Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2012
- 110 participants
- 136 discussions
08 Jan '12
Kveðja - Regards
Stefán B. Jónsson
<http://www.martolvan.is/>
sími/tel +354-478-1300, GSM/Mobile +354-894-6541, fax +354-478-2393
Skype name: stefan.martolvan.is
Trúnaður /Disclosure
http://www.martolvan.is/tunadur-tolvuposts.html
From: stefan(a)martolvan.is [via FreeRadius] [mailto:ml-node+s1045715n5127854h18@n5.nabble.com]
Sent: 7. janúar 2012 15:57
To: Stefán B. Jónsson
Subject: Re: Need to autorize access after an successful ldap search
Is something fundamentally wrong with my question ?
I simply need to find an way to authorize access after finding existence of an MAC address stored in LDAP.
This must have been done before at least I know that it is possible, I just get awfully confused in the context of how the config files work, I suspect that this should be done using combination of LDAP query and User file commands, I'm just not understanding how the user file command structure works.
I would appreciate if any one could point me in the right direction, this is depriving me of all sleep and time by now.
________________________________
If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/Need-to-autorize-access-after-an-su…
To unsubscribe from Need to autorize access after an successful ldap search, click here <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsu…> .
NAML <http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macr…>
This email has been processed by SmoothZap - www.smoothwall.net
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Need-to-autorize-access-after-an-su…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
1
0
Dear friends,
i have FS for PSTN outbound call using below dial plan,
<extension name="CallToPSTN" >
<condition field="destination_number" expression="^(0\d+)$" >
<action application="bridge" data="sofia/internal/$1(a)1.2.3.4" />
</condition>
</extension>
While, now i need dynamically specify the outbound GW’s IP address
according to the return result of the external command before routing in
the source code , e.g. if the external command return FS the IP address of
OB GW 6.7.8.9, then
<action application="bridge" data="sofia/internal/$1(a)6.7.8.9" />
however, i don't know which function i should call within the source code
to realize it, could anybody help to advise,
P.S. i know there is existing module “mod_xml_curl” can realize similar
function, however, I could not use it for this case…
thanks a lot!
BR,
Charles
2
2
I am trying to get freeradius to authorize the services on an Alvarion
BreezeMax 5000 system ver 1.7.
I have gotten the cpe authenticated but services are not assigned.
I have downloaded on 1/5/2012 the Master from git.
I modified the dictionary file such that
$INCLUDE dictionary.alvarion.wimax.v2_2 replaced $INCLUDE
dictionary.alvarion
$INCLUDE dictionary.wimax.alvarion replaced $INCLUDE dictionary.wimax
I ran configure using ./configure --with-experimental-modules
I ran make and make install (it compiled, installed and ran)
wimax was uncommented in 2 places in default file
one in the authorize section and one in the post-auth section
(the wimax module indicates there should also be one in the
"preacct" section but I do not find that one nor can I figure where it
should be)
and the following were uncommented in default file
update request {
WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = "%{EAP-MSK}"
}
the following users were defined with these replies in the user file
"wimax1(a)WIMAX.COM" Cleartext-Password := "wimax"
Filter-Id = "SP=sp1:MSF=msf1;SP=sp_data_eth:MSF=msf_data_eth;",
Session-Timeout = 1200, Termination-Action = RADIUS-Request
"KeepAliveUserNameAndPassword" Cleartext-Password :=
"KeepAliveUserNameAndPassword"
Filter-Id = "SP=sp1:MSF=msf1;SP=sp_data_eth:MSF=msf_data_eth;",
Session-Timeout = 1200, Termination-Action = RADIUS-Request
(I don't think I needed the keepalive one but I put it there anyways.)
in the above filters I have tried both with and without a trailing ;
after msf_data_eth and before the " mark
no changes were made in the inner-tunnel file
delete_mppe_keys = yes in the wimax module (I've tried with both yes
and no)
fr seems to work. I see that the Filter-Id is indicated for the reply
(see below).
The Alvarion CPE does get authenticated according to the CPE but there
are no services defined for the CPE
sp1, msf1, sp_data_eth, and msf_data_eth are all defined in the BTS.
