Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2011
- 114 participants
- 133 discussions
10 Jun '11
Can you please add your mailing list to this service http://markmail.org/
It's way better and pleasure to read list there.
I'm not working with them, just simple user which just discovered this
pleasant way to read mailing lists.
Sincerely.
Denis.
2
1
Hi all,
I would like to get some help, as I have not been able to rpmbuild
freeradius-2.1.11 form sources using git 2.1.x branch.
I already rpmbuild 2.1.10 with no problems, but may be redhat spec
included in 2.1.11 needs some changes .
I have been able to build/install/test 2.1.11 binary with default
settings to /usr/local, but I can't create installable RPMs for
upgrade my CentOS/RedHat servers to 2.1.11
Here is the script i use to create build environment, followed with
errors at the end of the rpmbuild.
Best regards,
Fred
#####################################
#!/bin/sh
#
RPMBUILDDIR="RPMBUILD"
SOURCE=freeradius-server
GITVERSION=v2.1.x
if [ -d ${SOURCE} ] ; then
echo -n "Removing ${SOURCE} ... "
rm -rf $SOURCE
echo "DONE !"
fi
echo "GITVERSION : ${GITVERSION}"
git clone git://git.freeradius.org/freeradius-server.git
cd freeradius-server
git fetch origin ${GITVERSION}:${GITVERSION}
git checkout v2.1.x
cd ..
VERSION=`cat ${SOURCE}/VERSION`
TARGET=${SOURCE}-${VERSION}
PATCH=freeradius-${VERSION}.spec.diff
echo "VERSION : ${VERSION}"
echo "TARGET : ${TARGET}"
echo "PATCH : ${PATCH}"
echo "RPMBUILDDIR : ${RPMBUILDDIR}"
cp ${SOURCE}/redhat/freeradius.spec .
if [ -f $PATCH ] ; then
echo -n "Appplying ${PATCH} ... "
patch < $PATCH
echo " Done !"
else
echo "FATAL : $PATCH not found, please create it !"
exit 1
fi
echo -n "Moving freeradius.spec to freeradius.${VERSION}.spec ... "
mv freeradius.spec freeradius.${VERSION}.spec
echo "Done !"
if [ -d ${TARGET} ] ; then
echo -n "${TARGET} already exist, removing ... "
rm -rf ${TARGET}
echo "${TARGET} removed !"
fi
echo -n "Moving ${SOURCE} to ${TARGET} ... "
mv ${SOURCE} ${TARGET}
echo "Done !"
echo "Building ${TARGET}.tar ... "
tar cvf ${TARGET}.tar ${TARGET} > /dev/null
echo "${TARGET}.tar done "
echo "building ${TARGET}.tar.bz2 ... "
bzip2 -f ${TARGET}.tar > /dev/null
echo "${TARGET}.tar.bz2 done"
if ! [ -d ${RPMBUILDDIR} ] ; then
for i in BUILD RPMS SOURCES SPECS SRPMS
do
DIR="${RPMBUILDDIR}/$i"
echo -n "Creating $DIR ... "
mkdir -p ${DIR}
echo "Done with code $?"
done
fi
cp ${TARGET}.tar.bz2 ${RPMBUILDDIR}/SOURCES
cp freeradius-${VERSION}.spec ${RPMBUILDDIR}/SPECS/
cd ${RPMBUILDDIR}
rpmbuild -v -ba SPECS/freeradius-${VERSION}.spec
#./configure --prefix=/usr \
# --exec-prefix=/usr \
# --sysconfdir=/etc/raddb/ \
# --localstatedir=/var/
################################################
Traitement des fichiers: freeradius-2.1.11-1
Provides: config(freeradius) = 2.1.11-1 libfreeradius-eap-2.1.11.so
libfreeradius-radius-2.1.11.so rlm_acct_unique-2.1.11.so
rlm_acctlog-2.1.11.so rlm_always-2.1.11.so rlm_attr_filter-2.1.11.so
rlm_attr_rewrite-2.1.11.so rlm_chap-2.1.11.so rlm_checkval-2.1.11.so
rlm_copy_packet-2.1.11.so rlm_counter-2.1.11.so rlm_dbm-2.1.11.so
rlm_detail-2.1.11.so rlm_digest-2.1.11.so
rlm_dynamic_clients-2.1.11.so rlm_eap-2.1.11.so rlm_eap_gtc-2.1.11.so
rlm_eap_leap-2.1.11.so rlm_eap_md5-2.1.11.so
rlm_eap_mschapv2-2.1.11.so rlm_eap_peap-2.1.11.so
rlm_eap_sim-2.1.11.so rlm_eap_tls-2.1.11.so rlm_eap_ttls-2.1.11.so
rlm_exec-2.1.11.so rlm_expiration-2.1.11.so rlm_expr-2.1.11.so
rlm_fastusers-2.1.11.so rlm_files-2.1.11.so rlm_ippool-2.1.11.so
rlm_linelog-2.1.11.so rlm_logintime-2.1.11.so rlm_mschap-2.1.11.so
rlm_otp-2.1.11.so rlm_pam-2.1.11.so rlm_pap-2.1.11.so
rlm_passwd-2.1.11.so rlm_policy-2.1.11.so rlm_preprocess-2.1.11.so
rlm_radutmp-2.1.11.so rlm_realm-2.1.11.so rlm_sql-2.1.11.so
rlm_sql_log-2.1.11.so rlm_sqlcounter-2.1.11.so rlm_sqlippool-2.1.11.so
rlm_unix-2.1.11.so rlm_wimax-2.1.11.so
Requires(interp): /bin/sh /bin/sh /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(pre): /bin/sh glibc-common shadow-utils
Requires(post): /bin/sh /sbin/chkconfig
Requires(preun): /bin/sh /sbin/chkconfig
Requires(postun): /bin/sh
Requires: /bin/sh /usr/bin/perl config(freeradius) = 2.1.11-1
libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.2) libc.so.6(GLIBC_2.2.3)
libc.so.6(GLIBC_2.3) libc.so.6(GLIBC_2.3.4) libc.so.6(GLIBC_2.4)
libcrypt.so.1 libcrypt.so.1(GLIBC_2.0) libcrypto.so.6 libdl.so.2
libfreeradius-eap-2.1.11.so libfreeradius-radius-2.1.11.so
libgdbm.so.2 libltdl.so.3 libnsl.so.1 libpam.so.0
libpam.so.0(LIBPAM_1.0) libpthread.so.0 libpthread.so.0(GLIBC_2.0)
libpthread.so.0(GLIBC_2.1) libpthread.so.0(GLIBC_2.2) libreadline.so.5
libresolv.so.2 libssl.so.6 libtermcap.so.2 rlm_acct_unique-2.1.11.so
rlm_acctlog-2.1.11.so rlm_always-2.1.11.so rlm_attr_filter-2.1.11.so
rlm_attr_rewrite-2.1.11.so rlm_chap-2.1.11.so rlm_checkval-2.1.11.so
rlm_copy_packet-2.1.11.so rlm_counter-2.1.11.so rlm_dbm-2.1.11.so
rlm_detail-2.1.11.so rlm_digest-2.1.11.so
rlm_dynamic_clients-2.1.11.so rlm_eap-2.1.11.so rlm_eap_gtc-2.1.11.so
rlm_eap_leap-2.1.11.so rlm_eap_md5-2.1.11.so
rlm_eap_mschapv2-2.1.11.so rlm_eap_peap-2.1.11.so
rlm_eap_sim-2.1.11.so rlm_eap_tls-2.1.11.so rlm_eap_ttls-2.1.11.so
rlm_exec-2.1.11.so rlm_expiration-2.1.11.so rlm_expr-2.1.11.so
rlm_fastusers-2.1.11.so rlm_files-2.1.11.so rlm_ippool-2.1.11.so
rlm_linelog-2.1.11.so rlm_logintime-2.1.11.so rlm_mschap-2.1.11.so
rlm_otp-2.1.11.so rlm_pam-2.1.11.so rlm_pap-2.1.11.so
rlm_passwd-2.1.11.so rlm_policy-2.1.11.so rlm_preprocess-2.1.11.so
