: ++[reply] returns notfound
Wed Jan 5 12:20:12 2011 : Info: ++[preprocess] returns ok
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP packet type response
id 1 length 15
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] No EAP Start, assuming
it's an on-going EAP conversation
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns updated
Wed Jan 5 12:20:12 2011 : Info: Found Auth-Type = eap_canopy
Wed Jan 5 12:20:12 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authenticate {...}
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP Identity
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] processing type tls
Wed Jan 5 12:20:12 2011 : Info: [tls] Flushing SSL sessions (of #0)
Wed Jan 5 12:20:12 2011 : Info: [tls] Initiate
Wed Jan 5 12:20:12 2011 : Info: [tls] Start returned 1
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns handled
Wed Jan 5 12:20:12 2011 : Info: } # server canopy
Sending Access-Challenge of id 0 to 66.242.65.10 port 28461
User-Name = "anonymous"
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x349732523495276465a22536fa36099e
Wed Jan 5 12:20:12 2011 : Info: Finished request 9.
Wed Jan 5 12:20:12 2011 : Debug: Going to the next request
Wed Jan 5 12:20:12 2011 : Debug: Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 66.242.65.10 port 28461,
id=0, length=161
Wed Jan 5 12:20:12 2011 : Info: Cleaning up request 9 ID 0 with timestamp +54
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! EAP session for state
0x3497325234952764 did not finish!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "anonymous"
State = 0x349732523495276465a22536fa36099e
NAS-IP-Address = 192.168.4.48
NAS-Port = 5
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1020
EAP-Message =
0x0202004415800000003a16030100350100003103017484d895bc503fb0c4c912ab6232d60da4629c843adb37f0faf3e30207d0cc4f00000a0035002f00040005000a0100
Message-Authenticator = 0x6b3d2a6441e0c787a2fd93770babab19
Wed Jan 5 12:20:12 2011 : Info: server canopy {
Wed Jan 5 12:20:12 2011 : Info: # Executing section authorize from
file /etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authorize {...}
Wed Jan 5 12:20:12 2011 : Info: expand: %{User-Name} -> anonymous
Wed Jan 5 12:20:12 2011 : Info: ++[reply] returns notfound
Wed Jan 5 12:20:12 2011 : Info: ++[preprocess] returns ok
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP packet type response
id 2 length 68
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Continuing tunnel setup.
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns ok
Wed Jan 5 12:20:12 2011 : Info: Found Auth-Type = eap_canopy
Wed Jan 5 12:20:12 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authenticate {...}
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Request found, released
from the list
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP/ttls
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] processing type ttls
Wed Jan 5 12:20:12 2011 : Info: [ttls] Authenticate
Wed Jan 5 12:20:12 2011 : Info: [ttls] processing EAP-TLS
Wed Jan 5 12:20:12 2011 : Debug: TLS Length 58
Wed Jan 5 12:20:12 2011 : Info: [ttls] Length Included
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_verify returned 11
Wed Jan 5 12:20:12 2011 : Info: [ttls] (other): before/accept
initialization
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: before/accept
initialization
Wed Jan 5 12:20:12 2011 : Info: [ttls] <<< TLS 1.0 Handshake [length
0035], ClientHello
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 read
client hello A
Wed Jan 5 12:20:12 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length
004a], ServerHello
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 write
server hello A
Wed Jan 5 12:20:12 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length
06ab], Certificate
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 write
certificate A
Wed Jan 5 12:20:12 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length
0004], ServerHelloDone
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 write
server done A
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 flush data
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: Need to read
more data: SSLv3 read client certificate A
Wed Jan 5 12:20:12 2011 : Debug: In SSL Handshake Phase
Wed Jan 5 12:20:12 2011 : Debug: In SSL Accept mode
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_process returned 13
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns handled
Wed Jan 5 12:20:12 2011 : Info: } # server canopy
Sending Access-Challenge of id 0 to 66.242.65.10 port 28461
User-Name = "anonymous"
EAP-Message =
0x010303f815c000000708160301004a0200004603014d24b65c4dbdb63d3c79b319ba6a424ccf269a207ef66b8106ef2344c06569522056e4abbc8e95315b66f0618a78ce9a1ea6c20108ff0671f3835cc086cf08060500350016030106ab0b0006a70006a40003523082034e308202b7a003020102020101300d06092a864886f70d01010505003081c0310b30090603550406130255533111300f06035504081308496c6c696e6f69733121301f060355040a13184d6f746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312230200603550403131943
EAP-Message =
0x616e6f707920414141205365727665722044656d6f2043413133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d301e170d3031303130313030303030305a170d3439313233313233353935395a3081c9310b30090603550406130255533111300f06035504081308496c6c696e6f69733121301f060355040a13184d6f746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312b30290603550403132243616e6f707920414141205365727665722044656d6f2043657274
EAP-Message =
0x696669636174653133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c32657829c0a23f3e456cbcb0128a00d9c180e00b857bcaecd388d159b14c017ff8e104968a1ab43622449c88cfcd301a5e78b3d54cbde59a1792118a2865b4359912727d8eff49120fdef4f16a0dd6d57298d4d8154c3cf5d7eaf0c2ff6d2464820206d9b1ce8eea199790cbffadc6da11ea78fa49717944f82a6e2f79396bd0203010001a34d304b30090603551d1304023000301d0603551d0e04160414c02f761f28
EAP-Message =
0xade55e9451ed89078a0a74230811b8301f0603551d23041830168014eb8c22114d8cc6f0968ff7e23373b77b2eb56940300d06092a864886f70d010105050003818100bbb34e7519ee8671fafa40eddaa5a35aeaf5d3c693f9edb171649daa0d4e1344517235eec07129b379c54ef5cc7bf973104e1ff809539c92b7609dcf54017f5943a86f09a4ec427954b926789b27a2aa13202128eca10f06f5f87935112e776441859d9c65d21b225c4e68189151445c0bd5ecddb60b737747dd693cc7baba4100034c30820348308202b1a003020102020100300d06092a864886f70d01010505003081c0310b30090603550406130255533111300f06035504
EAP-Message = 0x08130849
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x349732523594276465a22536fa36099e
Wed Jan 5 12:20:12 2011 : Info: Finished request 10.
Wed Jan 5 12:20:12 2011 : Debug: Going to the next request
Wed Jan 5 12:20:12 2011 : Debug: Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 66.242.65.10 port 28461,
id=0, length=99
Wed Jan 5 12:20:12 2011 : Info: Cleaning up request 10 ID 0 with timestamp +54
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! EAP session for state
0x3497325235942764 did not finish!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "anonymous"
State = 0x349732523594276465a22536fa36099e
NAS-IP-Address = 192.168.4.48
NAS-Port = 5
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1020
EAP-Message = 0x020300061500
Message-Authenticator = 0x869522bac614c2e3093e89644c53dc6a
Wed Jan 5 12:20:12 2011 : Info: server canopy {
Wed Jan 5 12:20:12 2011 : Info: # Executing section authorize from
file /etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authorize {...}
Wed Jan 5 12:20:12 2011 : Info: expand: %{User-Name} -> anonymous
Wed Jan 5 12:20:12 2011 : Info: ++[reply] returns notfound
Wed Jan 5 12:20:12 2011 : Info: ++[preprocess] returns ok
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP packet type response
id 3 length 6
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Continuing tunnel setup.
