Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2011
- 110 participants
- 148 discussions
Re: "use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
by Alan Buxey 07 Jul '11
by Alan Buxey 07 Jul '11
07 Jul '11
use version 3 ?
the things you want work, why stick to 2.1.x?
Alan
3
4
Hi, all. We have some legacy software that ran under XTradius
(xtradius.sourceforge.net) The important thing was to execute an
external program for every auth & accounting request. Now I need to
recreate all that on another server, and I must use the same legacy
billing software. Unfortunately one can no longer build the old XTradius
on modern FreeBSDs, apparently it has some variable linkage problems.
Can that simple task be done in FreeRADIUS instead? Can it be configured
to call an external program (Auth-Type "External" in XTradius)?
Thanks!
3
4
Re: "use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
by Nitin Bhardwaj 07 Jul '11
by Nitin Bhardwaj 07 Jul '11
07 Jul '11
/
> Hi,
>
> > Sigh!
> >
> > Tried 3.x sometime back, it was seg-faulting left-and-right in my
>
> 3.0 is not a static beast. sometime back is sometime back! there have been
> several key fixes to it - and more when people run it.
>
> its no good saying seg-faulting left-ad-right' if those issues arent
> reported to the dev list - as they wont get fixed unless people report
> them - or run the server to find them ;-)
>
> > scenario, so want to stay with "official" and stable releases only.
>
> 3.x is an official release - its not some random fork by third party
>
> alan
/Sorry, what I meant was, Looking at the descriptions of various
branches here : http://git.freeradius.org/ :
o master <http://github.com/alandekok/freeradius-server/tree/master> -
The next "major" release, which will have new features and other changes.
o v2.1.x <http://github.com/alandekok/freeradius-server/tree/v2.1.x> -
The "long term support" release. The only changes to this code will be
minor bug fixes. All new development is done in the "stable" branch.
I decided to take the "long-term-support" release :)
--
Nitin.
1
0
Hi,
I am very new to radius server and installed
“freeradius-1.1.2-sol10-sparc-local”. While starting the server I am seeing
the below error message. I did not modify any configuration file. Just
running the radius after installation.
Please help me in solving this issue.
I tried the freeradius-1.1.7-sol10-sparc-local , I got the same error.
bash-3.00# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Segmentation Fault (core dumped)
Thanks
Simbu
2
1
Freeradius 2.1.0.
I have a NAS which sends a NAS-Port-Id attribute in the range
2147483648..2164260863. PostgreSQL doesn't like the query Freeradius
performs. It's choking when trying to insert for instance
'2163214239::integer' into the radacct table.
$ select 2163214239::integer;
ERROR: integer out of range
Example:
INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) values('80f0079f', '5c9f0b7076dcc9c0', 'username', NULLIF('', ''), '1.2.3.4', 2163214239::integer, 'Wireless-802.11', ('2008-09-26 09:52:52'::timestamp - '1'::interval - '3382'::interval), ('2008-09-26 09:52:52'::timestamp - '1'::interval), NULLIF('3382', '')::bigint, '', '', (('0'::bigint << 32) + '57743'::bigint), (('0'::bigint << 32) + '294709'::bigint), 'hotspot', 'XX:XX:XX:XX:XX:XX', 'Lost-Service', '', '', NULLIF('192.168.12.94', '')::inet, 0)
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: Error integer out of range
rlm_sql_postgresql: Postgresql Fatal Error: [22003: NUMERIC VALUE OUT OF RANGE] Occurred!!
[sql] Couldn't insert SQL accounting STOP record - ERROR: integer out of range
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Quick fixes...?
--
Vegard Svanberg <vegard(a)svanberg.no> [*Takapa@IRC (EFnet)]
6
6
Hello.