rlm_radutmp-2.1.11.so rlm_realm-2.1.11.so rlm_sql-2.1.11.so
rlm_sql_log-2.1.11.so rlm_sqlcounter-2.1.11.so rlm_sqlippool-2.1.11.so
rlm_unix-2.1.11.so rlm_wimax-2.1.11.so rtld(GNU_HASH)
Obsoletes: freeradius-devel freeradius-libs
Traitement des fichiers: freeradius-utils-2.1.11-1
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: /bin/sh /usr/bin/perl freeradius = 2.1.11-1 libc.so.6
libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.2)
libc.so.6(GLIBC_2.3) libc.so.6(GLIBC_2.3.4) libc.so.6(GLIBC_2.4)
libcrypto.so.6 libfreeradius-eap-2.1.11.so
libfreeradius-radius-2.1.11.so libgdbm.so.2 libnsl.so.1 libpcap >=
0.9.4 libpcap.so.0.9.4 libpthread.so.0 libpthread.so.0(GLIBC_2.0)
libresolv.so.2 libssl.so.6 perl(DBI) perl(Fcntl) perl(Getopt::Long)
perl(Getopt::Std) perl(POSIX) perl(strict) perl(warnings)
rtld(GNU_HASH)
Traitement des fichiers: freeradius-ldap-2.1.11-1
Provides: config(freeradius-ldap) = 2.1.11-1 rlm_ldap-2.1.11.so
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: config(freeradius-ldap) = 2.1.11-1 freeradius = 2.1.11-1
libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.3.4) libc.so.6(GLIBC_2.4)
libfreeradius-radius-2.1.11.so libldap_r-2.3.so.0 libnsl.so.1
libpthread.so.0 libpthread.so.0(GLIBC_2.0) libresolv.so.2
rlm_ldap-2.1.11.so rtld(GNU_HASH)
Traitement des fichiers: freeradius-krb5-2.1.11-1
Provides: config(freeradius-krb5) = 2.1.11-1 rlm_krb5-2.1.11.so
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: config(freeradius-krb5) = 2.1.11-1 freeradius = 2.1.11-1
libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.4) libcom_err.so.2 libfreeradius-radius-2.1.11.so
libk5crypto.so.3 libkrb5.so.3 libkrb5.so.3(krb5_3_MIT) libnsl.so.1
libpthread.so.0 libresolv.so.2 rlm_krb5-2.1.11.so rtld(GNU_HASH)
Traitement des fichiers: freeradius-perl-2.1.11-1
Provides: rlm_perl-2.1.11.so
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: freeradius = 2.1.11-1 libc.so.6 libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.3.4) libc.so.6(GLIBC_2.4)
libcrypt.so.1 libdl.so.2 libdl.so.2(GLIBC_2.0) libdl.so.2(GLIBC_2.1)
libfreeradius-radius-2.1.11.so libm.so.6 libnsl.so.1 libperl.so
libpthread.so.0 libpthread.so.0(GLIBC_2.0) libresolv.so.2 libutil.so.1
perl(:MODULE_COMPAT_5.8.8) rlm_perl-2.1.11.so rtld(GNU_HASH)
Traitement des fichiers: freeradius-python-2.1.11-1
Provides: rlm_python-2.1.11.so
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: freeradius = 2.1.11-1 libc.so.6 libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.2)
libc.so.6(GLIBC_2.3) libc.so.6(GLIBC_2.3.4) libc.so.6(GLIBC_2.4)
libdl.so.2 libdl.so.2(GLIBC_2.0) libdl.so.2(GLIBC_2.1)
libfreeradius-radius-2.1.11.so libm.so.6 libm.so.6(GLIBC_2.0)
libnsl.so.1 libpthread.so.0 libpthread.so.0(GLIBC_2.0)
libpthread.so.0(GLIBC_2.1) libpthread.so.0(GLIBC_2.2) libresolv.so.2
libutil.so.1 libutil.so.1(GLIBC_2.0) rlm_python-2.1.11.so
rtld(GNU_HASH)
Traitement des fichiers: freeradius-mysql-2.1.11-1
Provides: config(freeradius-mysql) = 2.1.11-1 rlm_sql_mysql-2.1.11.so
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: config(freeradius-mysql) = 2.1.11-1 freeradius = 2.1.11-1
libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1.3) libcrypt.so.1
libcrypto.so.6 libm.so.6 libmysqlclient_r.so.15
libmysqlclient_r.so.15(libmysqlclient_15) libnsl.so.1 libpthread.so.0
libssl.so.6 libz.so.1 rlm_sql_mysql-2.1.11.so rtld(GNU_HASH)
Traitement des fichiers: freeradius-postgresql-2.1.11-1
Provides: config(freeradius-postgresql) = 2.1.11-1 rlm_sql_postgresql-2.1.11.so
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: config(freeradius-postgresql) = 2.1.11-1 freeradius =
2.1.11-1 libc.so.6 libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.3.4) libc.so.6(GLIBC_2.4) libpq.so.4
rlm_sql_postgresql-2.1.11.so rtld(GNU_HASH)
Traitement des fichiers: freeradius-unixODBC-2.1.11-1
Provides: rlm_sql_unixodbc-2.1.11.so
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: freeradius = 2.1.11-1 libc.so.6 libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.3.4) libc.so.6(GLIBC_2.4)
libodbc.so.1 rlm_sql_unixodbc-2.1.11.so rtld(GNU_HASH)
Traitement des fichiers: freeradius-debuginfo-2.1.11-1
Provides: libfreeradius-eap-2.1.11.so.debug
libfreeradius-radius-2.1.11.so.debug rlm_acct_unique-2.1.11.so.debug
rlm_acctlog-2.1.11.so.debug rlm_always-2.1.11.so.debug
rlm_attr_filter-2.1.11.so.debug rlm_attr_rewrite-2.1.11.so.debug
rlm_chap-2.1.11.so.debug rlm_checkval-2.1.11.so.debug
rlm_copy_packet-2.1.11.so.debug rlm_counter-2.1.11.so.debug
rlm_dbm-2.1.11.so.debug rlm_detail-2.1.11.so.debug
rlm_digest-2.1.11.so.debug rlm_dynamic_clients-2.1.11.so.debug
rlm_eap-2.1.11.so.debug rlm_eap_gtc-2.1.11.so.debug
rlm_eap_leap-2.1.11.so.debug rlm_eap_md5-2.1.11.so.debug
rlm_eap_mschapv2-2.1.11.so.debug rlm_eap_peap-2.1.11.so.debug
rlm_eap_sim-2.1.11.so.debug rlm_eap_tls-2.1.11.so.debug
rlm_eap_ttls-2.1.11.so.debug rlm_exec-2.1.11.so.debug
rlm_expiration-2.1.11.so.debug rlm_expr-2.1.11.so.debug
rlm_fastusers-2.1.11.so.debug rlm_files-2.1.11.so.debug
rlm_ippool-2.1.11.so.debug rlm_krb5-2.1.11.so.debug
rlm_ldap-2.1.11.so.debug rlm_linelog-2.1.11.so.debug
rlm_logintime-2.1.11.so.debug rlm_mschap-2.1.11.so.debug
rlm_otp-2.1.11.so.debug rlm_pam-2.1.11.so.debug
rlm_pap-2.1.11.so.debug rlm_passwd-2.1.11.so.debug
rlm_perl-2.1.11.so.debug rlm_policy-2.1.11.so.debug
rlm_preprocess-2.1.11.so.debug rlm_python-2.1.11.so.debug
rlm_radutmp-2.1.11.so.debug rlm_realm-2.1.11.so.debug
rlm_replicate-2.1.11.so.debug rlm_soh-2.1.11.so.debug