What is it that I am missing in configuration of the FreeRadius?
below is a radiusd -X run
FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on
Jan 6 2012 at 15:07:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/sqlippool
including configuration file /usr/local/etc/raddb/sql/postgresql/ippool.conf
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/sql
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/eap
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/utf8
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
proto = "*"
max_connections = 16
}
client 10.97.0.0/24 {
require_message_authenticator = no
secret = "testing123"
shortname = "private-network-1"
max_connections = 16
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
passchange {
}
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/usr/local/etc/raddb/modules/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_wimax
Module: Instantiating module "wimax" from file
/usr/local/etc/raddb/modules/wimax
wimax {
delete_mppe_keys = yes
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Loading virtual module acct_unique
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Loading virtual module remove_reply_message_if_eap
Module: Linked to module rlm_always
Module: Instantiating module "noop" from file
/usr/local/etc/raddb/modules/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
Module: Loading virtual module remove_reply_message_if_eap
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=252,
length=181
User-Name = "KeepAliveUserNameAndPassword"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 0
Calling-Station-Id = "\000\000\000\000\000"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Message-Authenticator = 0x07dfa70c37088f55baade217a16d54fc
Acct-Session-Id = "KeepAliveSessionId"
User-Password = "KeepAliveUserNameAndPassword"
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-00-00-00-00-00
(0) [wimax] = ok
(0) suffix : No '@' in User-Name = "KeepAliveUserNameAndPassword",
looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files : users: Matched entry KeepAliveUserNameAndPassword at line 7
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) group PAP {
(0) - entering group PAP {...}
(0) pap : login attempt with password "KeepAliveUserNameAndPassword"
(0) pap : Using clear text password "KeepAliveUserNameAndPassword"
(0) pap : User authenticated successfully
(0) [pap] = ok
(0) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(0) group post-auth {
(0) - entering group post-auth {...}
(0) [exec] = noop
(0) update request {
(0) expand: %{User-Name} -> KeepAliveUserNameAndPassword
(0) } # update request = noop
(0) update reply {
(0) expand: %{EAP-MSK} ->
(0) } # update reply = noop
(0) wimax : No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.
(0) [wimax] = noop
(0) policy remove_reply_message_if_eap {
(0) - entering policy remove_reply_message_if_eap {...}
(0) ? if (reply:EAP-Message&& reply:Reply-Message)
(0) ? Evaluating (reply:EAP-Message ) -> FALSE
(0) ? Skipping (reply:Reply-Message)
(0) ? if (reply:EAP-Message&& reply:Reply-Message) -> FALSE
(0) else else {
(0) - entering else else {...}
(0) [noop] = noop
(0) - else else returns noop
(0) - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 252 to 10.97.0.51 port 49154
Filter-Id = "SP=sp1:MSF=msf1;SP=sp_data_eth:MSF=msf_data_eth;"
Session-Timeout = 1200
Termination-Action = RADIUS-Request
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = 0x
WARNING: Skipping zero-length attribute WiMAX-MSK
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 252 with timestamp +1
Ready to process requests.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=253,
length=258
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message =
0x02010035017b616d3d317d38656133393239386439386236313839653061616439323539343937303135314057494d41582e434f4d
Message-Authenticator = 0x6a08e376952afbaf0740a456767bfe80
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) group authorize {
(1) - entering group authorize {...}
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(1) [wimax] = ok
(1) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(1) suffix : No such realm "WIMAX.COM"
(1) [suffix] = noop
(1) eap : EAP packet type response id 1 length 53
(1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1) [eap] = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) group authenticate {
(1) - entering group authenticate {...}
(1) eap : EAP Identity
(1) eap : processing type md5
rlm_eap_md5: Issuing Challenge
(1) [eap] = handled
Sending Access-Challenge of id 253 to 10.97.0.51 port 49154
EAP-Message = 0x010200160410d780646d179a777255c505dfbee44ab4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee37a64fee35a255d3718fb2df57c86c
(1) Finished request 1.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=254,
length=229
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
State = 0xee37a64fee35a255d3718fb2df57c86c
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message = 0x020200060315
Message-Authenticator = 0x94447e93f95cc98a8a6c227ccd901efe
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(2) group authorize {
(2) - entering group authorize {...}
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(2) [wimax] = ok
(2) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(2) suffix : No such realm "WIMAX.COM"
(2) [suffix] = noop
(2) eap : EAP packet type response id 2 length 6
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) pap : WARNING! No "known good" password found for the user.