I want to use the certificate from Thawte. First of all I tried to use
free SSL certificate from Thawte. I received 3 certificates in
PEM-format: my Thawte trial SSL certificate, Thawte Trial Secure
Server Intermediate CA and Thawte Test CA Root certificate in format:
-----BEGIN CERTIFICATE-----
text here
-----END CERTIFICATE-----
I made .pem files from them with no new line in end of file. The eap.conf is:
private_key_password = (is empty because no password in certificates)
private_key_file = ${certdir}/trialThawte.pem
certificate_file = ${certdir}/trialThawteCA.pem
radiusd -X
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading private key file /etc/raddb/certs/trialThawte.pem
rlm_eap: Failed to initialize type tls
Tried to make .pem by following commands (use server.key, server.csr
were inputted to make Thawte certificate; server.crt is received
Thawte certificate):
openssl pkcs12 -export -in server.crt -inkey server.key -out
server.p12 -passin pass:1234 -passout pass:1234
unable to load private key
139734217189032:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:467:
139734217189032:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:pem_lib.c:476:
openssl pkcs12 -in server.crt -out server.pem -passin pass:12345
-passout pass:12345
140259536533160:error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140259536533160:error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12
I confused that:
1. no passwords in received Thawte certificates
2. Root CA and Web Server CA
3. different pem format is used in RADIUS and is received from Thawte
What algorithm should be used to make valid to FreeRADIUS pem
certificate files from these Thawte certificates?
FreeRADIUS Version 2.1.7, for host x86_64-pc-linux-gnu
--
Best Regards, Shildyakov Alexey Vladimirovich
2
2
Re: "use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
by Nitin Bhardwaj 06 Jul '11
by Nitin Bhardwaj 06 Jul '11
06 Jul '11
> On 07/05/2011 06:03 PM, Nitin Bhardwaj wrote:
>
> Hello All,
>
> I'm using FreeRADIUS 2.1.11 as a proxy for authenticating PEAP
> clients with RADIUS server not supporting EAP.
>
> All is working well except that when I use
> "proxy_tunneled_request_as_eap = no" in eap.conf, FreeRADIUS is not
> passing back all the AVPs sent by RADIUS server in
> Access-Accept(MSCHAPv2) to the Client, only few ones.
>
> Be specific. Which ones?
>
> Better yet, show a debug of it not working.
>
>
> But when I set it as "proxy_tunneled_request_as_eap = yes",
> FreeRADIUS is relaying back all the AVPs received from the RADIUS
> server properly.
>
>
> eap.conf: ------------ eap { peap { copy_request_to_tunnel = yes
> use_tunneled_reply = yes proxy_tunneled_request_as_eap = no
> virtual_server = "proxy-inner-tunnel" } }
>
> Hence, in spite of setting "use_tunneled_reply = yes", why isnt FR
> copying all attributes in Access-Accept back to client ? Is this some
> bug, fixed in 3.x ?
>
> 3.x is not released yet.
>
> I don't think there are any fixed related to this in "master" (to
> become 3.x) but there might be; please provide more details as above,
> so we can try to reproduce.
Sorry, I was not clear enough earlier.
This is an issue same as the one mentioned in this query:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-September/m…
The RADIUS server is sending the following extra AVPs in Access-Accept
to FR:
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
But FR is eating them up while relaying the Access-Accept back to Client.
The Access-Accept from RADIUS server is as follows:
----------------------------------
rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61,
length=252
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
MS-CHAP2-Success =
0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
MS-CHAP-Domain = "\tDEV"
----------------------------------
But the relayed Access-Accept to client is:
----------------------------------
Sending Access-Accept of id 208 to 172.18.10.13 port 48852
User-Name = "meru"
MS-MPPE-Recv-Key =
0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
MS-MPPE-Send-Key =
0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
----------------------------------
My settings are as follows:
eap.conf:
--------------
eap {
tls{
//Usual stuff <snip....>
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
mchapv2 {
}
}
sites-enabled/proxy-inner-tunnel:
-----------------------------------------------
server proxy-inner-tunnel {
authorize {
update control {
# You should update this to be one of your realms.
Proxy-To-Realm := "DEVLAB"
}
authenticate {
eap
}
post-proxy {
eap
}
}
FR relays all packets properly back to Client when I use
"proxy_tunneled_request_as_eap = yes" in eap.conf. But I cannot do that
way because the RADIUS server doesn't understand EAP at all - I need to
send a plain MSCHAPv2 in the inner request. I thought using
"use_tunneled_reply = yes" should have caused FR to relay back all the
AVPs back to outer tunnel, but its not working.