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns ok
Wed Jan 5 12:20:12 2011 : Info: Found Auth-Type = eap_canopy
Wed Jan 5 12:20:12 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authenticate {...}
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Request found, released
from the list
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP/ttls
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] processing type ttls
Wed Jan 5 12:20:12 2011 : Info: [ttls] Authenticate
Wed Jan 5 12:20:12 2011 : Info: [ttls] processing EAP-TLS
Wed Jan 5 12:20:12 2011 : Info: [ttls] Received TLS ACK
Wed Jan 5 12:20:12 2011 : Info: [ttls] ACK handshake fragment handler
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_verify returned 1
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_process returned 13
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns handled
Wed Jan 5 12:20:12 2011 : Info: } # server canopy
Sending Access-Challenge of id 0 to 66.242.65.10 port 28461
User-Name = "anonymous"
EAP-Message =
0x010403241580000007086c6c696e6f69733121301f060355040a13184d6f746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312230200603550403131943616e6f707920414141205365727665722044656d6f2043413133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d301e170d3031303130313030303030305a170d3439313233313233353935395a3081c0310b30090603550406130255533111300f06035504081308496c6c696e6f69733121301f060355040a
EAP-Message =
0x13184d6f746f726f6c6120536f6c7574696f6e732c20496e632e31223020060355040b131943616e6f707920576972656c6573732042726f616462616e64312230200603550403131943616e6f707920414141205365727665722044656d6f2043413133303106092a864886f70d0109011624746563686e6963616c2d737570706f72744063616e6f7079776972656c6573732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c0a0b87b37f1cab947267e48f511647106226ab3567a8c786eb048cd14d620a59af65c2efb8c7abd4438573a6984093cf44531efa8b5c776e2c8b88d1a2be829283d709a984b7e4ac9
EAP-Message =
0x1ea9fcf413b20379285b7ead840b68e0c586b5bf2ade8e8dc0d6822b31bcfaf9f15abc23d47991b99f8c7024ac0d3618cff88ea93e3ef10203010001a350304e300c0603551d13040530030101ff301d0603551d0e04160414eb8c22114d8cc6f0968ff7e23373b77b2eb56940301f0603551d23041830168014eb8c22114d8cc6f0968ff7e23373b77b2eb56940300d06092a864886f70d0101050500038181000360b68c65dde686acea14798fe0e4029fbda711f2045a40be3f76cd787312e9bcb022578026481262cc20b501ce55680dc88696e25d99d01d78f56d9f72473387c959208584dba1f7d29b2e9b2bca043d7454bc11d29cf395d9b15e
EAP-Message =
0x501c5d3f10d8f9089544be01959ef9c6bc226f2b4042cf2db63d06918ea3c735fa891cd316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x349732523693276465a22536fa36099e
Wed Jan 5 12:20:12 2011 : Info: Finished request 11.
Wed Jan 5 12:20:12 2011 : Debug: Going to the next request
Wed Jan 5 12:20:12 2011 : Debug: Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 66.242.65.10 port 28461,
id=0, length=301
Wed Jan 5 12:20:12 2011 : Info: Cleaning up request 11 ID 0 with timestamp +54
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! EAP session for state
0x3497325236932764 did not finish!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "anonymous"
State = 0x349732523693276465a22536fa36099e
NAS-IP-Address = 192.168.4.48
NAS-Port = 5
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1020
EAP-Message =
0x020400d01580000000c616030100861000008200806052251474e233df35b01e90a43892c2833489b2ac9d76b100f6c8a9c688586f7c4376c0ea704a68f593890d70beb86cca62eff2a3a00531bd58161c54db97dae680455d79d681d836da7d28dfd0c5f05ea7f16047526a173c7f336f1c4904313db71029a1a86df32ba82622bd7f4ffa9d1daa4b88cefce8adbaecb91d3639291403010001011603010030fc814716449d1366ced44cd691c760d23d77a919163b3e83226282d94e3bb860c2938036a236d260363f827a75e48337
Message-Authenticator = 0x180e7f18caa6a2932c7df9968425f0ac
Wed Jan 5 12:20:12 2011 : Info: server canopy {
Wed Jan 5 12:20:12 2011 : Info: # Executing section authorize from
file /etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authorize {...}
Wed Jan 5 12:20:12 2011 : Info: expand: %{User-Name} -> anonymous
Wed Jan 5 12:20:12 2011 : Info: ++[reply] returns notfound
Wed Jan 5 12:20:12 2011 : Info: ++[preprocess] returns ok
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP packet type response
id 4 length 208
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Continuing tunnel setup.
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns ok
Wed Jan 5 12:20:12 2011 : Info: Found Auth-Type = eap_canopy
Wed Jan 5 12:20:12 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authenticate {...}
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Request found, released
from the list
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP/ttls
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] processing type ttls
Wed Jan 5 12:20:12 2011 : Info: [ttls] Authenticate
Wed Jan 5 12:20:12 2011 : Info: [ttls] processing EAP-TLS
Wed Jan 5 12:20:12 2011 : Debug: TLS Length 198
Wed Jan 5 12:20:12 2011 : Info: [ttls] Length Included
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_verify returned 11
Wed Jan 5 12:20:12 2011 : Info: [ttls] <<< TLS 1.0 Handshake [length
0086], ClientKeyExchange
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 read
client key exchange A
Wed Jan 5 12:20:12 2011 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec
[length 0001]
Wed Jan 5 12:20:12 2011 : Info: [ttls] <<< TLS 1.0 Handshake [length
0010], Finished
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 read finished A
Wed Jan 5 12:20:12 2011 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec
[length 0001]
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 write
change cipher spec A
Wed Jan 5 12:20:12 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length
0010], Finished
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 write finished A
Wed Jan 5 12:20:12 2011 : Info: [ttls] TLS_accept: SSLv3 flush data
Wed Jan 5 12:20:12 2011 : Debug: SSL: adding session
56e4abbc8e95315b66f0618a78ce9a1ea6c20108ff0671f3835cc086cf080605 to
cache
Wed Jan 5 12:20:12 2011 : Info: [ttls] (other): SSL negotiation
finished successfully
Wed Jan 5 12:20:12 2011 : Debug: SSL Connection Established
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_process returned 13
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns handled
Wed Jan 5 12:20:12 2011 : Info: } # server canopy
Sending Access-Challenge of id 0 to 66.242.65.10 port 28461
User-Name = "anonymous"
EAP-Message =
0x0105004515800000003b14030100010116030100301424f225e78255e13ca118b19c0741d52c6605608b43cba7e33ec19ed7b362f2ad107a1297dd55d26f400cc6ad9d612e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x349732523792276465a22536fa36099e
Wed Jan 5 12:20:12 2011 : Info: Finished request 12.
Wed Jan 5 12:20:12 2011 : Debug: Going to the next request
Wed Jan 5 12:20:12 2011 : Debug: Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 66.242.65.10 port 28461,
id=0, length=252
Wed Jan 5 12:20:12 2011 : Info: Cleaning up request 12 ID 0 with timestamp +54
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! EAP session for state
0x3497325237922764 did not finish!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "anonymous"
State = 0x349732523792276465a22536fa36099e
NAS-IP-Address = 192.168.4.48
NAS-Port = 5
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1020
EAP-Message =
0x0205009f158000000095170301009027f7fc953ec398362d2865c00dff24abe16326d4babc2080ebd9ffadd2ff577c401300c3b1ad3e6707880f3b156afca840797dc17605c07e2a339f0a017bac5036b081d71a4aa0f0cc397c27135a224da1be245b7456c5b1e569b24386ca2e2cfedfba5041d26a882307f7dfcc8f8cf4628d0ca11cbba6dc574523077723829df80fb27b0935ec431c77d350f981ee4c
Message-Authenticator = 0x414201600d229c940acaa76321d47521
Wed Jan 5 12:20:12 2011 : Info: server canopy {
Wed Jan 5 12:20:12 2011 : Info: # Executing section authorize from
file /etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authorize {...}
Wed Jan 5 12:20:12 2011 : Info: expand: %{User-Name} -> anonymous
Wed Jan 5 12:20:12 2011 : Info: ++[reply] returns notfound
Wed Jan 5 12:20:12 2011 : Info: ++[preprocess] returns ok
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP packet type response
id 5 length 159
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Continuing tunnel setup.