Authentication may fail because of this.
(2) [pap] = noop
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) group authenticate {
(2) - entering group authenticate {...}
(2) eap : Request found, released from the list
(2) eap : EAP NAK
(2) eap : EAP-NAK asked for EAP-Type/ttls
(2) eap : processing type tls
(2) tls : Initiate
(2) tls : Start returned 1
(2) [eap] = handled
Sending Access-Challenge of id 254 to 10.97.0.51 port 49154
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee37a64fef34b355d3718fb2df57c86c
(2) Finished request 2.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=255,
length=285
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
State = 0xee37a64fef34b355d3718fb2df57c86c
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message =
0x0203003e150016030100330100002f0301000006dea50c9829a6d3f565bcdf7456521cc6099d8b828e302b1e2dce4a70e7000008002f000a000500040100
Message-Authenticator = 0xd86dddc0e2ef35284fb32302bf1daedf
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(3) group authorize {
(3) - entering group authorize {...}
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(3) [wimax] = ok
(3) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(3) suffix : No such realm "WIMAX.COM"
(3) [suffix] = noop
(3) eap : EAP packet type response id 3 length 62
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) group authenticate {
(3) - entering group authenticate {...}
(3) eap : Request found, released from the list
(3) eap : EAP/ttls
(3) eap : processing type ttls
(3) ttls : Authenticate
(3) ttls : processing EAP-TLS
(3) ttls : eaptls_verify returned 7
(3) ttls : Done initial handshake
(3) ttls : (other): before/accept initialization
(3) ttls : TLS_accept: before/accept initialization
(3) ttls :<<< TLS 1.0 Handshake [length 0033], ClientHello
(3) ttls : TLS_accept: SSLv3 read client hello A
(3) ttls :>>> TLS 1.0 Handshake [length 002a], ServerHello
(3) ttls : TLS_accept: SSLv3 write server hello A
(3) ttls :>>> TLS 1.0 Handshake [length 085e], Certificate
(3) ttls : TLS_accept: SSLv3 write certificate A
(3) ttls :>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(3) ttls : TLS_accept: SSLv3 write server done A
(3) ttls : TLS_accept: SSLv3 flush data
(3) ttls : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(3) ttls : eaptls_process returned 13
(3) [eap] = handled
Sending Access-Challenge of id 255 to 10.97.0.51 port 49154
EAP-Message =
0x0104040015c00000089b160301002a0200002603014f0756b3dce62ca722a50e1ef6188815d5f205a7f1f1550cd636e1ca0e2c358c00002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3132303130353139303230355a170d3133303130343139303230355a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100de6164aad9c1017d9e98efb9c6b0c22b8ac67c9da076bab014fcbb499f62f405430309f109065166a303815b81ec1bb015e964c845f625c8b22fc19d1543
EAP-Message =
0x69b92fae983c34835cf9928df6143e9bf749f2debeb406522c840f4b3c3163099857afed265426d4208a8e19876c026e2460eaacab04d5e1c2e73b2739ce3fce6db86491016a9b4f4c1b2934f539c3068506092806e0abaae82fa7285df21ca67eafe88ba1d263f7268841e0d360609e8980790063d1197fca1597291bd4433561f36a8e570ea6a530ebf5cc969652d3f09dc1b16bf3b0589f2816056070890f9af6eb9fb1484ba2759bff63410b828f487ecfbccb3f998f93a5b04bcbf7619c564b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101003cb3a57f3a4b668e76
EAP-Message =
0x1f26585c44e14542441630ef39baf247bbbc44c9fa9c0e212f0bebe931803bc2ff7e058a58a1b9a219f9899b7faaa5edb3bd02ba2f68b10bb50d51f29c9172c0ca063b3a13f99ce28d1ebf2df3f4210152202f8b50b0e94fcbb3b5e740f0b9943cc6d7966e568649d0b616a2d9dbd63563414ec7e9e8b792832b90a8d3f01a2d5afa4ba26e1410935f2fd919bc7ee4ac3406c3c8d21a3ecaa0bd4e3c3728f086e8aaa420188e48c67a0f4a59f1f6220857af62cd2392092d87f3527ef37899541dff209215d90cd8f317acfa273945baad0b14e5678ccb9b00c1a599ae17894420d17393cf6d095719d342ba1d941811223e64ab9d0b8d0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee37a64fec33b355d3718fb2df57c86c