The full log is as follows:
------------------------------------------------
[root@nitin-centos ~]# radiusd -X
FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 5
2011 at 19:03:48
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm DEVLAB {
authhost = 172.19.6.4
secret = meru2002
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 172.18.10.13 {
require_message_authenticator = no
secret = "meru2002"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server proxy-inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 44579
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=198, length=152
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x02010009016d657275
Message-Authenticator = 0x960d94c0685c6dd5ba509de67f73d37a
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 198 to 172.18.10.13 port 48852
EAP-Message = 0x0102001604109fe03af8d36fe702cf4550cf1f8c0622
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afde108730ebe85102c777b46
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=199, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020200060319
State = 0xfde30c7afde108730ebe85102c777b46
Message-Authenticator = 0x9f1b4526ff2f96a96aae56daf8c0c317
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 199 to 172.18.10.13 port 48852
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afce015730ebe85102c777b46
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=200, length=243
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x0203005219800000004816030100430100003f03014c32bfcfbdd3039d0bcab75c921dd349c355de3f12bc41174c7fdd579d1e3c9200001800390038003300320016001300660035002f000a000500040100
State = 0xfde30c7afce015730ebe85102c777b46
Message-Authenticator = 0xcb652a53a53fcfdfa58375d9b220dd1f
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 82
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 72
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0043], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 200 to 172.18.10.13 port 48852
EAP-Message =
0x0104040019c000000aad160301002a0200002603014e13f11e0d4506fb9ff964758407af4d4a824f4f4b5ece856b606e06258e0c2800003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3131303730353133343634375a170d3132303730343133343634375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c62489fe8f25360bcf54e00e5504239ff4a63a0527f6a6a3056b6c5acee49a33fa8876b189c35a2995c50e04c5228612d1d4786d0ae26d91876ecc895ccb
EAP-Message =
0x32872a0bbdd7c8b7c1a174e096e7b018f8f0bf7baf0ae841dd934974f5bcfff09a0183ced606e5862cb0c306cedc7d566f0433d59da9b782dbdd5200473b793b5f54672bc83e38ff345224996e3f80bc10162ebd81809ac1eb27c50cfd44d5a25268be450b5c3bc19d2a7213a0210f6a98d0a4b2bc9b8bdb7b13c20d93fe5e502d4a54483cdf5f0cea7dbd00f94247418293b57d04dfb3b950afb1d1a537b72e4e61f88cb4983152cf0e9aa6f6137a870a7dea3061c504af04f0f328cc63e1cff4550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007b97bb0db325b70a48
EAP-Message =
0xa3020e155a9b286a8b9bcc15ae1bd01a59f947bb34d6ac55d476e54d8aae86184368e2d6050a2cc11d3bfd2f10330799cf718a5288efa67c70957413f721eada58a5241ed0638b9ce2c183d991857700090a54bc7aad25922184a1df1d632b344994c97ed658089f518ed19a8c19a806c1c17787a753c2c36be6f69d9a414498114cab4dcf2b71bfa17392586bcabfbd2769afd2a947d79ff582a6668dd3421dad3721fd8fd39c20232336a39da35d0f5a90ab49f992246413c4dd695ab1d341246454f08d62dfcdfd351c55c0b60e5be5ca56cd2418ff42733dcc8c58ce26e28af04e4d9cbaec3bdb6741e393d3c7a79613b5df9fe4390004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7affe715730ebe85102c777b46
Finished request 2.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=201, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020400061900
State = 0xfde30c7affe715730ebe85102c777b46
Message-Authenticator = 0xb44bb5aa230ad5e60d13eddafd1dbe7c
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 201 to 172.18.10.13 port 48852
EAP-Message =
0x010503fc194000938269734f3cf5bf300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303730353133343634375a170d3132303730343133343634375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a90f1b4e1a7a1f8b41485334f6fcb4be169ba9f5fe114d0b0a1bc70eef1462c110b6e20ce17292c98beb45757e3b9b936eacbd0125080b244f9d776f0f0406abcc2fd33fd75c72fa4fe73532404acc189f8b663bd94ffecb37ad0a83f0a510e92b35ad219ac275d4fae60a8cbe47d8
EAP-Message =
0xf8eadd6536322afb14b2540c9345f8a02f099b3453a28a0392d140bd4764c75880bd5db3be5c3117438d9400bcfdca3be386526fb8f618411c1a2fbe56c52ddb0cbdfc118d0912bd1883228832306baaa83b8e8672a3ecefcdd3d9a745d1d4424cfef46993103704d12820497b57f3e94df7cb5d887cae556cdc46f992bf3f1d757d45cb94aed0d70dc4fc949256fa1c4b0203010001a381fb3081f8301d0603551d0e04160414f565b2f3ff7d52b7d92e678d3843de8ac3b371ee3081c80603551d230481c03081bd8014f565b2f3ff7d52b7d92e678d3843de8ac3b371eea18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message =