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns ok
Wed Jan 5 12:20:12 2011 : Info: Found Auth-Type = eap_canopy
Wed Jan 5 12:20:12 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authenticate {...}
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Request found, released
from the list
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP/ttls
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] processing type ttls
Wed Jan 5 12:20:12 2011 : Info: [ttls] Authenticate
Wed Jan 5 12:20:12 2011 : Info: [ttls] processing EAP-TLS
Wed Jan 5 12:20:12 2011 : Debug: TLS Length 149
Wed Jan 5 12:20:12 2011 : Info: [ttls] Length Included
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_verify returned 11
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_process returned 7
Wed Jan 5 12:20:12 2011 : Info: [ttls] Session established.
Proceeding to decode tunneled attributes.
Wed Jan 5 12:20:12 2011 : Info: [ttls] Got tunneled request
User-Name = "0a-00-3e-90-ff-93"
MS-CHAP-Challenge = 0x55d8506d7436ba417bfaa01c8b21a04e
MS-CHAP2-Response =
0xdd00c29e28c10e95bc0d708eed268ed9c633000000000000000006ce1ccccaa7956d849fd0aab90379270368a733b58f443b
FreeRADIUS-Proxied-To = 127.0.0.1
Wed Jan 5 12:20:12 2011 : Info: [ttls] Sending tunneled request
User-Name = "0a-00-3e-90-ff-93"
MS-CHAP-Challenge = 0x55d8506d7436ba417bfaa01c8b21a04e
MS-CHAP2-Response =
0xdd00c29e28c10e95bc0d708eed268ed9c633000000000000000006ce1ccccaa7956d849fd0aab90379270368a733b58f443b
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-IP-Address = 192.168.4.48
NAS-Port = 5
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1020
server inner-tunnel {
Wed Jan 5 12:20:12 2011 : Info: # Executing section authorize from
file /etc/raddb/sites-enabled/inner-tunnel
Wed Jan 5 12:20:12 2011 : Info: +- entering group authorize {...}
Wed Jan 5 12:20:12 2011 : Info: ++[chap] returns noop
Wed Jan 5 12:20:12 2011 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type = mschap'
Wed Jan 5 12:20:12 2011 : Info: ++[mschap] returns ok
Wed Jan 5 12:20:12 2011 : Info: [suffix] No '@' in User-Name =
"0a-00-3e-90-ff-93", looking up realm NULL
Wed Jan 5 12:20:12 2011 : Info: [suffix] No such realm "NULL"
Wed Jan 5 12:20:12 2011 : Info: ++[suffix] returns noop
Wed Jan 5 12:20:12 2011 : Info: ++[control] returns noop
Wed Jan 5 12:20:12 2011 : Info: [eap] No EAP-Message, not doing EAP
Wed Jan 5 12:20:12 2011 : Info: ++[eap] returns noop
Wed Jan 5 12:20:12 2011 : Info: ++- entering policy redundant {...}
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand:
%{Stripped-User-Name} ->
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] ... expanding second conditional
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: %{User-Name}
-> 0a-00-3e-90-ff-93
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand:
%{%{User-Name}:-DEFAULT} -> 0a-00-3e-90-ff-93
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand:
%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
0a-00-3e-90-ff-93
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] sql_set_user escaped user
--> '0a-00-3e-90-ff-93'
Wed Jan 5 12:20:12 2011 : Debug: rlm_sql (sqlmain): Reserving sql socket id: 10
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: SELECT id,
username, attribute, value, op FROM radcheck WHERE
username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT
id, username, attribute, value, op FROM radcheck
WHERE username = BINARY '0a-00-3e-90-ff-93' ORDER BY id
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] User found in radcheck table
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: SELECT id,
username, attribute, value, op FROM radreply WHERE
username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT
id, username, attribute, value, op FROM radreply
WHERE username = BINARY '0a-00-3e-90-ff-93' ORDER BY id
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: SELECT
groupname FROM radusergroup WHERE username =
BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
BINARY '0a-00-3e-90-ff-93' ORDER BY priority
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: SELECT id,
groupname, attribute, Value, op FROM radgroupcheck
WHERE groupname = '%{Sql-Group}' ORDER BY id ->
SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'Canopy_SM' ORDER
BY id
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] User found in group Canopy_SM
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: SELECT id,
groupname, attribute, value, op FROM radgroupreply
WHERE groupname = '%{Sql-Group}' ORDER BY id ->
SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'Canopy_SM' ORDER
BY id
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: SELECT id,
groupname, attribute, Value, op FROM radgroupcheck
WHERE groupname = '%{Sql-Group}' ORDER BY id ->
SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'Canopy_Res1536'
ORDER BY id
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] User found in group Canopy_Res1536
Wed Jan 5 12:20:12 2011 : Info: [sqlmain] expand: SELECT id,
groupname, attribute, value, op FROM radgroupreply
WHERE groupname = '%{Sql-Group}' ORDER BY id ->
SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'Canopy_Res1536'
ORDER BY id
Wed Jan 5 12:20:12 2011 : Debug: rlm_sql (sqlmain): Released sql socket id: 10
Wed Jan 5 12:20:12 2011 : Info: +++[sqlmain] returns ok
Wed Jan 5 12:20:12 2011 : Info: ++- policy redundant returns ok
Wed Jan 5 12:20:12 2011 : Info: ++[expiration] returns noop
Wed Jan 5 12:20:12 2011 : Info: ++[logintime] returns noop
Wed Jan 5 12:20:12 2011 : Info: [pap] WARNING: Auth-Type already set.
Not setting to PAP
Wed Jan 5 12:20:12 2011 : Info: ++[pap] returns noop
Wed Jan 5 12:20:12 2011 : Info: Found Auth-Type = MSCHAP
Wed Jan 5 12:20:12 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
Wed Jan 5 12:20:12 2011 : Info: +- entering group MS-CHAP {...}
Wed Jan 5 12:20:12 2011 : Info: [mschap] Creating challenge hash with
username: 0a-00-3e-90-ff-93
Wed Jan 5 12:20:12 2011 : Info: [mschap] Told to do MS-CHAPv2 for
0a-00-3e-90-ff-93 with NT-Password
Wed Jan 5 12:20:12 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Wed Jan 5 12:20:12 2011 : Info: ++[mschap] returns ok
Wed Jan 5 12:20:12 2011 : Auth: Login OK: [0a-00-3e-90-ff-93] (from
client MTC WAN port 5 via TLS tunnel)
Wed Jan 5 12:20:12 2011 : Info: WARNING: Empty post-auth section.
Using default return values.
Wed Jan 5 12:20:12 2011 : Info: # Executing section post-auth from
file /etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
Wed Jan 5 12:20:12 2011 : Info: [ttls] Got tunneled reply code 2
Motorola-Canopy-VLLEARNEN = Enable
Motorola-Canopy-VLFRAMES = All
Motorola-Canopy-VLAGETO = 1440
Motorola-Canopy-VLSMMGPASS = Enable
Motorola-Canopy-BCASTMIR = 200
Motorola-Canopy-HPENABLE = Disable
Motorola-Canopy-ULBR = 512
Motorola-Canopy-ULBL = 1024
Motorola-Canopy-DLBR = 1536
Motorola-Canopy-DLBL = 3072
MS-CHAP2-Success =
0xdd533d35413832393633423538373533334437443036333545454243353939443343384237424435434344
MS-MPPE-Recv-Key = 0xbeb5c2f487f5d04afdd79d7a34333156
MS-MPPE-Send-Key = 0x654709eb0ed4833cfba23373b26ec90d
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Wed Jan 5 12:20:12 2011 : Info: [ttls] Got tunneled Access-Accept
Wed Jan 5 12:20:12 2011 : Info: [ttls] Got MS-CHAP2-Success,
tunneling it to the client in a challenge.