(3) Finished request 3.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=0,
length=229
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
State = 0xee37a64fec33b355d3718fb2df57c86c
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message = 0x020400061500
Message-Authenticator = 0xd9761a90cc87c962fd3b1d9ba3d5c37b
(4) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(4) group authorize {
(4) - entering group authorize {...}
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(4) [wimax] = ok
(4) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(4) suffix : No such realm "WIMAX.COM"
(4) [suffix] = noop
(4) eap : EAP packet type response id 4 length 6
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) group authenticate {
(4) - entering group authenticate {...}
(4) eap : Request found, released from the list
(4) eap : EAP/ttls
(4) eap : processing type ttls
(4) ttls : Authenticate
(4) ttls : processing EAP-TLS
(4) ttls : Received TLS ACK
(4) ttls : Received TLS ACK
(4) ttls : ACK handshake fragment handler
(4) ttls : eaptls_verify returned 1
(4) ttls : eaptls_process returned 13
(4) [eap] = handled
Sending Access-Challenge of id 0 to 10.97.0.51 port 49154
EAP-Message =
0x0105040015c00000089b00f7aba20691b7a87b300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3132303130353139303230355a170d3133303130343139303230355a308193310b3009060355040613024652310f300d0603550408130652616469757331123010
EAP-Message =
0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bc30533f96a0877a3280b984b05dd556c5e33278566f1eaba558868fc2260fd162f73679a4fb97ef499d73434ee850cd698de202197a9417c73e613c7a32e9246d979c7cdba7e1cc8b24eb9760fece85a31680a58f4626b89e4b11f86c4ccb9e28ff7728a9e230f0a72da7
EAP-Message =
0x7fd3d2beed58c0263c6044fe8459aca3c1e51f9a95ecdf123ed4b783576dfdcd35cc6f14f3e70902a05fd0b3e069ffbf26eba77e4b01eb9f0892c8affdf80ec03ba2aa1268edb54f349e952c03efbf3e44a2d2517e174a5c0db20e703ce797dd98a1e1415b3654e0cc68a6a335f3905bb93fe92f146f97b6f1cde8dce4f134cf2bf73db5869a9fd31adc0ad68c23eb7a688e20a3d70203010001a381fb3081f8301d0603551d0e04160414c6f2b33fb54c9b615f9cc261e48adbd7c651f5253081c80603551d230481c03081bd8014c6f2b33fb54c9b615f9cc261e48adbd7c651f525a18199a48196308193310b3009060355040613024652310f300d
EAP-Message =
0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900f7aba20691b7a87b300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100b0c9953dd9df2ffa112823d7ceca2bc90bcbe5463161632adfc8d8d86cbc21fa90c3ba769392a4fee11dc2d1f834b44d9fd40f0264f06f657e039352e59e6946c57b0b7723ec446f1ca0f6616cb1
EAP-Message = 0xf882cb62abfb0d6232ed28a9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee37a64fed32b355d3718fb2df57c86c
(4) Finished request 4.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=1,
length=229
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
State = 0xee37a64fed32b355d3718fb2df57c86c
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message = 0x020500061500
Message-Authenticator = 0xef737a5a4bd7ccef3fc0193c76fed73d
(5) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(5) group authorize {
(5) - entering group authorize {...}
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(5) [wimax] = ok
(5) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(5) suffix : No such realm "WIMAX.COM"
(5) [suffix] = noop
(5) eap : EAP packet type response id 5 length 6