rlm_sql-2.1.11.so.debug rlm_sql_log-2.1.11.so.debug
rlm_sql_mysql-2.1.11.so.debug rlm_sql_postgresql-2.1.11.so.debug
rlm_sql_unixodbc-2.1.11.so.debug rlm_sqlcounter-2.1.11.so.debug
rlm_sqlippool-2.1.11.so.debug rlm_unix-2.1.11.so.debug
rlm_wimax-2.1.11.so.debug
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Vérification des fichiers non empaquetés: /usr/lib/rpm/check-files
/var/tmp/freeradius-2.1.11-1-root-root
erreur: Fichier(s) installé(s) (mais non empaquetés):
/etc/raddb/modules/redis
/etc/raddb/modules/rediswho
/etc/raddb/modules/replicate
/etc/raddb/modules/soh
/usr/lib/freeradius/rlm_replicate-2.1.11.so
/usr/lib/freeradius/rlm_replicate.so
/usr/lib/freeradius/rlm_soh-2.1.11.so
/usr/lib/freeradius/rlm_soh.so
Erreur de construction de RPM:
Fichier(s) installé(s) (mais non empaquetés):
/etc/raddb/modules/redis
/etc/raddb/modules/rediswho
/etc/raddb/modules/replicate
/etc/raddb/modules/soh
/usr/lib/freeradius/rlm_replicate-2.1.11.so
/usr/lib/freeradius/rlm_replicate.so
/usr/lib/freeradius/rlm_soh-2.1.11.so
/usr/lib/freeradius/rlm_soh.so
[support@radius1 RPMBUILD]$ find .
.
./BUILD
./rpmbuild.log
./SRPMS
./SOURCES
./SOURCES/freeradius-server-2.1.11.tar.bz2
./SPECS
./SPECS/freeradius-2.1.11.spec
./RPMS
[support@radius1 RPMBUILD]$
##################################################################
3
2
Hello All,
I am want to enable Simultaneous-Use for our users. I have been stuck
for many many days trying to figure this out, any help is greatly
appreciated. This is my first time posting, so sorry if my netiquette
is not correct
I. Configuration of System:
FreeRADIUS Version 2.1.1, built on May 9 2010 at 12:09:29
Novell SUSE Linux Enterprise Server 11 SP1
Cisco Wireless AP's
Cisco Wireless Controller - Cisco 4400 Series
Authentication using Novell e-Directory LDAP
Protocol - EAP-PEAP MSCHAPV2
mysql 5.0.67 is installed and radius database is created with correct schema
II. Description:
I am using Free Radius to authenticate Wireless Users.
Users are authenticated to the SSID by entering in their LDAP
Username/Password (stored in Novell e-Directory)
The users are using the standard WPA2 client on Windows machines (with
the EAP-PEAP MSCHAPv2 Protocol)
In addition, I have enabled checkval module to Check for Valid MAC
Addresses & DialupAccess=TRUE
III. Problem:
In looking at the debug logs, randomly generated UserName
Accounting-Request packets are being sent from the NAS to the
FreeRADIUS, before and after the successful authentication of the
UserName (ziggy) using the EAP-PEAP-MSCHAPV2 protocol (during which
time the correct UserName is sent by NAS). When I issue the radwho
command or look at the RADACCT tables, I see the randomly generated
UserNames in both tables. But when I check in the radpostauth
table, I see the UserName (Ziggy) in it.
vm-32laars:/var/tmp # radwho
Login Name What TTY When From Location
8c58770ca7 8c58770ca708 shell S29 Wed 10:55 10.32.156.5
vm-32laars:/var/tmp # radwho
Login Name What TTY When From Location
d830628b05 d830628b050e shell S29 Wed 10:56 10.32.156.5
mysql> select * from radpostauth;
+----+-----------+---------+---------------+---------------------+
| id | username | pass | reply | authdate |
+----+-----------+---------+---------------+---------------------+
| 28 | ziggy | | Access-Accept | 2011-06-08 10:54:22 |
+----+-----------+---------+---------------+---------------------+
mysql> select * from radacct order by RadAcctID desc limit 1;
+-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+----
---------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+------
-----------+------------------+-----------------+------------------+--------------------+-------------+----------------+-------------
----+----------------+---------------+----------------------+
| radacctid | acctsessionid | acctuniqueid |
username | groupname | realm | nasipaddress | nasportid | nas
porttype | acctstarttime | acctstoptime
| acctsessiontime | acctauthentic | connectinfo_start |
connectinfo_stop | accti nputoctets |
acctoutputoctets | calledstationid | callingstationid |
acctterminatecause | servicetype | framedprotocol | framedipaddr
ess | acctstartdelay | acctstopdelay |
xascendsessionsvrkey |
+-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+----
---------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+------
-----------+------------------+-----------------+------------------+--------------------+-------------+----------------+-------------
----+----------------
+---------------+----------------------+
| 10247 | 4defbb0d/8c:7b:9d:9f:d4:16/12409 | 60370f84e1b169c1 |
8c7b9d9fd416 | | | 10.32.156.5 | 29 |
| 2011-06-08 10:55:51 | NULL
| 0 | Remote | |
| 0 | 0 |
10.32.156.5 | 0.0.0.0 | |
| | |
0 | 0 | |
| 10246 | 4defb9c7/8c:58:77:0c:a7:08/12392 | e19aebd88b0eafbf |
8c58770ca708 | | | 10.32.156.5 | 29 |
| 2011-06-08 10:50:24 | 2011-06-08 10:55:37
| 313 | Remote | |
| 21002 | 3206 |
10.32.156.5 | 0.0.0.0 | User-Request |
| | |
0 | 0 | NULL |
+-----------+----------------------------------+------------------+--------------+-----------+-------+--------------+-----------+----
---------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+------
-----------+------------------+-----------------+------------------+--------------------+-------------+----------------+-------------
----+----------------+---------------+----------------------+
IV. Questions:
1) Why is the NAS sending so many randomly generated numeric
"UserName" in the Accounting-Request?