0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900938269734f3cf5bf300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009f7c151e0351bf12ef597651afcf6e5f732ebf175e33af8e2adbc6c8ff64078592e069b00a5e1fcece5d05331068acd01e78d0a65ea5eca85a41b7a948a4073a2e7baec6f88652eeec66a47c8d73f77f6fd2
EAP-Message = 0xe005f788e24cb66e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afee615730ebe85102c777b46
Finished request 3.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=202, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020500061900
State = 0xfde30c7afee615730ebe85102c777b46
Message-Authenticator = 0xe812ebc412f80a25bd7498462aa6e62b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 202 to 172.18.10.13 port 48852
EAP-Message =
0x010602c719008ed1e209185a65d79ce3ef916051889d7bdaeb3525ffc5107d08ca060e538707279d6c7c4d00bd7e2cd644f85b28e438ef74ff013334cc24decd6b574a1df5f73441a4d7b07cf0e5ea79111f624a738780e8bc2564e305a43e8ad9df004a59d0e07b4f5a177c45ca420b747f76ad21feec38781f5164e77d33c6e27a51073ec20c671d919da22056a657f540198bea9e10816a61c4a3f7c8e4f210b734fabf9c012baca0786d160301020d0c0002090080bb53fc5d6c82b9ab4ed79feb313de75ac8e65c23fdb6bd4a6662e6b46bfd437f4f52e12048d2b6e3755cf5e2714aac141168d560132d2b4764c9e36e9ac301c108e84436571a
EAP-Message =
0xf39b55d3596d9bc06850cc9c280dbf6d24f184fe467b90eefb82ae300805a960cd120caeb2b25d9cc64ec6a159c8bc689297e0f7e839ae89defb0001020080b9306e9f87fa00bb87ab9eaa2de2397c994a34a022fafc638aa95eb6e027a8b7ce8388e02d2059a8fcb2a166325998c894cef051b5a5fb688119391fc6ff5a9252191c6ffbdf22762b1b4f3bd5351bb1e94e04e9b71ac318acc8d993140cd8c54e50f583db0dd6c717123d98bb965470aea9eda8dda4bf76717d9f6db1dae8b60100ad862e37923fd73a6b93a8e135f62aa075a591f7ff6b5b147499e74a5895975e758ec48330cc84ea86cda010de172c7438d4fb7bf7f4bb1c28e82575
EAP-Message =
0x3f7656fad6b6db3b6aabdf97a039bc944b257676000e58f16d041545e8fe965412ce2178d6a7ae69499986dfe99ff955bfb985a49e9d05107ad218622a99f5d29a5bfe8d3acfc5f156e04d700d611c1d5cb3e00e6ba986f8bf5b236c8741b5fa3293ddae6e0279c613fdd72d68af1f6ad512d9b858f59dae29a4b945235c89fe55ce40e14b58dc51c80f253c9a3e8ecfdf22fab4d162dbc87ebb06093cd02e3dd6bae646050ab8642ecf14213423f142f8ea4d35243dd51660446270dbdf7fd2ef48280b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af9e515730ebe85102c777b46
Finished request 4.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=203, length=369
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x020600d01980000000c616030100861000008200809a0c1bb68594ead0d108df37ab090c5ae82bbe69eee7b73f693f11bc68cd29f637eb8f4faf9a272f513c954cfcea094707e2af32c4e2b55d3a646126d249fd5fb7e1bd4e8288bf086aae28b808135864eb005218ea8d9a54481f4d43c7fb5368814aaac3a63100a32249d7e68f3b9dccf0d922c2d12c9c2b146232e496fe0bc81403010001011603010030840c77df284213f438f3551d62a3d4c9470e0ea6366e1b39d34f137f5c78d2891eb30875669d688fccf0e61e1da243c6
State = 0xfde30c7af9e515730ebe85102c777b46
Message-Authenticator = 0x88bb2bb9ca1a313aee2de681d281f0c3
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 203 to 172.18.10.13 port 48852
EAP-Message =
0x01070041190014030100010116030100303b23c31a29c705c25db0839a53e947b05d465fbd30c13653d3b8352bd088325b17a3151fd321e457c5d469e8ca818560
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af8e415730ebe85102c777b46
Finished request 5.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=204, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020700061900
State = 0xfde30c7af8e415730ebe85102c777b46
Message-Authenticator = 0xb1f44972992610c36bf8c5898b636d38
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 204 to 172.18.10.13 port 48852
EAP-Message =
0x0108002b190017030100206d1d6355f7e57d3754317857539e1a39325b6ecef30c90efef64a20af81c024f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afbeb15730ebe85102c777b46
Finished request 6.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=205, length=204
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x0208002b19001703010020625a119fe356dba5d6f7cf76e4d054c2241fb52f16778532b4f8004d14d1d4a6
State = 0xfde30c7afbeb15730ebe85102c777b46
Message-Authenticator = 0x2c2cd6601cd01b1317d2dc7594348bc0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - meru
[peap] Got inner identity 'meru'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02080009016d657275
server {
[peap] Setting User-Name to meru
Sending tunneled request
EAP-Message = 0x02080009016d657275
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