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) group authenticate {
(5) - entering group authenticate {...}
(5) eap : Request found, released from the list
(5) eap : EAP/ttls
(5) eap : processing type ttls
(5) ttls : Authenticate
(5) ttls : processing EAP-TLS
(5) ttls : Received TLS ACK
(5) ttls : Received TLS ACK
(5) ttls : ACK handshake fragment handler
(5) ttls : eaptls_verify returned 1
(5) ttls : eaptls_process returned 13
(5) [eap] = handled
Sending Access-Challenge of id 1 to 10.97.0.51 port 49154
EAP-Message =
0x010600b915800000089b3d2597e37be612302c51251c809caf06efe13344d68deb5cfd8abbb0ccb8daabe346f1179e51544bb2960cedde88c033d1f68539aaad5f0078a4144e8441407e8f86570400d136f23320d86712d4dbd9887b5d892b7bf71c7fc3862e967c7f8cbfe752971cd38a7a895000823e4166edfe4442df305d728337b4dcd7e4f6d7be981bf5e48730b79fb5500dd8da4ad2db24cda20ad7723b61dd6526cb5d5f724d15c1d73eef0c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee37a64fea31b355d3718fb2df57c86c
(5) Finished request 5.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=2,
length=557
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
State = 0xee37a64fea31b355d3718fb2df57c86c
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message =
0x0206014c15001603010106100001020100493f1128088cfc52ecfd1411ff5ee55bdf4db01f3fa627cbb785e8bcedff936f3185525d6329b86ba0ef71f41ee7bc889415afa4bc101422f84a68222001fb7cc2f44b26f86ec65a4047ec69a24f1fd60e6fd234d63befb8ae166731c4aec4dbe4fd1c693136679c6b4094bb218908df95caa0ff8ca6d747bb19ba0d6f5471a7ff30d60ebd8937b3ddc561603cf7ef7a316f04044062efb1eccc1b561f6f1f7ad03e62ac3d439c4de799b4f8ba7000f7dcf1c0c6ba15dfdc591d6f82bb112155a8d337f82658c15f9485a363afefb03e023223bdfce2c84e1deb738d1806b90fea9c69bf5b2173125b529224
EAP-Message =
0x0edc306e48ce048e02c2add34f74027fdcfb6e271403010001011603010030ea083b041af212a12ae8ffbd04ad129aad64aa9b57e6b0c8a6bcf22be74cababaaa5c3bcd230bab51d055fee3380a470
Message-Authenticator = 0x5397dd3676e023551a225bcd4c9b4841
(6) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(6) group authorize {
(6) - entering group authorize {...}
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(6) [wimax] = ok
(6) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(6) suffix : No such realm "WIMAX.COM"
(6) [suffix] = noop
(6) eap : EAP packet type response id 6 length 253
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) group authenticate {
(6) - entering group authenticate {...}
(6) eap : Request found, released from the list
(6) eap : EAP/ttls
(6) eap : processing type ttls
(6) ttls : Authenticate
(6) ttls : processing EAP-TLS
(6) ttls : eaptls_verify returned 7
(6) ttls : Done initial handshake
(6) ttls :<<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(6) ttls : TLS_accept: SSLv3 read client key exchange A
(6) ttls :<<< TLS 1.0 ChangeCipherSpec [length 0001]
(6) ttls :<<< TLS 1.0 Handshake [length 0010], Finished
(6) ttls : TLS_accept: SSLv3 read finished A
(6) ttls :>>> TLS 1.0 ChangeCipherSpec [length 0001]
(6) ttls : TLS_accept: SSLv3 write change cipher spec A
(6) ttls :>>> TLS 1.0 Handshake [length 0010], Finished
(6) ttls : TLS_accept: SSLv3 write finished A
(6) ttls : TLS_accept: SSLv3 flush data
(6) ttls : (other): SSL negotiation finished successfully
SSL Connection Established
(6) ttls : eaptls_process returned 13
(6) [eap] = handled
Sending Access-Challenge of id 2 to 10.97.0.51 port 49154
EAP-Message =
0x0107004515800000003b14030100010116030100304d77d31f3558219cd2d5d05b8c42db32a2ce0d6bd1da6e97e38197f17d4eac78e578974e0c3354ea36b515b5476332ab
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee37a64feb30b355d3718fb2df57c86c