2) How can I get the NAS to send the correct Username (Ziggy) instead
of the randomly generated numbers in the Accounting-Request packets to
update in SQL?
3) I'm confused, should I use radutmp or sql to get Simultaenous-Use
to work? If only sql, can I disable radutmp in configuration files?
4) What do I need to do to get Simultaneous-Use to work properly?
5) Should the default & inner-tunnel files that have the same
parameters match? (i.e. in authorize {sql} in the default file and the
authorize {sql} in the inner-tunnel file)
6) Why do I see so many packets for Ziggy trying to authenticate just
once.. It is not until about Line 1389 in the debug log (see below
ITEM# 6) that the tunnel actually get's established and the next
packet on Line 1453 has the Acct-Status-Type = Start? There is a
total of about 3174 lines for just one login attempt.
V: Configuration relating to Simulatenous-Use:
===================================================================
/etc/raddb/sites-enabled/default
===================================================================
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
ldap
sql
checkval
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
sql
attr_filter.accounting_response
}
session {
radutmp
sql
}
post-auth {
sql
ldap
exec
Post-Auth-Type REJECT {
ldap
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
===================================================================
/etc/raddb/sites-enabled/inner-tunnel
===================================================================
authorize {
chap
mschap
unix
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
ldap
#sql
# checkval
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
session {
radutmp
sql
}
post-auth {
# sql
# sql_log
ldap
Post-Auth-Type REJECT {
attr_filter.access_reject
ldap
}
update outer.reply {
User-Name = "%{request:User-Name}"
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
===================================================================
/etc/raddb/sql.conf
===================================================================
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radius"
password = "password"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
#readclients = yes
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}
===================================================================
/etc/raddb/sql/mysql/dialup.conf
===================================================================
#######################################################################
# Simultaneous Use Checking Queries
#######################################################################
# simul_count_query - query for the number of current connections
# - If this is not defined, no
simultaneouls use checking
# - will be performed by this module instance
# simul_verify_query - query to return details of current
connections for verification
# - Leave blank or commented out to
disable verification step
# - Note that the returned field order
should not be changed.
#######################################################################
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, \
nasipaddress, nasportid, framedipaddress, \
callingstationid, framedprotocol \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
===================================================================
/etc/raddb/eap.conf
===================================================================
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
leap {
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/serverkey.key
certificate_file = ${certdir}/servercert.cert
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
max_entries = 255
}
ttls {
default_eap_type=md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
====================================================
VI: Here is the DEBUG LOG (sorry there are so many lines)
====================================================
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on May
9 2010 at 12:09:29
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.32.156.5/32 {
require_message_authenticator = no
secret = "code"
shortname = "cw32ce0a.wifi.nm.ci.la.ca.us"
nastype = "cisco"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "10.32.197.139"
port = 636
password = "Password"
identity = "cn=admin,o=RALDAP"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = yes
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64"
require_cert = "demand"
}
basedn = "ou=users,o=RALDAP"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "nspmPassword"
auto_header = no
access_attr = "dialupAccess"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0xb7961d90
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "radius"
password = "password"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
unix_timestamp('%S') -
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL
AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET
framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}'
WHERE acctsessionid = '%{Acct-Session-Id}' AND username
= '%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctsessiontime,
acctauthentic, connectinfo_start, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
servicetype, framedprotocol, framedipaddress,
acctstartdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET
acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay)
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32
| '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = "SELECT COUNT(*)
FROM radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS
NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress,
callingstationid, framedprotocol
FROM radacct WHERE
username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_checkval
Module: Instantiating checkval
checkval {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = yes
}
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=93, length=153
User-Name = "9027e444744e"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4defba9b/90:27:e4:44:74:4e/12402"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defba9b/90:27:e4:44:74:4e/12402",User-Name = "9027e444744e"'
[acct_unique] Acct-Unique-Session-ID = "b893f021ffab4937".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "9027e444744e", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] expand: %t -> Wed Jun 8 10:54:07 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 9027e444744e
++[radutmp] returns ok
[sql] expand: %{User-Name} -> 9027e444744e
[sql] sql_set_user escaped user --> '9027e444744e'
[sql] expand: %{Acct-Delay-Time} ->
[sql] expand: INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 9027e444744e
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 93 to 10.32.156.5 port 32768
Finished request 1.
Cleaning up request 1 ID 93 with timestamp +2
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=95, length=153
User-Name = "a467068f617f"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4defbaad/a4:67:06:8f:61:7f/12403"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defbaad/a4:67:06:8f:61:7f/12403",User-Name = "a467068f617f"'
[acct_unique] Acct-Unique-Session-ID = "a96fb9b5775cab4f".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "a467068f617f", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] expand: %t -> Wed Jun 8 10:54:14 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> a467068f617f
++[radutmp] returns ok
[sql] expand: %{User-Name} -> a467068f617f
[sql] sql_set_user escaped user --> 'a467068f617f'
[sql] expand: %{Acct-Delay-Time} ->
[sql] expand: INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> a467068f617f
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 95 to 10.32.156.5 port 32768
Finished request 2.