server proxy-inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Cancelling proxy to realm DEVLAB until the tunneled EAP
session has been established
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0109001e1a01090019105ba435e766423f0a72c901045f0a25886d657275
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 205 to 172.18.10.13 port 48852
EAP-Message =
0x0109003b1900170301003089452af1f3e64ab01e961a4b2dc9b0c13a90fc86e1da452b46c781c6c3aa4e465324742d29a8a5983bddf45bec669947
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afaea15730ebe85102c777b46
Finished request 7.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=206, length=252
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x0209005b19001703010050934ee8273bff98e2ce4cd7af01b43419b36b17024edcb9e1f3fb99cb52c22c03c0b565e7a69dbe1424a68753ec8c2f2a596ac4a666a04d1dc85112f833bda916d4fcec71ffe2ee65140c2e8d059be1b0
State = 0xfde30c7afaea15730ebe85102c777b46
Message-Authenticator = 0x891db7ed9a95c5ffd9b0b427cac19ead
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
server {
[peap] Setting User-Name to meru
Sending tunneled request
EAP-Message =
0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "meru"
State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
server proxy-inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to DEVLAB
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 61 to 172.19.6.4 port 1812
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
MS-CHAP2-Response =
0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
Proxy-State = 0x323036
Proxying request 8 to home server 172.19.6.4 port 1812
Sending Access-Request of id 61 to 172.19.6.4 port 1812
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
MS-CHAP2-Response =
0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61,
length=252
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
MS-CHAP2-Success =
0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
MS-CHAP-Domain = "\tDEV"
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel
0x8c91600 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
} # server proxy-inner-tunnel
[eap] Final reply from tunneled session code 11
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-CHAP-Domain = "\tDEV"
EAP-Message =
0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
[eap] Got reply 11
[eap] Got tunneled reply RADIUS code 11
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-CHAP-Domain = "\tDEV"
EAP-Message =
0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
[eap] Got tunneled Access-Challenge
[eap] Saving tunneled attributes for later
[eap] Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 206 to 172.18.10.13 port 48852
EAP-Message =
0x010a005b1900170301005017c5dbce0bb69cfd09fd41a5773d61f811bcf2ce164c32346899a98a231010fef71b89c1aed9412bc615a0d2c86595e420e4bd7f3538b748e8825b5f7c275e51bab5a82ae5c4c15e303ccdbd9e909e1a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af5e915730ebe85102c777b46
Finished request 8.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=207, length=204
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x020a002b1900170301002010d201aca04a28ed500660ad0ea279183cf64cf8c3a2e5946a86d43567c9b7f7
State = 0xfde30c7af5e915730ebe85102c777b46
Message-Authenticator = 0xab4fe0c669c7850b88ad0a2ede3087e2
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a00061a03
server {
[peap] Setting User-Name to meru
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "meru"
State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
server proxy-inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "meru"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 207 to 172.18.10.13 port 48852
EAP-Message =
0x010b002b19001703010020972594e10347244aac063470d19ff9c07f0b89472a6262ae06b555a8f266d39c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af4e815730ebe85102c777b46
Finished request 9.
Going to the next request
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=208, length=204
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x020b002b1900170301002079ae2531cb0c20ac94b1150652cc1a83e2ebe697fe10e6d64b4a03ffd8f8bae1
State = 0xfde30c7af4e815730ebe85102c777b46
Message-Authenticator = 0xc8d498ff15ea96988f74edada8e319c1
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "meru"
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 208 to 172.18.10.13 port 48852
User-Name = "meru"
MS-MPPE-Recv-Key =
0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
MS-MPPE-Send-Key =
0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 0 ID 198 with timestamp +37
Waking up in 0.1 seconds.