(6) Finished request 6.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=3,
length=378
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
State = 0xee37a64feb30b355d3718fb2df57c86c
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message =
0x0207009b15001703010090a94a44a2a1a24b0a0392b385be4c524085fc4dfb58cfba7623fc7c790c2d41fc76e98554be526ca2c8006d0a629f426c5d5c33fe724c6ca3081b7c85e42a4d265a64e46174b8351f823a47031ffb562df9f92c6215742d6a8bde1501cbd573142fc18b05197ceb050886a163d0984703554fb9281a249d8037c2e80197f4fc14eca539d1dfa4058805d16490ba6e92cd
Message-Authenticator = 0x0ea984d0f33d209c0596706209586ebe
(7) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(7) group authorize {
(7) - entering group authorize {...}
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(7) [wimax] = ok
(7) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(7) suffix : No such realm "WIMAX.COM"
(7) [suffix] = noop
(7) eap : EAP packet type response id 7 length 155
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) group authenticate {
(7) - entering group authenticate {...}
(7) eap : Request found, released from the list
(7) eap : EAP/ttls
(7) eap : processing type ttls
(7) ttls : Authenticate
(7) ttls : processing EAP-TLS
(7) ttls : eaptls_verify returned 7
(7) ttls : Done initial handshake
(7) ttls : eaptls_process returned 7
(7) ttls : Session established. Proceeding to decode tunneled attributes.
(7) ttls : Got tunneled request
User-Name = "wimax1(a)WIMAX.COM"
MS-CHAP-Challenge = 0x4ff634da70572b920e78e38be8977202
MS-CHAP2-Response =
0x6c00bb3a20c2232fc139ef8b9c65b557b75400000000000000005bc93665692787af9c594fc9bc1c22709773fbba940e5ba8
FreeRADIUS-Proxied-To = 127.0.0.1
(7) ttls : Sending tunneled request
User-Name = "wimax1(a)WIMAX.COM"
MS-CHAP-Challenge = 0x4ff634da70572b920e78e38be8977202
MS-CHAP2-Response =
0x6c00bb3a20c2232fc139ef8b9c65b557b75400000000000000005bc93665692787af9c594fc9bc1c22709773fbba940e5ba8
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
(7) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) group authorize {
(7) - entering group authorize {...}
(7) [chap] = noop
(7) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(7) [mschap] = ok
(7) suffix : Looking up realm "WIMAX.COM" for User-Name = "wimax1(a)WIMAX.COM"
(7) suffix : No such realm "WIMAX.COM"
(7) [suffix] = noop
(7) update control {
(7) } # update control = noop
(7) eap : No EAP-Message, not doing EAP
(7) [eap] = noop
(7) files : users: Matched entry wimax1(a)WIMAX.COM at line 4
(7) [files] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap : WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) Found Auth-Type = MSCHAP
(7) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) group MS-CHAP {
(7) - entering group MS-CHAP {...}
(7) mschap : Creating challenge hash with username: wimax1(a)WIMAX.COM
(7) mschap : Told to do MS-CHAPv2 for wimax1(a)WIMAX.COM with NT-Password
(7) mschap : adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) WARNING: Empty post-auth section. Using default return values.
(7) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
(7) ttls : Got tunneled reply code 2
Filter-Id = "SP=sp1:MSF=msf1;SP=sp_data_eth:MSF=msf_data_eth;"
Session-Timeout = 1200
Termination-Action = RADIUS-Request
MS-CHAP2-Success =
0x6c533d30413343343445383339364636373237324330443444433632433932413444393239444146314633
MS-MPPE-Recv-Key = 0x9efd76988038d3ccf4f6ab6aa211af6c
MS-MPPE-Send-Key = 0x2b74cab7d6bdc6e763f480864a5c581b
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) ttls : Got tunneled Access-Accept
(7) ttls : Got MS-CHAP2-Success, tunneling it to the client in a challenge.