Cleaning up request 2 ID 95 with timestamp +9
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=249, length=184
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0202000a017a69676779
Message-Authenticator = 0x2d7411a0a70277876c359c8b4d67b798
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to
/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=admin,o=RALDAP/novell to 10.32.197.139:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
[sql] expand: %{User-Name} -> ziggy
[sql] sql_set_user escaped user --> 'ziggy'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'ziggy' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'ziggy' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User ziggy not found
++[sql] returns notfound
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8
rlm_checkval: Value Name: Calling-Station-Id, Value: 78-ca-39-b9-12-f9
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8
++[checkval] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 249 to 10.32.156.5 port 32768
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e623a5da78451212e3283d83
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=250, length=311
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0203007719800000006d16030100680100006403014defbab394ef0bf49e249034a8f7bd9769a69976d1734654ad86542a75ed2b32000018002f00350005000ac013c014c009c00a003200380013000401000023ff010001000000000a00080000057a69676779000a0006000400170018000b00020100
State = 0xe620bc83e623a5da78451212e3283d83
Message-Authenticator = 0x67139174caeb2bd6111e66658ae9da26
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 119
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 109
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0068], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 250 to 10.32.156.5 port 32768
EAP-Message = 0x0104040019c0000008a216030100310200002d03014defb74eca097d9d5f9de12b27867f05bb279f3b41b0d5f096742ed43b4205cd00002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
EAP-Message = 0x74686f72697479301e170d3130303632393139323834315a170d3131303632393139323834315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d6469eb536013124569539d3e8c186e90de7d9ef492251ea1d694337fb2d4fcd4492d29a54e25740af4fc9580a88a4bc2f9e8ddc72a088
EAP-Message = 0x4910b9ffc1b899aea0078060c00099336a3260cf793fc7df0a1dabea863a017762807644fb82c3ffe5a82547ef57766021e53c9c9b1a1cd7b47f559854dce22812f752bd20f7a7d9280f68ad65f2d30909dcb38ab41921433fcb696c63dbad3b49a5f32ee13ec68ffa1af9662b0dbec130c3469281874ad71857141c6a935803e2ae72fd48c5c65ebfbf39cba8c76a89f25a6785ed61a8c4826d6092cfe55fbb6fb2d29aec987ec551078ac689469c07d3ecb16f9e3b04bc6cfa004fbeb5c05a057f6938850ec18fbf0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101002059
EAP-Message = 0xe7ff00e87350fe0b3266f50fa368ebdb9c8124b1cc9e6e07db3d5f495a4ab344ebb45f50770ed6c1723a43533f924e12d79d0d4982a1ae3b03923b97d0f767452c6995a6a523157d250ba3b918e598e93b4b87501e1b022b6e130d8ffc762c5a3d4035d8cdb057ac0fd12bd06a976618d88fc46efafbc990aa9a295fcd8b70f6c48139fdff53c35e0fb38c4db1f10f56054082aa53ce9e7c9bc5d5cbaa9eaf705ad917edee420c59ad70f658994fe18469e213085ca638ead1e8bd72a9e721901034a57d33badbe54bb92476bab7d89ff4c87882bf4f8114c812afc320b1dd68b9683011d32a46b4f17192e56c92ef213f99f6c6b7464103ecea2b0171
EAP-Message = 0x020004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e724a5da78451212e3283d83
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=251, length=198
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020400061900
State = 0xe620bc83e724a5da78451212e3283d83
Message-Authenticator = 0x05e641c1ed2dbfb0b9a0bc003ded62a0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 251 to 10.32.156.5 port 32768
EAP-Message = 0x010503fc1940a003020102020900ec81d7fdbd08b57f300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130303632393139323834315a170d3130303732393139323834315a308193310b3009060355040613024652310f300d0603550408130652616469757331
EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c503568c9100eb4a533106a33bd1908feb4a8324db7e26fb401a9a01bd2f9834a7230b260e386dbecb5726d12d5a360d182bacc25cf8768a8c876598089c054cdf7fdd5b03241a2761a1ca0a970d820f0db8c79c16cc8c2704e0d07f1a9ab05060c7dc42cd01db61
EAP-Message = 0x6c5d107c8046cd2ef12e233bd35a4e2b477676934e34ac5813c75f4dc23301fece997d5aa08123c84b543cd45bc65fa9f1a3e8ef217d4b9f5d88e82eca7f1539946f4fd105b06d7211d2d65af67f266c9f1eb30248a56f2e26d0019a5c1ea497f4d0e7f547f8c61d2944de1551387b563e8481dbd7276fbaa0a6451ef65777c9cb3b6951f6efed6c5f696f08a03f2980779f90ff5dffdf7f0203010001a381fb3081f8301d0603551d0e0416041476cfd1a77faaafd0b29217ddec7f9888590af0f43081c80603551d230481c03081bd801476cfd1a77faaafd0b29217ddec7f9888590af0f4a18199a48196308193310b300906035504061302465231
EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ec81d7fdbd08b57f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005b833733cc74015c776e5318978ffde37ceae715464c1183b82463c95957bc61c72d783a923fe70884a01208a04749183f0afc1393284259b0e848605447a7723437701d8a495f9130c6fb
EAP-Message = 0xfd2a7aac200acb6a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e425a5da78451212e3283d83
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=252, length=198
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020500061900
State = 0xe620bc83e425a5da78451212e3283d83
Message-Authenticator = 0x2bd996782a861ab5f0e4318920573ce9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 252 to 10.32.156.5 port 32768
EAP-Message = 0x010600bc1900f2ab17a522f98a0885febb4ff3cb657112b10067895f114462e116b84ff52e461aaa436d80c5cc1184d51c44b67c3c648257a0929a4f6c4d895b47930901d4fe1576ed3296df98e3d9edd900aa0a41a39653932d77f570c5599129b33d1bf32cabf0dffa0ab0c366c5fcdb6f3d65a12df7269b9bb211c9feb0284e064ff51a1eadb7105302f0f2e1a57195e4522c1f26739b2da61de91672163a418fe25d17caa3446a139fed55c8d98cf3b04416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e526a5da78451212e3283d83
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=253, length=530
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0206015019800000014616030101061000010201006a27393ec43fea150a039f85ea376f584f8dc0069188328100ef31e34922ea71afc7bad9dcd521344a965f0bc349ca5b3f3ad1d8a110d985f6b3b37a562d7bf6e30422b56b4024a56b0e0caf08657680edca70fd5cfca3cac7b2b64fc21e1df7497888ace8a91a26325fb8297010a5ad6675aa89dc6a226a37e010880c28d7b071e1c9bec2b0fc532e1128992e47add8591a7056a942d6e48e8b0233a9a3384e51a4107105854a10dd61d441881f66c6adb6d9bfefa5e6adea93b2e4c58cee49b85446252a7a1dd4e63360023373983eeec36e27c7001511b4ea598b61d1c0fee7c78f1a012825f1
EAP-Message = 0x6a0da33f23a3db2b18e6a04e0f1c5821902a7f3b6d0c25a71403010001011603010030a93820cff9e6253dac65d3a219b134eb2fc85813c46c9203fdb38dd047e41e5b182733893ca45f6f4aba93a4d969338c
State = 0xe620bc83e526a5da78451212e3283d83
Message-Authenticator = 0x5fadc4968a75cf5dffcdb32871abe493
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 253 to 10.32.156.5 port 32768
EAP-Message = 0x01070041190014030100010116030100303b450ec40b7584ae543440d814c44ae8e40f26ec51f917cb1bf1ca87ee319929d82566eb8c874843b7f2c270821b9a72