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns handled
Wed Jan 5 12:20:12 2011 : Info: } # server canopy
Sending Access-Challenge of id 0 to 66.242.65.10 port 28461
User-Name = "anonymous"
EAP-Message =
0x0106005f1580000000551703010050e31a54aa3f505e5dbd650217d16a5934079d8429ae74d54eaf4f71737d6738e4e87adfd2cdec2d815c71ccac52ac3b8fad73bcf6f6c17ac8e2ba97b734c77a285c4a15322756d40f6b294c001d5bf285
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x349732523091276465a22536fa36099e
Wed Jan 5 12:20:12 2011 : Info: Finished request 13.
Wed Jan 5 12:20:12 2011 : Debug: Going to the next request
Wed Jan 5 12:20:12 2011 : Debug: Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 66.242.65.10 port 28461,
id=0, length=99
Wed Jan 5 12:20:12 2011 : Info: Cleaning up request 13 ID 0 with timestamp +54
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! EAP session for state
0x3497325230912764 did not finish!
Wed Jan 5 12:20:12 2011 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Wed Jan 5 12:20:12 2011 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "anonymous"
State = 0x349732523091276465a22536fa36099e
NAS-IP-Address = 192.168.4.48
NAS-Port = 5
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1020
EAP-Message = 0x020600061500
Message-Authenticator = 0xf0f5a88ff1fa628b41a033a2ece3f5d2
Wed Jan 5 12:20:12 2011 : Info: server canopy {
Wed Jan 5 12:20:12 2011 : Info: # Executing section authorize from
file /etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authorize {...}
Wed Jan 5 12:20:12 2011 : Info: expand: %{User-Name} -> anonymous
Wed Jan 5 12:20:12 2011 : Info: ++[reply] returns notfound
Wed Jan 5 12:20:12 2011 : Info: ++[preprocess] returns ok
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP packet type response
id 6 length 6
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Continuing tunnel setup.
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns ok
Wed Jan 5 12:20:12 2011 : Info: Found Auth-Type = eap_canopy
Wed Jan 5 12:20:12 2011 : Info: # Executing group from file
/etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: +- entering group authenticate {...}
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Request found, released
from the list
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] EAP/ttls
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] processing type ttls
Wed Jan 5 12:20:12 2011 : Info: [ttls] Authenticate
Wed Jan 5 12:20:12 2011 : Info: [ttls] processing EAP-TLS
Wed Jan 5 12:20:12 2011 : Info: [ttls] Received TLS ACK
Wed Jan 5 12:20:12 2011 : Info: [ttls] ACK handshake is finished
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_verify returned 3
Wed Jan 5 12:20:12 2011 : Info: [ttls] eaptls_process returned 3
Wed Jan 5 12:20:12 2011 : Info: [ttls] Using saved attributes from
the original Access-Accept
Motorola-Canopy-VLLEARNEN = Enable
Motorola-Canopy-VLFRAMES = All
Motorola-Canopy-VLAGETO = 1440
Motorola-Canopy-VLSMMGPASS = Enable
Motorola-Canopy-BCASTMIR = 200
Motorola-Canopy-HPENABLE = Disable
Motorola-Canopy-ULBR = 512
Motorola-Canopy-ULBL = 1024
Motorola-Canopy-DLBR = 1536
Motorola-Canopy-DLBL = 3072
Wed Jan 5 12:20:12 2011 : Info: [ttls] Saving response in the cache
Wed Jan 5 12:20:12 2011 : Info: [eap_canopy] Freeing handler
Wed Jan 5 12:20:12 2011 : Info: ++[eap_canopy] returns ok
Wed Jan 5 12:20:12 2011 : Auth: Login OK: [anonymous] (from client
MTC WAN port 5)
Wed Jan 5 12:20:12 2011 : Info: WARNING: Empty post-auth section.
Using default return values.
Wed Jan 5 12:20:12 2011 : Info: # Executing section post-auth from
file /etc/raddb/sites-enabled/canopy
Wed Jan 5 12:20:12 2011 : Info: } # server canopy
Sending Access-Accept of id 0 to 66.242.65.10 port 28461
User-Name = "anonymous"
Motorola-Canopy-VLLEARNEN = Enable
Motorola-Canopy-VLFRAMES = All
Motorola-Canopy-VLAGETO = 1440
Motorola-Canopy-VLSMMGPASS = Enable
Motorola-Canopy-BCASTMIR = 200
Motorola-Canopy-HPENABLE = Disable
Motorola-Canopy-ULBR = 512
Motorola-Canopy-ULBL = 1024
Motorola-Canopy-DLBR = 1536
Motorola-Canopy-DLBL = 3072
MS-MPPE-Recv-Key =
0xdd9e15596bfac7dd8c66fd557f61357419e77e8ecccac8e9f6a3355d982ce8ab
MS-MPPE-Send-Key =
0x8d0293fbc4e5971e8b045d16916a67d912a1f68872c049d85794c76c4e523259
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
Wed Jan 5 12:20:12 2011 : Info: Finished request 14.
Wed Jan 5 12:20:12 2011 : Debug: Going to the next request
Wed Jan 5 12:20:12 2011 : Debug: Waking up in 2.9 seconds.
Wed Jan 5 12:20:15 2011 : Info: Cleaning up request 14 ID 0 with timestamp +54
Wed Jan 5 12:20:15 2011 : Info: Ready to process requests.
Compared to a different string of requests generated using
wpa_supplicant the id is obviously incremented (skipping the first
five packets):
rad_recv: Access-Request packet from host 172.17.0.138 port 55717,
id=6, length=316
User-Name = "anonymous(a)wisper-wireless.com"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
Connect-Info = "CONNECT 11Mbps 802.11b"
NAS-Port-Type = Wireless-802.16
Service-Type = Framed-User
EAP-Message =
0x020600a0150017030100203de4af49c951500431261fcd0f815bd5a18f05d0549a0ce4af46b54f2b0d59fd17030100708c00bea3cc199c88da3b652504a95d94b52bc4ee1fda8b284bfa8d5eefc11dc66b33dd975c9faf53b1300d96b900e17558935821f276bca430f73605d2c75d3982f50eaf7e26e1b3fa81faef891962505583b278adf9f6de430f4c81e084ed55575b8c38dd655187d8319b15050b17f3
State = 0xdf91ccf8da97d9cc64d8d4a9a5b4db83
Message-Authenticator = 0x55b6786727aeeca2723a076f66fb9a9f
3
4
Hi list,
we have a freeradius server with enabled tls and an own CA. We prove the validity of the cert issuer like it is aoutlined in the example below.
check_cert_issuer = "/C=DE/ST=somewhere/L=someplace/O=AnyCompany"
No we want to change our CA and want to use two CAs for a couple of weeks. Is it possible to configure that?
Thanks
Stephan
3
2
Thanks to a lot of work by Phil Mayers, the server now has support for
Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
The code is in the "v2.1.x" branch, and in the "stable" branch. It
will be in 2.1.11, and all later versions of the server.
The documentation is in doc/SoH.txt, and in raddb/sites-available/soh.
The EAP configuration in eap.conf can also be updated to enable SoH on
the server side.
See http://git.freeradius.org/ for information on git.
Alan DeKok.