Cleaning up request 1 ID 199 with timestamp +37
Waking up in 0.1 seconds.
Cleaning up request 2 ID 200 with timestamp +38
Cleaning up request 3 ID 201 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 4 ID 202 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 5 ID 203 with timestamp +38
Cleaning up request 6 ID 204 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 7 ID 205 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 8 ID 206 with timestamp +38
Cleaning up request 9 ID 207 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 10 ID 208 with timestamp +38
Ready to process requests.
-----------------------------------------------
Please help.
--
Nitin.
2
2
Hi list,
I have problem authenticating users against (My)SQL.
Freeradius is running on a FreeBSD 8.0-STABLE and is on version 2.1.10.
It is a fresh install that I made work with the default file
authentication.
When I connect the SQL backend, it doesn't work.
I followed the instructions on the FreeRADIUS wiki :
http://wiki.freeradius.org/SQl_HOWTO
The SQL module is correctly loaded and it returns an OK during
authentication.
The queries are well formed and the results should be ok
What I don't understand is why sql module returns OK, and the
authentication is rejected. In my mind, an OK from the SQL module at
this step means it has authenticated the user.
Am I misunderstanding ?
The debug output and relevant configuration directives are below.
P.S. : 10.1.8.4 is the IP of the server, I'm running radtest commands
from this host (I can't use 127.0.0.1 because of how network currently
works in jails on FreeBSD).
Here is the output of the radtest command :
# radtest bsemene test 10.1.8.4 0 "password for jail client"
Sending Access-Request of id 214 to 10.1.8.4 port 1812
User-Name = "bsemene"
User-Password = "test"
NAS-IP-Address = 10.1.8.4
NAS-Port = 0
rad_recv: Access-Reject packet from host 10.1.8.4 port 1812, id=214,
length=20
Here is the debug output during authentication :
rad_recv: Access-Request packet from host 10.1.8.4 port 44065, id=138,
length=59
User-Name = "bsemene"
User-Password = "test"
NAS-IP-Address = 10.1.8.4
NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bsemene", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional
[sql] expand: %{User-Name} -> bsemene
[sql] expand: %{%{User-Name}:-DEFAULT} -> bsemene
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} ->
bsemene
[sql] sql_set_user escaped user --> 'bsemene'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = BINARY '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, opFROM
radcheck WHERE username = BINARY 'bsemene' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHEe = BINARY
'bsemene' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'dynamic' ORDER BY id
[sql] User found in group dynamic
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bsemene
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 138 to 10.1.8.4 port 44065
Waking up in 4.9 seconds.
Cleaning up request 0 ID 138 with timestamp +4
Ready to process requests.
Here are the (test) DB datas (sorry for the layout) :
mysql> SELECT * FROM radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| bsemene | dynamic | 1 |
+----------+-----------+----------+
1 row in set (0.02 sec)
mysql> SELECT * FROM radcheck;
+----+----------+--------------------+----+-------+
| id | username | attribute | op | value |
+----+----------+--------------------+----+-------+
| 1 | bsemene | Cleartext-Password | == | test |
+----+----------+--------------------+----+-------+
1 row in set (0.00 sec)
mysql> SELECT * FROM radreply;
Empty set (0.00 sec)
mysql> SELECT * FROM radgroupreply;
+----+-----------+------------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+------------+----+-------+
| 1 | dynamic | Framed-MTU | := | 1500 |
+----+-----------+------------+----+-------+
1 row in set (0.02 sec)
Here is the default site config :
# cat sites-available/default | grep -v "^[[:space:]]*#" | grep -v
"^$"
[root@radius]
authorize {
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
sql
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
sql
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
exec
Post-Auth-Type REJECT {
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
And finally the service loading output :
Starting radiusd.