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e227a5da78451212e3283d83
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=254, length=198
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020700061900
State = 0xe620bc83e227a5da78451212e3283d83
Message-Authenticator = 0x6711b49c21e05d9d0471f5cada5a673e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.32.156.5 port 32768
EAP-Message = 0x0108002b19001703010020d615b42fdceaf564c2458858918d9d99fa2a59075262b3b911249b9dbdaf854e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e328a5da78451212e3283d83
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=255, length=235
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0208002b1900170301002080e7daa50845a9cfa553bd5a213b34c81a694936a8086e9c41e845c2ee13adbe
State = 0xe620bc83e328a5da78451212e3283d83
Message-Authenticator = 0xa23930f64ee0f25f0138d3be32faf555
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - ziggy
[peap] Got tunnled request
EAP-Message = 0x0208000a017a69676779
server (null) {
PEAP: Got tunneled identity of ziggy
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to ziggy
Sending tunneled request
EAP-Message = 0x0208000a017a69676779
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37f550df77f9cb88e74ec1077
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37f550df77f9cb88e74ec1077
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 255 to 10.32.156.5 port 32768
EAP-Message = 0x0109003b190017030100302ea4cc7d7bc8bdbbf752876a38a688a14fd819c650d6a76d55e9711dda0cdde12b238d04624ddc997de86bcd1d6a54a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e029a5da78451212e3283d83
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=0, length=299
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0209006b190017030100606c7749f02b0698602b4d8c7391ead7367cb14ddbeaa33c1c345483f86a7a61965498be6823c24a50d0ee61499687e9b278e72700e5fb2c48d76db4393365e13bb5624897e58a7160a8164ba77d0ad762ae4dd872fb91b201aea14cdb08b127ec
State = 0xe620bc83e029a5da78451212e3283d83
Message-Authenticator = 0x22d835d6fe511c9016fc9a2b9691f3cb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779
server (null) {
PEAP: Setting User-Name to ziggy
Sending tunneled request
EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ziggy"
State = 0x7f5c17f37f550df77f9cb88e74ec1077
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for ziggy with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37e560df77f9cb88e74ec1077
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37e560df77f9cb88e74ec1077
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.32.156.5 port 32768
EAP-Message = 0x010a005b19001703010050c19cd32624e8cddabf0fa2387505602c4bc0164f92e8273d1849e420b04920d6d29e169b5f4fa18e031d3ac445c78f18bcb48b3c63a4cdd5f9dc9e4d07106ec30daedb164ac1fa19c911a240f1447684
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e12aa5da78451212e3283d83
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=1, length=235
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020a002b1900170301002009cecc97373c0400e41ea22d3d29d81d3ff006fa9ecd4b3afca62b77fa8c953a
State = 0xe620bc83e12aa5da78451212e3283d83
Message-Authenticator = 0xc7631b4d93c923d6460500dd33b4566d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020a00061a03
server (null) {
PEAP: Setting User-Name to ziggy
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ziggy"
State = 0x7f5c17f37e560df77f9cb88e74ec1077
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group session {...}
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> ziggy
++[radutmp] returns ok
+- entering group post-auth {...}
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to
/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=ziggy,ou=users,o=RALDAP/ziggy to 10.32.197.139:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ziggy"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ziggy"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.32.156.5 port 32768
EAP-Message = 0x010b002b1900170301002049a52fa96dcb33d6f581b75f7657e1e6202fd2c7e22308df4d67c837775995ce
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83ee2ba5da78451212e3283d83
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=2, length=235
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020b002b19001703010020eea6cdab5fcb5553d5c76ec1ef19d42396ed439a838b0d35367cfdda86fef168
State = 0xe620bc83ee2ba5da78451212e3283d83
Message-Authenticator = 0xa6bc090d74217df806b10f83260e7a30
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> ziggy
[sql] sql_set_user escaped user --> 'ziggy'
[sql] expand: %{User-Password} ->
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'ziggy',
'', 'Access-Accept', '2011-06-08 10:54:22')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'ziggy',
'', 'Access-Accept', '2011-06-08
10:54:22')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[ldap] returns noop
++[exec] returns noop
Sending Access-Accept of id 2 to 10.32.156.5 port 32768
User-Name = "ziggy"
MS-MPPE-Recv-Key =
0x24ed6bc6b1501b91115a0aebb258aa071975a0c24c0b284bafbb36992de2da7c
MS-MPPE-Send-Key =
0xa0a91a481b11147334dc7c5019ac8aa906c8498bc9f165b56fdb1e495a65110c
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 12.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=96, length=153
User-Name = "0018de9a2a1a"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4defbab7/00:18:de:9a:2a:1a/12405"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defbab7/00:18:de:9a:2a:1a/12405",User-Name = "0018de9a2a1a"'
[acct_unique] Acct-Unique-Session-ID = "7fab12adbf4fb3ac".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "0018de9a2a1a", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] expand: %t -> Wed Jun 8 10:54:25 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 0018de9a2a1a
++[radutmp] returns ok
[sql] expand: %{User-Name} -> 0018de9a2a1a
[sql] sql_set_user escaped user --> '0018de9a2a1a'
[sql] expand: %{Acct-Delay-Time} ->
[sql] expand: INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 0018de9a2a1a
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 96 to 10.32.156.5 port 32768
Finished request 13.
Cleaning up request 13 ID 96 with timestamp +20
Going to the next request
Waking up in 2.1 seconds.
Cleaning up request 3 ID 249 with timestamp +17
Cleaning up request 4 ID 250 with timestamp +17
Cleaning up request 5 ID 251 with timestamp +17
Cleaning up request 6 ID 252 with timestamp +17
Cleaning up request 7 ID 253 with timestamp +17
Cleaning up request 8 ID 254 with timestamp +17
Cleaning up request 9 ID 255 with timestamp +17
Cleaning up request 10 ID 0 with timestamp +17
Cleaning up request 11 ID 1 with timestamp +17
Cleaning up request 12 ID 2 with timestamp +17
3
4
what's the role of Squid in a radius runnin server, i know its related
to proxy thing but would like to 've more info.
2
1
what's the role of Squid in a radius running server, i know its
related to proxy thing but would like to 've more info.
1
0
Hi,
I'm unable to authenticate using the LEAP method. All the other EAP methods
are working fine.