5
22
Hi,
I installed freeradius2-2.1.7-7.el5.x86_64 and set it up for MAC_auth as
explained in this freeradius wiki page <http://wiki.freeradius.org/Mac-Auth>
But its not working. I am attaching the output of radiusd -X, and the
policy.conf files
I went through the output myself, I notice these:
a) it has not executed "rewrite_calling_station", going by the mac
format in the debug output.
b) The wifi client has a window which prompts for username/password
(not expected in simple mac_auth)
Can someone point out what mistake I am doing?
Thanks a lot.
Nagaraj
--
+----------------------------------+--------------------------------------+
Nagaraj Panyam | Office tel: +91-22-22782126
Dept of High Energy Physics | Office fax: +91-22-22804610
Tata Instt. of Fundamental Research| Home tel : +91-22-22804936
Mumbai - 400 005, INDIA | **Email** : pn(a)tifr.res.in
+----------------------------------+--------------------------------------+
ad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=57, length=185
User-Name = "TEST\\test-1804"
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200001301544553545c746573742d31383034
Message-Authenticator = 0x8012a54d51c5aa3c6a6a96aa75aa18cd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 57 to xx.xx.xx.xx port 3072
EAP-Message = 0x010100160410bcac0552383c8987ceeedb8259d7512e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1c30f25f1c20b7f17369eba55349056
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=58, length=184
User-Name = "TEST\\test-1804"
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0xf1c30f25f1c20b7f17369eba55349056
Message-Authenticator = 0x9a186d278c1f81fb746473363ed32079
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 58 to xx.xx.xx.xx port 3072
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1c30f25f0c1167f17369eba55349056
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=59, length=308
User-Name = "TEST\\test-1804"
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0202008219800000007816030100730100006f03014d2465745b05fc2eeed27aa497d088ce5d8db0996b6a4a9486280ddf78927653000018002f00350005000ac009c00ac013c01400320038001300040100002e00000013001100000e746573745c746573742d31383034000a00080006001700180019000b00020100ff01000100
State = 0xf1c30f25f0c1167f17369eba55349056
Message-Authenticator = 0xc79d3a7230dc27da64618790895b12f4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 130
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 120
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0073], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 59 to xx.xx.xx.xx port 3072
EAP-Message = 0x0103040019c0000008a216030100310200002d03014d24658e440cdb90c5cf5817264cd7a51def1ffe8a170d51d4916929ded259cf00002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
EAP-Message = 0x74686f72697479301e170d3131303130333131343735385a170d3132303130333131343735385a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e9ce0d20797f9d5a1d956453494dc3093fd6e4a816c41e0f287b56ac6000101537f12d02201a3a31a9e50dd8ed5f99a0d914e3389fca43
EAP-Message = 0x4ab5fa7821da3d5bc3492570e61024827d03917ab768326078804225ab57136d89997c5746ac5441671265cfe93ad9d36b72351d39f88b879b164502b5f20fd66efd76dec45e7d77597c25266ffc1d10ff38aa4c8e2de86e0d114183c4833e02f39e003d001b9a1921c7e61b3d6f6063237aca41a18e6a9bbdcd268685df6d66c1d644474a3be69e3a771554e6caceb9f9a930b9375a970ace830edf4b21baaccf669a462b18f2cb108dbeb6849ec0d6582cdded75442a6532f18a8ccf5066fa1c90394aeded6d1e590203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009985
EAP-Message = 0x10e2b6a56e12676ab2c5cd1621418113f71ab254589459d5f509782e85c692446a86a0fac92cc5b60613e165251fc20bbe76c2cb969f934c4be73577fc59b9a3a639b2ba7f05712c1c07c4fd5b89358b2475002bb87fc880dd7239aa3bd46984338818ec7290c30ed5046b986c56f412602492b508550a5eaa12a437988f609701a051d12ba2ec9507cfe6f58f44f0167054d21f7971af197bf3145dded0906a85c58db37364565caf20d110893a26a9908a1008aff0fba755e5812d73731e7de519949d80f37e02024b1eeb2b557d91e2443462f1d716122a82089a282de906089eacaece3013ee68ed21175b263a80a2febe033d2e86fa626a819a45
EAP-Message = 0xf60004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1c30f25f3c0167f17369eba55349056
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=60, length=184
User-Name = "TEST\\test-1804"
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0xf1c30f25f3c0167f17369eba55349056
Message-Authenticator = 0x261da0e043b9bfb64e89e09348b83a45
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 60 to xx.xx.xx.xx port 3072
EAP-Message = 0x010403fc1940a003020102020900b703e3654b392aed300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303130333131343735385a170d3132303130333131343735385a308193310b3009060355040613024652310f300d0603550408130652616469757331
EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c5f36f8fe6bc13068e2daaadac4acac248ce11a0d13c5cab7b8b7dbd8084681e4cb9a9d3145b4e43b6462d71d4426a0aeaa641a0f9a5662cd522d345d87e3ab405c91692c2b5d4613c828191acc54b3e6e2421603eef58c716b2801eef3b79ad38943efab044f9ef
EAP-Message = 0x6952c7b635961ed24273e357186d1070ff869f5747993caa0e7bf944f3c4e88e64c411fe3f60bb35b835a931d851cecea15e05d06b46b9f581aaed78e88392fb4cf9fec4f75e03384bc4af1e345dc82339a0fc7cd2f6047def8e61a0cd4e2d8206aa708cb5f6ab123f5e41735cd97fe41b8a49960c7597ed51066249e4e88bd910fc9385f828568573edada97b2fff45a57671f476c7992b0203010001a381fb3081f8301d0603551d0e041604145209f0d910b833d8c2bf21013979a67fbcc16c093081c80603551d230481c03081bd80145209f0d910b833d8c2bf21013979a67fbcc16c09a18199a48196308193310b300906035504061302465231
EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900b703e3654b392aed300c0603551d13040530030101ff300d06092a864886f70d010105050003820101001837a0d066840811146ee1438a22673ee350f09c19e284ff5da1e1725b8019bb089f4eac597f0381be89dfccfb98375c86128b2833bfe61122d3c8530da1d3fe8efe2cf6164c2560eda60d
EAP-Message = 0x93a5a16694df2a56
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1c30f25f2c7167f17369eba55349056
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=61, length=184
User-Name = "TEST\\test-1804"
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0xf1c30f25f2c7167f17369eba55349056
Message-Authenticator = 0x47f450d8911252a7359fb4aca48d6de0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 61 to xx.xx.xx.xx port 3072
EAP-Message = 0x010500bc1900adf270039788633910428185442e7440ff8ee7c3c78d36f887e5137eeb0e7c3656e0c266b7fdbf30222d944164df65826d7ff08636f9272aa22ffe9123ead878173bb5b40938fc6600ea8c4a907a469a9542ae8aaedcf93a6a69edac75135e899d231022c6656be3091333a11e31943a7e306170683a98a2f3fd51f109e31d9b7706eca3748f7707d09d0e9b52d254ca8d86d1aacacd188fd789a6a5dba4f1fbde15f7d0063786469fce43fae316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1c30f25f5c6167f17369eba55349056
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xx.xx.xx.xx port 3072, id=62, length=184
User-Name = "TEST\\test-1804"
NAS-IP-Address = xx.xx.xx.xx
NAS-Port = 0
Called-Station-Id = "001f1fd74ce9"
Calling-Station-Id = "001a734337c9"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061900
State = 0xf1c30f25f5c6167f17369eba55349056
Message-Authenticator = 0xd8967a29a74719843bd5e7b6a8640645
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "TEST\test-1804", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 62 to xx.xx.xx.xx port 3072
EAP-Message = 0x010600061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1c30f25f4c5167f17369eba55349056
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 57 with timestamp +39
Cleaning up request 1 ID 58 with timestamp +39
Cleaning up request 2 ID 59 with timestamp +39
Cleaning up request 3 ID 60 with timestamp +39
Cleaning up request 4 ID 61 with timestamp +39
Cleaning up request 5 ID 62 with timestamp +39
Ready to process requests.