FreeRADIUS Version 2.1.10, for host i386-portbld-freebsd8.0, built on
Jun 28 2011 at 16:08:13
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file
/usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
main {
user = "freeradius"
group = "freeradius"
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log"
libdir = "/usr/local/lib/freeradius-2.1.10"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client jail {
ipaddr = 10.1.8.4
require_message_authenticator = no
secret = "password for jail client"
nastype = "other"
}
client WAP1 {
ipaddr = 10.1.8.127
require_message_authenticator = no
secret = "password for remote client"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/ssl/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/certs/server.pem"
certificate_file = "/etc/ssl/certs/server.pem"
CA_file = "/etc/ssl/certs/ca.pem"
private_key_password = "password"
dh_file = "/etc/ssl/certs/dh"
random_file = "/etc/ssl/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/ssl/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file
/usr/local/etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "ip.of.SQL.server"
port = ""
login = "username"
password = "password"
radius_db = "dbname"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name =
"%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret,
server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username = BINARY
'%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username = BINARY
'%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct
SET acctstoptime = '%S',
acctsessiontime = unix_timestamp('%S') -
accounting_update_query = " UPDATE radacct
SET framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
accounting_update_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid,
accounting_start_query = " INSERT INTO
radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress,
nasportid, n
accounting_start_query_alt = " UPDATE radacct
SET acctstarttime = '%S',
acctstartdelay = '%{%{Acct-Delay-Time}:-0}',
connectinfo_start
accounting_stop_query = " UPDATE radacct
SET acctstoptime = '%S',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{
accounting_stop_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype, acctsta
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = BINARY
'%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid,
username, nasipaddress, nasportid,
framedipaddress, callingstationid, fra
postauth_query = "INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'%{User-Name}',
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
rlm_sql (sql): Attempting to connect to
radius@mysql.it.cyanide-studio.com:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 10.1.8.4 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
--
Bastien Semene
Administrateur Réseau& Système
Cyanide Studio - FRANCE
--
If you think experts are expensive,
wait to see what amateurs will cost you
--
Bastien Semene
Administrateur Réseau& Système
Cyanide Studio - FRANCE
2
2
Hi,
We use FreeRadius 2.1.9.
It works fine, but Macbook user can't connect.
I have to activate only TTLS and PEAP in WLAN settings (802.1x) on the macbook, then it works.
Do exist any other possibility for MAC user?
PLZ help :)
Lionne Stangier
----------------------------------------------------------------------------
Lionne-Jeremias Stangier
Praktikant system engineer
allesklar.com AG
turmcenter ? am turm 40
d- 53721 siegburg
e-mail: lionne.stangier(a)meinestadt.de
fax: +49 (0) 2241-9253-66
www.allesklar.com
www.meinestadt.de - das portal für alle städte deutschlands
www.meinestadt.de/mobil - mobile apps von meinestadt.de
www.allesklar.de - deutschlands umfangreichster webkatalog
www.datingcafe.de ? die testsieger-singlebörse
http://blog.meinestadt.de ? der blog von meinestadt.de
allesklar.com AG | siegburg | AG siegburg HRB 7031
vorstand: dr. manfred stegger (vors.), peter bettin
vorsitzender des aufsichtsrats: dr. herbert groeger
2
6
Thank you for your quick answer.
I just change to peap in the eap.conf but i still have the same error.
Maybe i'll send an email to the maintener of the paquet.
I also tried to compile the last version of FreeRadius from sources but i was running into a lot of bugs...
----- Mail Original -----
De: "Alan Buxey" <A.L.M.Buxey(a)lboro.ac.uk>
À: "FreeRadius users mailing list" <freeradius-users(a)lists.freeradius.org>
Envoyé: Mercredi 6 Juillet 2011 13h22:55 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Objet: Re: Freeradius 2.0.5 simple configuration fail
Hi,
> I'm currently trying to set a Freeradius 2.0.5 on a synology NAS which I installed via ipkg.
> I would like to authenticate the wifi users throught a netgear WG103 '802.1x enabled'.
> So i've just modified the users file to add a 'rad' user :
> "rad Cleartext-Password := "rad""
> And added in clients.conf :
> client 10.1.1.16 {
> secret = ap_pass
> shortname = ap
> }
> I configured the ap according to these settings.
> Everything works fine when using radtest, but when trying to authenticate with the ap, i get the debug output that I put in attached file.
firstly, 2.0.5 is hideously old - and very very buggy. 2.1.x should be
a minimum. can you get your package folk to upgrade their FreeRADIUS package?
secondly, change your default eap type in the eap.conf to peap - you seem to have md5
which means a lot of NAK junk - this streamlines EAP. you cant do md5 with wireless.
> I suppose the problem comes from :
> "auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user."
from a quick look i'd say things should be okay - make the EAP change and
see if the AP plays nicely
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
1
0