Thanks in advance for your help. Here is the output from radiusd -X:
FreeRADIUS Version 2.1.10, for host i386-redhat-linux-gnu, built on Oct 19
2010 at 19:44:13
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.127.1.0/24 {
require_message_authenticator = no
secret = "searchme123"
shortname = "Helix"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.127.1.30 port 1645, id=116,
length=136
User-Name = "tester"
Framed-MTU = 1400
Called-Station-Id = "0040.9646.4192"
Calling-Station-Id = "0027.1086.5a7c"
Service-Type = Login-User
Message-Authenticator = 0x7e9ddbf72355ce5d7aad0a9cf96ac61e
EAP-Message = 0x0202000b01746573746572
NAS-Port-Type = Wireless-802.11
NAS-Port = 682
NAS-IP-Address = 10.127.1.30
NAS-Identifier = "CiscoAp@Helix"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry tester at line 54
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 116 to 10.127.1.30 port 1645
EAP-Message = 0x010300160410affde2f5ab4ca3deefb3b297c9ea4b04
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaadb5926aad85d8ed2af7f39c1a410ab
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.1.30 port 1645, id=117,
length=149
User-Name = "tester"
Framed-MTU = 1400
Called-Station-Id = "0040.9646.4192"
Calling-Station-Id = "0027.1086.5a7c"
Service-Type = Login-User
Message-Authenticator = 0xe7f3c4960f807ce5881e8eff237b2694
EAP-Message = 0x020300060311
NAS-Port-Type = Wireless-802.11
NAS-Port = 682
State = 0xaadb5926aad85d8ed2af7f39c1a410ab
NAS-IP-Address = 10.127.1.30
NAS-Identifier = "CiscoAp@Helix"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry tester at line 54
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/leap
[eap] processing type leap
rlm_eap_leap: Stage 2
rlm_eap_leap: Issuing AP Challenge
rlm_eap_leap: Successfully initiated
++[eap] returns handled
Sending Access-Challenge of id 117 to 10.127.1.30 port 1645
EAP-Message = 0x0104001611010008bb0502e57fcf236d746573746572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaadb5926abdf488ed2af7f39c1a410ab
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.1.30 port 1645, id=118,
length=181
User-Name = "tester"
Framed-MTU = 1400
Called-Station-Id = "0040.9646.4192"
Calling-Station-Id = "0027.1086.5a7c"
Service-Type = Login-User
Message-Authenticator = 0x7e6bc97a2ae20c77c0bdfdfcd8d5d0d0
EAP-Message =
0x0204002611010018b48b4190ecaeabba63bfcee8bb974912e1e06d4742c50521746573746572
NAS-Port-Type = Wireless-802.11
NAS-Port = 682
State = 0xaadb5926abdf488ed2af7f39c1a410ab
NAS-IP-Address = 10.127.1.30
NAS-Identifier = "CiscoAp@Helix"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 38
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry tester at line 54
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/leap
[eap] processing type leap
rlm_eap_leap: Stage 4
rlm_eap_leap: NtChallengeResponse from AP is valid
[eap] Underlying EAP-Type set EAP ID to 5
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Challenge of id 118 to 10.127.1.30 port 1645
EAP-Message = 0x03050004
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaadb5926a8de488ed2af7f39c1a410ab
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 116 with timestamp +33
Cleaning up request 1 ID 117 with timestamp +33
Cleaning up request 2 ID 118 with timestamp +34
Ready to process requests.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/LEAP-Authentication-tp4475314p44753…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
1
0
Freeradius reports "Sending Access-Accept " (see log below) but we are
getting the message on our Cisco VPN box
"Radius: Invalid reply digest received; the shared-secret may be incorrect"
We have triple checked the shared secrete and it is correct. With the
wrong secrete it does not authenticate at all. Any ideas on what else
might be causing that?
Also, the password comes from the Cisco VPN to freeradius encrypted.
I had to resort to including the token in the userid field to make it
work. Any ideas how to decrypt the password? I have tried some tools
on the net like cisco-decrypt but it says the encrypted password I
give it is invalid. I notice users in the users file are
authenticated properly although the password is encrytped. I need
to decrypt the password in my python module.
Thanks,
Jim
Ready to process requests.
rad_recv: Access-Request packet from host 135.207.5.9 port 1936,
id=173, length=133
User-Name = "jw701e%1307649138237"
User-Password = "||\027\327j=\225\035|\376\0221\376j\366`"
NAS-Port = 2017
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "204.178.3.9"
Calling-Station-Id = "204.178.9.131"
Tunnel-Client-Endpoint:0 = "204.178.9.131"
NAS-IP-Address = 135.207.5.9
NAS-Port-Type = Virtual
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jw701e%1307649138237", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
*** authorize ***
*** RADlog call in authorize ***
(('User-Name', '"jw701e%1307649138237"'), ('User-Password',
'"||\\027\\327j=\\225\\035|\\376\\0221\\376j\\366`"'), ('NAS-Port',
'2017'), ('Service-Type', 'Framed-User'), ('Framed-Protocol', 'PPP'),
('Called-Station-Id', '"204.178.3.9"'), ('Calling-Station-Id',
'"204.178.9.131"'), ('Tunnel-Client-Endpoint:0', '"204.178.9.131"'),
('NAS-IP-Address', '135.207.5.9'), ('NAS-Port-Type', 'Virtual'))
User-Name: "jw701e%1307649138237"
User-Password: "||\027\327j=\225\035|\376\0221\376j\366`"
NAS-Port: 2017
Service-Type: Framed-User
Framed-Protocol: PPP
Called-Station-Id: "204.178.3.9"
Calling-Station-Id: "204.178.9.131"
Tunnel-Client-Endpoint:0: "204.178.9.131"
NAS-IP-Address: 135.207.5.9
NAS-Port-Type: Virtual
User: jw701e%1307649138237 Pwd: ||\027\327j=\225\035|\376\0221\376j\366`
Userid: jw701e(a)research.att.com Pwd: 1307649138237
Authenticate User: jw701e
SAFE authentication successful: jw701e
++[python] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PYTHON
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PYTHON {...}
++[python] returns ok
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 173 to 135.207.5.9 port 1936
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 173 with timestamp +13
Ready to process requests.
2
1
Greetings guys,
I'm trying to install Freeradius 2.1.10 with module wimax on Debian squeeze
with apt-get command (apt-get build-dep freeradius).
Installation is successful, however when I launch freeradius I've got this
error:
Error: /etc/freeradius/modules/wimax[92]: Failed to link to module
'rlm_wimax': file not found
Error: /etc/freeradius/sites-enabled/default[104]: Failed to load module
"wimax".
Indeed when I check on /usr/lib/freeradius, I've got no rlm_wimax.so nor
rlm_wimax-2.1.10.so
Moreover, if I'm checking directly on the Debian packages on
http://packages.debian.org/squeeze/amd64/freeradius/filelist, there are no
such files like rlm_wimax
Is anyone has already encountered this issue ?
Regards,
2
2
As per the recent discussions, I tried to login to the wiki to edit some
problem pages I found.
1) I click "login", both of the buttons (Github and Facebook) have
incorrect height, much shorter than the actual imag, obscuring most of
the buttons (Firefox 3.5.8 linux x86_64). e.g. the github logo shows
just the ears and top of the head, everything below that is cut off.
2) when I click the button to auth via github (I've never logged in to
the wiki before), I get a runtime error:
RuntimeError at /auth/github/callback
Invalid data from provider, omniauth user hash {:user_info => {:name =>
}} must not be empty or whitespace
* file: omniauth.rb
* location: initialize
* line: 24
I have the full .htm backtrace and environment dump if someone wants it.