# -*- text -*-
##
## policy.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id$
##
#
# Policies are virtual modules, similar to those defined in the
# "instantate" section of radiusd.conf.
#
# Defining a policy here means that it can be referenced in multiple
# places as a *name*, rather than as a series of conditions to match,
# and actions to take.
#
# Policies are something like subroutines in a normal language, but
# they cannot be called recursively. They MUST be defined in order.
# If policy A calls policy B, then B MUST be defined before A.
#
policy {
#
# Forbid all EAP types.
#
forbid_eap {
if (EAP-Message) {
reject
}
}
#
# Forbid all non-EAP types outside of an EAP tunnel.
#
permit_only_eap {
if (!EAP-Message) {
# We MAY be inside of a TTLS tunnel.
# PEAP and EAP-FAST require EAP inside of
# the tunnel, so this check is OK.
# If so, then there MUST be an outer EAP message.
if (!"%{outer.request:EAP-Message}") {
reject
}
}
}
#
# Forbid all attempts to login via realms.
#
deny_realms {
if (User-Name =~ /@|\\/) {
reject
}
}
#
# If you want the server to pretend that it is dead,
# then use the "do_not_respond" policy.
#
do_not_respond {
update control {
Response-Packet-Type := Do-Not-Respond
}
handled
}
#
# The following policies are for the Chargeable-User-Identity
# (CUI) configuration.
#
#
# The client indicates it can do CUI by sending a CUI attribute
# containing one zero byte
#
cui_authorize {
update request {
Chargeable-User-Identity:='\\000'
}
}
#
# Add a CUI attribute based on the User-Name, and a secret key
# known only to this server.
#
cui_postauth {
if (FreeRadius-Proxied-To == 127.0.0.1) {
if (outer.request:Chargeable-User-Identity) {
update outer.reply {
Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
else {
if (Chargeable-User-Identity) {
update reply {
Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
}
}
}
}
#
# If there is a CUI attribute in the reply, add it to the DB.
#
cui_updatedb {
if (reply:Chargeable-User-Identity) {
cui
}
}
#
# Rewrite called station id attribute into a standard format.
#
rewrite_calling_station_id {
if(request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request {
Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
}
}
else {
noop
}
}
#
# If we had stored a CUI for the User, add it to the request.
#
cui_accounting {
#
# If the CUI isn't in the packet, see if we can find it
# in the DB.
#
if (!Chargeable-User-Identity) {
update control {
Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
}
}
#
# If it exists now, then write out when we last saw
# this CUI.
#
if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
cui
}
}
}
1
0
Hi,
I had a working FreeRadius 1.1.6 installation and running XP Pro SP3
with EAP/TLS on an Ethernet-Port. I use Linksys switches as
authenticators. I think since end December (after I went into the xmas
holidays) the Radius-Auth stopped working. I changed nothing at the
Freeradius-Server. I suspect an MS-Update, major-security updates are
rolled out automatically here. But I don't know which one.
I made a debug with radiusd -X -A. The conversation looks normal, but at
the end, I miss the "Login OK" Statement, it looks like the conversation
is not finished and falls asleep. I don't see an error. Can anyone look
over it please to give me a hint, where to look?
TIA
Alex
Debug:
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=101
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
EAP-Message = 0x0217001701686f73742f6866732d3038303830362d3032
Message-Authenticator = 0xcd421dbdb5fcc2e7692fe75fcbfd5892
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_eap: EAP packet type response id 23 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message = 0x011800060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x793054942f9417f5a0886c08dd4a0e4e
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=183
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0x793054942f9417f5a0886c08dd4a0e4e
EAP-Message =
0x021800570d800000004d16030100480100004403014d219685836869e950cfbb8e7ae7a18a95c8871d059171695d24fd163d12cec600001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0x714b3ff58781c8329f0cebcbf99bc3e2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_eap: EAP packet type response id 24 length 87
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0048], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ed5], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x0119040a0dc000000feb160301004a0200004603014d2195c9e75e9057262ca89fcdd70206a44718c85887fd8a1ee0267568b1cee120013b9c1ff336b6d8838eeb017dbf377c9c69f6e387eeda5ee9daedd8336849600004001603010ed50b000ed1000ece00075c3082075830820540a003020102020162300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543
EAP-Message =
0x656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3037303831333038333434385a170d3132303831313038333434385a308189310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312730250603550403131e7261646975732e76657277616c74756e672e6b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082
EAP-Message =
0x020a02820201009d061598c850223454cb70a58cae0a1ac2db0b6a963d25c96c632b1eb2a9177e3e8a066fa9c3596c4a1b035def3b6c589a12209a6d7ab7aa4144de890803c34cb5239cdb3b7266426049d475ed3e354fe494dee46a17e7478065c7332f6ac621d9b754d46812dc4ffda7a39bf33987fbe6951a591aee791c9468cc70f5a821683640675bafea24fe5291d6750c30a1b0a4c52cbeb6a18ce514038432f3dc83ce12657de67976dff9a7643b7ad340240e5e69385355b64d3e77f4bb0dfbc8fd63258a308c2a6e82f9c0c92e7e4ccadf848cc3bb57d592dcf46930c794fa0b338c9db103b9a7162352ff8cac3b680d64ec0b865bf74778
EAP-Message =
0x839cd1530d79ba553a2bd9ffb112534cd758bb3b3dba26037ed1c158089af8903e9f5b684061ddd413fb192cfc5024c03b177184101d68bc7111ccdcb6bee8c98d1642bbc547e8211dab2fd5d45488da089a17edaa9b4dd4357d4adcb0e33553210a5ad0e84edc9f9a769297649672d5f78e2f3687e99c411abea88e0363fe1afb7dcf05a8838ef07cec88337f903a94a6207893b5e9ff80441a12b6847ff008eb8c257878f6711a8f8c053315d4ae87b36661cdee73a3cbaca92d14f480804c7476d36665c417db9c954795423ca49de599eb3ed3a6cc55f03bad529359b0a55e5bffa9cf65b3034d48c263c491b24ad9f9f74b6ea9cea17710efc22b
EAP-Message = 0xc0d77f58b0a5d3589ab19f13f90203010001a38201a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdd9f396cf15641e0754754ce9e335224
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=102
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0xdd9f396cf15641e0754754ce9e335224
EAP-Message = 0x021900060d00
Message-Authenticator = 0x575c7e249430d63e09b6143649ca5d05
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_eap: EAP packet type response id 25 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 8
modcall: leaving group authenticate (returns handled) for request 8
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x011a040a0dc000000feb308201a230090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e0416041442a94a9f048871b178d41a5d00a5668e78c045ff3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543