I haven't looked through it in depth, but given the session info and
secrets, omniauth info on my github account, etc. I didn't want to post
it to the list.
Thanks,
Jason Antman
Rutgers University
2
2
Currently I have a wireless setup that terminates the outer tunnel
locally then queries AD to get group/user data. This happens for the
realm named after the domain,the default realm, and NULL realm and works
perfectly. What I need to do now is add a new realm (testrealm)that
terminates the eap tunnel locally just like the other realms (to keep
the cert the same) and then proxies the inner tunnel to a MS ias server
(old_DC). All i will need back is an accept and then i will attempt to
pass attributes to the wireless controller based on the realm (I assume
I can do this). I appear to be having some issues with initial
authentication however.
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on
Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ldap.save
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/files
including configuration
file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/TESTrealm
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm nebraska.gov {
authhost = LOCAL
accthost = LOCAL
}
realm STN {
authhost = LOCAL
accthost = LOCAL
}
realm TESTrealm {
nostrip
authhost = 10.20.8.51:1645
secret = failkey
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.200.1.0/24 {
require_message_authenticator = no
secret = "testing321"
shortname = "TestingNetwork"
}
client 10.175.255.11 {
require_message_authenticator = no
secret = "failkey"
}
client 10.200.1.139 {
require_message_authenticator = no
secret = "failkey"
shortname = "gentoo"
}
client 10.20.8.51 {
require_message_authenticator = no
secret = "failkey"
shortname = "old_DC"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=
%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-STN}
--challenge=%{mschap:Challenge:-00} --nt-response=
%{mschap:NT-Response:-00}"
}
Module: Instantiating ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=STN
--username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/radiusPRIVATE.key"
certificate_file = "/etc/raddb/certs/star_nebraska_gov.crt"
CA_file = "/etc/raddb/certs/digicert.pem"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating ntdomain
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "stone.ne.gov"
port = 389
password = ""
identity = "stn\seth.doty"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=ne,dc=gov"
filter = "(&(sAMAccountname=
%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=
%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=
%{control:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed
in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from
file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS
Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x1a101d00
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.175.255.11 port 32793,
id=119, length=190
User-Name = "TESTrealm\\twireless"
NAS-IP-Address = 10.200.3.252
NAS-Port = 0
NAS-Identifier = "10.200.3.252"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "C417FE62A790"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020100170173656e61746f72735c74776972656c657373
Aruba-Essid-Name = "NE1SECURE"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x3f5246673d0ef6b3928754dc6e3ee11a
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "TESTrealm\twireless", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "TESTrealm" for User-Name = "TESTrealm
\twireless"
[ntdomain] Found realm "TESTrealm"
[ntdomain] Adding Realm = "TESTrealm"
[ntdomain] Proxying request from user twireless to realm TESTrealm
[ntdomain] Preparing to proxy authentication request to realm
"TESTrealm"
++[ntdomain] returns updated
[eap] Request is supposed to be proxied to Realm TESTrealm. Not doing
EAP.
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for TESTrealm\twireless
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] expand: (&(sAMAccountname=
%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) ->
(&(sAMAccountname=TESTrealm\5ctwireless)(objectClass=person))
[ldap] expand: dc=ne,dc=gov -> dc=ne,dc=gov
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to stone.ne.gov:389, authentication 0
rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ne,dc=gov, with filter
(&(sAMAccountname=TESTrealm\5ctwireless)(objectClass=person))
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
WARNING: Empty section. Using default return values.
Sending Access-Request of id 165 to 10.20.8.51 port 1645
User-Name = "TESTrealm\\twireless"
NAS-IP-Address = 10.200.3.252
NAS-Port = 0
NAS-Identifier = "10.200.3.252"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "C417FE62A790"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020100170173656e61746f72735c74776972656c657373
Aruba-Essid-Name = "NE1SECURE"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313139
Proxying request 0 to home server 10.20.8.51 port 1645
Sending Access-Request of id 165 to 10.20.8.51 port 1645
User-Name = "TESTrealm\\twireless"
NAS-IP-Address = 10.200.3.252
NAS-Port = 0
NAS-Identifier = "10.200.3.252"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "C417FE62A790"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020100170173656e61746f72735c74776972656c657373
Aruba-Essid-Name = "NE1SECURE"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313139
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 10.20.8.51 port 1645, id=165,
length=25
Proxy-State = 0x313139
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> TESTrealm
\twireless
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 119 to 10.175.255.11 port 32793
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.175.255.11 port 32793,
id=120, length=190
User-Name = "TESTrealm\\twireless"
NAS-IP-Address = 10.200.3.252
NAS-Port = 0
NAS-Identifier = "10.200.3.252"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "C417FE62A790"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020100170173656e61746f72735c74776972656c657373
Aruba-Essid-Name = "NE1SECURE"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x4f2d6590c0f8ee9f7bc41e182518c188
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "TESTrealm\twireless", looking up realm
NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "TESTrealm" for User-Name = "TESTrealm
\twireless"
[ntdomain] Found realm "TESTrealm"
[ntdomain] Adding Realm = "TESTrealm"
[ntdomain] Proxying request from user twireless to realm TESTrealm
[ntdomain] Preparing to proxy authentication request to realm
"TESTrealm"
++[ntdomain] returns updated
[eap] Request is supposed to be proxied to Realm TESTrealm. Not doing
EAP.
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for TESTrealm\twireless
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] expand: (&(sAMAccountname=
%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) ->
(&(sAMAccountname=TESTrealm\5ctwireless)(objectClass=person))
[ldap] expand: dc=ne,dc=gov -> dc=ne,dc=gov
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ne,dc=gov, with filter
(&(sAMAccountname=TESTrealm\5ctwireless)(objectClass=person))
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
WARNING: Empty section. Using default return values.
Sending Access-Request of id 33 to 10.20.8.51 port 1645
User-Name = "TESTrealm\\twireless"
NAS-IP-Address = 10.200.3.252
NAS-Port = 0
NAS-Identifier = "10.200.3.252"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "C417FE62A790"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020100170173656e61746f72735c74776972656c657373
Aruba-Essid-Name = "NE1SECURE"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313230
Proxying request 1 to home server 10.20.8.51 port 1645
Sending Access-Request of id 33 to 10.20.8.51 port 1645
User-Name = "TESTrealm\\twireless"
NAS-IP-Address = 10.200.3.252
NAS-Port = 0
NAS-Identifier = "10.200.3.252"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "C417FE62A790"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020100170173656e61746f72735c74776972656c657373
Aruba-Essid-Name = "NE1SECURE"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313230
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 10.20.8.51 port 1645, id=33,
length=25
Proxy-State = 0x313230
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> TESTrealm
\twireless
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Cleaning up request 0 ID 119 with timestamp +6
Sending delayed reject for request 1
Sending Access-Reject of id 120 to 10.175.255.11 port 32793
Waking up in 4.9 seconds.
help me obi wan kenobi. you're my only hope
2
2