EAP-Message =
0x656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301d0603551d1104163014811273632d6974406b682d6265726c696e2e646530160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d0101050500038202010027ddc002c4835bb38b2152a1b93fc65419a91436bcd3e9e4f37b0eaf35498333305a12229d454d797f8cd3e678f0e73467237638ddec
EAP-Message =
0x79c4e1f00fc72f18d51dc7658843c2855f5dcb3cc13b10730a5d9f99992e4924d9e28e1f7d12d285d815c734f8c63815124e5cc49d15777d233f7e3b1133c0773d3703e10a70203dc3557185bf629d1d2482d548d3b56f6ca28b7555b971c00899395a5c23a1378f495acbfe162b6929e63bd5c3bb20bb4268d9269235451378e34fde7df5a9392595a3d8c8d889e90a7dc934dce6d61b5cdec3f6652de92ba8786f4a0dffb00a0306873ecd695681eef4ec7cd5861dace26b6504f1ad1899f199ce4a121a3a37197ffe8145e4aee40b6a3fd627088908db8650557b984d447f3c65a6a697672bd242e260493073ee5532d2f4e3c6907332808995a54f
EAP-Message =
0xa0c690bd3bdc09c2872280185e5a1e4b999241374ceaf16233fd91b124a65652bfd76cdc0735a06c4fb0197a919ad53d4f2953194e5c8def3884a10e95905dbe338dd2fdb9b997114a023866731016ed5195940ff9f8b1c85994c3fc52e6226d93e8bdebefed24376bae1c923813ea1b7c1d8bc5547a82258696ee03b2ee3b03bff43f28bd340219aaa58bfd28d6767c54269fe907b196157db92c807c693e3f01c81af0145b66af36ae839b4d8add58891ee3a64428c285942cc38c151b113084e252c094f196ab2927078fd100076c3082076830820550a003020102020900890d6f61ac0ce005300d06092a864886f70d01010505003081aa310b30
EAP-Message = 0x09060355040613024445310f300d0603550408130642
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x805e028e859aa0f88cfd562748aaba95
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=102
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0x805e028e859aa0f88cfd562748aaba95
EAP-Message = 0x021a00060d00
Message-Authenticator = 0xb2e0f50abf1596f8862ed87864157eda
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_eap: EAP packet type response id 26 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 9
modcall: leaving group authenticate (returns handled) for request 9
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x011b040a0dc000000feb65726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3035303930353038303532355a170d3135303930333038303532355a3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048
EAP-Message =
0x664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100c4e58d7b46104aaed067a7f4e2c0bce5fd30388b52102731e8ae991947c14547ca41753f07ee2f50c4374b00950c83165fce3e38cdf4b4749dce3641ce01e450a7f1e53de6997ac4a19b93cc212b2cfb5425c7b1421b89951478dadba32ce7c00421c9791d1af1b38e9ce04141c724d866
EAP-Message =
0xfb11c06bd13a626f830825d002beccae484fcaa3840fdab94afdd1e454155451678ecb4ae36c1628afce08a8622736e5f29360512174ffa60a3a713794d781efa85d83c6df6cc78262910cb757c515450569cd668cdb29a709e3f8d52dde54c69e2b84b0be385347948e360e4095499957b42d0a918cbc647a2377c0c26e0925f386d520f0bc2f25b206a93075e9382d590f4724352edc61a0e497dece898c31ca22c4320d02b55bb519c90f228fcbd6f1d72057245e35a3170a354b207ef1f2a61585256e493bff8b363075452e21cbb5cb26167d8d1201c41911569768a99eea5cff0fb0458e5615e42e8aec5417f2493f5b81cf7b9cdb4ad1995c0c
EAP-Message =
0x8bced370d073ee8eefb21f833372027c4fcb84c23c73d1b44df6f5ca34e0d9f674900f9ddf1340179016868a3697a807624dd8f0ff7aea8460241df0a8a74eb8b0151171395155db1fd0b87be63c7047fda731126880bf2228332a38f11ac024cb944d68ce72da5f43d73609e82f92486f4eaad235b104ae3c93061600b3a54e895841eac966309ad0c18cccf17453210f450203010001a382018d30820189301d0603551d0e04160414b939b6ce8a52912eaece162418b1f4d8303d042e3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d06
EAP-Message = 0x0355040813064265726c696e310f300d060355040713
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb6b3d2f0a12aec39a8b4f8e2aec32085
Finished request 9
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=102
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0xb6b3d2f0a12aec39a8b4f8e2aec32085
EAP-Message = 0x021b00060d00
Message-Authenticator = 0xf2d26dcc1e1b911c078c3a416ea3c8a1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_eap: EAP packet type response id 27 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 10
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 10
modcall: leaving group authorize (returns updated) for request 10
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 10
modcall: leaving group authenticate (returns handled) for request 10
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x011c03f50d8000000feb064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005300f0603551d130101ff040530030101ff301106096086480186f842010104040302010630090603551d1204023000302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d11041630
EAP-Message =
0x14811273632d6974406b682d6265726c696e2e6465300b0603551d0f040403020106300d06092a864886f70d0101050500038202010060f0ab4236cda26ba7ceaedfd61052c52b73e1e028ffe29171395f9074e4beee7eab73afc427c17cd0f37e96c7af6eda553a92b2b426f723c283c8ea027f3ab17c93d1ffa7c8a29fedbc83f11f8731a140393c56aceffae318f7ebbca367fed9280513ce2cfad1257c59f056e3898e928f968baa6c3cc094ca50b9072674b8fa43ab0e31c4a7a54eb8f96ad4d275011a449807c3abe4865d8f837ee4d8db0c081af218c00a878d4c7e30268282034b35a666b8295eb53ee41bcda9345a7d48fdb7dc306180df06
EAP-Message =
0xec546e826d73d7dd62bf449c6eb948aa85c808893b308a32636cb151b044b839fc382f8623863d7ac78b7bf3e0f2c1ac4c8a69b9184e58733d966120ce334ab7212f23b85a8e8d5b2ada0f4cc7cb981fafd3585c398b351a06870271c71e537b4010a7d2914151b076a5f4094d1ab64e46a93dbba7456fa75be4006a172f6824219fad1b4c95322c6b9a1703515545ebbdae485fa994ac81fb8d308cdb58038d6c95c15d29f0a317e03877225eebe3647f28dc2361d7fb1894231e475805ec5e95ab5a37c96c70b000695caee3562f474af69b11fc67ccf54e9f0f1d1adc2c9038d56a9fa3454320444843fe38e00de285cb9120b24416fa909c259b52
EAP-Message =
0xd069e64d0d9faa37c336f8bd3a8128a8f5e244029a5ded25e10bfc551dc08730e133a4e4b744cf3d8c038d38b1692c1d4876f92d109efcf136355c2216030100bd0d0000b50301020500af00ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e64650e0000
EAP-Message = 0x00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e1a3a059b60b96d74ce260c86a0c5
Finished request 10
Going to the next request
Waking up in 6 seconds...
5
9
Hi,
I am running freeradius (2.1.8) with rlm_perl (5.10.1, USE_ITHREADS) on a
Debian-Lenny system.
The problem is radius fails with segfault – periodically and intermittently.
I have no way to reliably reproduce the problem – it happens only in
production, and it is impossible to reliably predict when or backtrace why.
It seems that I am running into some kind of memory allocation error.
Coredump type #3 (see below) is the most "popular" one; coredumps with
backtrace going into perl seem to be rather random (it fails in different
parts of libperl.so) - again, see below.
I understand that freeradius has a newer version available - but I am
hesitant to upgrade a production server without a very good reason. And I
could not find such reason for an upgrade after reading the CHANGELOG for
2.1.10. But maybe I am wrong?
Any ideas?
Thank you!
PS:
bt for coredump #1:
#0 0xb47d1ab6 in mysql_st_execute (sth=0xaf13a1a8, imp_sth=0xadf537a8) at
dbdimp.c:3209
#1 0xb47da215 in XS_DBD__mysql__st_execute (my_perl=0xb831a08,
cv=0xb1e16858) at mysql.xsi:588
#2 0xb70740ab in XS_DBI_dispatch () from
/opt/server/lib/perl5/i686-linux-thread-multi/auto/DBI/DBI.so
#3 0xb76a841e in Perl_pp_entersub () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#4 0xb76a6841 in Perl_runops_standard () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#5 0xb7641500 in Perl_call_sv () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#6 0xb7642284 in Perl_call_pv () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#7 0xb72026ad in rlmperl_call () from /opt/server/radius/lib/rlm_perl.so
#8 0x08063524 in modcall ()
#9 0x0805ffe7 in indexed_modcall ()
#10 0x080602fc in module_accounting ()
#11 0x0804e9d1 in rad_accounting ()
#12 0x0806df65 in radius_handle_request ()
#13 0x080661d0 in request_handler_thread ()
#14 0xb759c4c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#15 0xb734384e in clone () from /lib/i686/cmov/libc.so.6
bt for coredump #2:
#0 0xb7690c80 in Perl_pad_undef () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#1 0xb764db67 in Perl_cv_undef () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#2 0xb76dcf5a in Perl_sv_clear () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#3 0xb76dd288 in Perl_sv_free2 () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#4 0xb76dd391 in Perl_sv_free () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#5 0xb76dcd57 in Perl_sv_clear () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#6 0xb76dd288 in Perl_sv_free2 () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#7 0xb70af022 in XS_Sys__Syslog_closelog_xs () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/auto/Sys/Syslog/Syslog.so
#8 0xb76c941e in Perl_pp_entersub () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#9 0xb76c7841 in Perl_runops_standard () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#10 0xb7662500 in Perl_call_sv () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#11 0xb7663284 in Perl_call_pv () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#12 0xb72236ad in rlmperl_call () from /opt/server/radius/lib/rlm_perl.so
#13 0x08063524 in modcall ()
#14 0x0805ffe7 in indexed_modcall ()
#15 0x0806037c in module_authenticate ()
#16 0x0804f908 in rad_authenticate ()
#17 0x0806df65 in radius_handle_request ()
#18 0x080661d0 in request_handler_thread ()
#19 0xb75bd4c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#20 0xb736484e in clone () from /lib/i686/cmov/libc.so.6
bt for coredump #3:
#0 0xb77a2424 in __kernel_vsyscall ()
#1 0xb72d6640 in raise () from /lib/i686/cmov/libc.so.6
#2 0xb72d8018 in abort () from /lib/i686/cmov/libc.so.6
#3 0xb731348d in ?? () from /lib/i686/cmov/libc.so.6
#4 0x00000005 in ?? ()
#5 0xb583f614 in ?? ()
#6 0x00000400 in ?? ()
#7 0xb73e97c8 in ?? () from /lib/i686/cmov/libc.so.6
#8 0x00000017 in ?? ()
#9 0xbfd8b66b in ?? ()
#10 0x00000020 in ?? ()
#11 0xb73e97e1 in ?? () from /lib/i686/cmov/libc.so.6
#12 0x00000002 in ?? ()
#13 0xb73e985c in ?? () from /lib/i686/cmov/libc.so.6
#14 0x00000023 in ?? ()
#15 0xb73e97e5 in ?? () from /lib/i686/cmov/libc.so.6
#16 0x00000004 in ?? ()
#17 0xb583fb43 in ?? ()
#18 0x00000008 in ?? ()
#19 0xb73e97eb in ?? () from /lib/i686/cmov/libc.so.6
#20 0x00000005 in ?? ()
#21 0xb72eb388 in vfprintf () from /lib/i686/cmov/libc.so.6
#22 0xb7319764 in ?? () from /lib/i686/cmov/libc.so.6
#23 0x00000002 in ?? ()
#24 0xb73e97c8 in ?? () from /lib/i686/cmov/libc.so.6
#25 0xbfd8b66b in ?? ()
#26 0xb73e985c in ?? () from /lib/i686/cmov/libc.so.6
#27 0xb583fb43 in ?? ()
#28 0xb73e985c in ?? () from /lib/i686/cmov/libc.so.6
#29 0x3079d6d0 in ?? ()
#30 0x61346564 in ?? ()
#31 0x00383132 in ?? ()
#32 0xb7401ff4 in ?? () from /lib/i686/cmov/libc.so.6
#33 0xb7403160 in ?? () from /lib/i686/cmov/libc.so.6
#34 0x0de4a218 in ?? ()
#35 0xb583fb78 in ?? ()
#36 0xb731b966 in free () from /lib/i686/cmov/libc.so.6
Backtrace stopped: frame did not save the PC
bt for coredump #4:
#0 0xb7673132 in Perl_av_fetch () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#1 0xb708c788 in DD_dump () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/auto/Data/Dumper/Dumper.so
#2 0xb708d77f in DD_dump () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/auto/Data/Dumper/Dumper.so
#3 0xb7090219 in XS_Data__Dumper_Dumpxs () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/auto/Data/Dumper/Dumper.so
#4 0xb767541e in Perl_pp_entersub () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#5 0xb7673841 in Perl_runops_standard () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#6 0xb760e500 in Perl_call_sv () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#7 0xb760f284 in Perl_call_pv () from
/opt/server/lib/perl5/5.10.1/i686-linux-thread-multi/CORE/libperl.so
#8 0xb71cf6ad in rlmperl_call () from /opt/server/radius/lib/rlm_perl.so
#9 0x08063524 in modcall ()
#10 0x0805ffe7 in indexed_modcall ()
#11 0x0806037c in module_authenticate ()
#12 0x0804f908 in rad_authenticate ()
#13 0x0806df65 in radius_handle_request ()
#14 0x080661d0 in request_handler_thread ()
#15 0xb75694c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#16 0xb731084e in clone () from /lib/i686/cmov/libc.so.6
4
3
Hi all,
We just upgraded from freeRADIUS 1.1.7 to 2.1.10, and we're having issues getting freeRADIUS to work with a thread pool (see debug logs below). The thread pool config was working in version 1.1.7.
Were there major changes on how threads were implemented from 1.1.7 to 2.1.10? Why might we be having this issue?
Debug log with thread pool:
>radiusd -fxx -l stdout
FreeRADIUS Version 2.1.10, for host i586-wrs-linux-gnu, built on Nov 25 2010 at 01:29:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log"
libdir = "/usr/lib"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 1
retry_count = 2
default_fallback = no
dead_time = 600
wake_all_if_all_dead = no
}
radiusd: #### Loading Clients ####
client 0.0.0.0/0 {
require_message_authenticator = no
secret = "siren123"
shortname = "this_Shelf"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/radiusd.conf
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/radiusd.conf
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/radiusd.conf
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
detail {
detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/radiusd.conf
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
}
Thread spawned new child 1. Total threads in pool: 1
Thread 1 waiting to be assigned a request
Thread spawned new child 2. Total threads in pool: 2
Thread 2 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 3 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread 4 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread 5 waiting to be assigned a request
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
bind_address = *
WARNING: The directive 'bind_address' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.
Debug log without thread pool (commented out in radiusd.conf):
> radiusd -fxx -l stdout
FreeRADIUS Version 2.1.10, for host i586-wrs-linux-gnu, built on Nov 25 2010 at 01:29:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log"
libdir = "/usr/lib"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
log_stripped_names = no
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 1
retry_count = 2
default_fallback = no
dead_time = 600
wake_all_if_all_dead = no
}
radiusd: #### Loading Clients ####
client 0.0.0.0/0 {
require_message_authenticator = no
secret = "siren123"
shortname = "this_Shelf"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/radiusd.conf
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/radiusd.conf
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/radiusd.conf
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/radiusd.conf
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
detail {
detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/radiusd.conf
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
bind_address = *
WARNING: The directive 'bind_address' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Thanks,
Keven
----------
Keven Smith-Worthylake
Software Designer, SI23
GENBAND
3500 Carling Ave
Ottawa, ON, Canada, K2H 8E9
office
keven.smithworthylake(a)genband.com
www.genband.com
2
5