(7) [eap] = handled
Sending Access-Challenge of id 3 to 10.97.0.51 port 49154
EAP-Message =
0x0108005f158000000055170301005062cd34a1fec097a2061cc98ee4632f597a42ed4cd80a2d7a7e84c06929acba192114c44395bb6e676d6529843c7618fe2ebe29a179e7ed8f1cfa6692e8c775760daca68609f7893158eef62a49fba9eb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee37a64fe83fb355d3718fb2df57c86c
(7) Finished request 7.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 10.97.0.51 port 49154, id=4,
length=229
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
NAS-IP-Address = 10.97.0.51
NAS-Port-Type = Wireless-802.16
NAS-Port = 1
Calling-Station-Id = "\000\020\347a\r\226"
NAS-Identifier = "001001003000096000"
WiMAX-GMT-Timezone-offset = 0
Framed-MTU = 1490
Service-Type = Framed-User
State = 0xee37a64fe83fb355d3718fb2df57c86c
WiMAX-Release = "1.0"
WiMAX-Accounting-Capabilities = IP-Session-Based
WiMAX-BS-Id = 0x303031303031303033303030303936303030
EAP-Message = 0x020800061500
Message-Authenticator = 0xf409f172ed2561c15ab0cbef54e4d1a2
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(8) group authorize {
(8) - entering group authorize {...}
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-10-e7-61-0d-96
(8) [wimax] = ok
(8) suffix : Looking up realm "WIMAX.COM" for User-Name =
"{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
(8) suffix : No such realm "WIMAX.COM"
(8) [suffix] = noop
(8) eap : EAP packet type response id 8 length 6
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) group authenticate {
(8) - entering group authenticate {...}
(8) eap : Request found, released from the list
(8) eap : EAP/ttls
(8) eap : processing type ttls
(8) ttls : Authenticate
(8) ttls : processing EAP-TLS
(8) ttls : Received TLS ACK
(8) ttls : Received TLS ACK
(8) ttls : ACK handshake is finished
(8) ttls : eaptls_verify returned 3
(8) ttls : eaptls_process returned 3
(8) ttls : Using saved attributes from the original Access-Accept
(8) eap : Freeing handler
(8) [eap] = ok
(8) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(8) group post-auth {
(8) - entering group post-auth {...}
(8) [exec] = noop
(8) update request {
(8) expand: %{User-Name} ->
{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM
(8) } # update request = noop
(8) update reply {
(8) expand: %{EAP-MSK} ->
(8) } # update reply = noop
(8) wimax : MIP-RK =
0xa2cd93eabee4a9a935f0933e2f37c957da9234590d87e33821a353a732f73a28696ae2171e51289b41207e8558e941db6193526d4f6b70ebc740e44c08cae189
(8) wimax : MIP-SPI = d57e2db6
(8) wimax : WARNING: WiMAX-IP-Technology not found in reply.
(8) wimax : WARNING: Not calculating MN-HA keys
(8) [wimax] = updated
(8) policy remove_reply_message_if_eap {
(8) - entering policy remove_reply_message_if_eap {...}
(8) ? if (reply:EAP-Message&& reply:Reply-Message)
(8) ? Evaluating (reply:EAP-Message ) -> TRUE
(8) ? Evaluating (reply:Reply-Message) -> FALSE
(8) ? if (reply:EAP-Message&& reply:Reply-Message) -> FALSE
(8) else else {
(8) - entering else else {...}
(8) [noop] = noop
(8) - else else returns noop
(8) - policy remove_reply_message_if_eap returns noop
Sending Access-Accept of id 4 to 10.97.0.51 port 49154
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "{am=1}8ea39298d98b6189e0aad92594970151(a)WIMAX.COM"
WiMAX-FA-RK-Key = 0x9081b1490484318c46d65476645a3ea806798046
WiMAX-MSK = 0x
WARNING: Skipping zero-length attribute WiMAX-MSK
WiMAX-MSK =
0x0d156b72753d155483788273ff85ed2c67c724fc8e5cbcacee65caeaf5cfff7c62b3f42371331bc2efc2694834c80ad4ba4fe730f9b434c4726a22b5c2c39ecb
WiMAX-FA-RK-SPI = 3056434901
(8) Finished request 8.
Waking up in 0.1 seconds.
Waking up in 0.1 seconds.
Waking up in 3.3 seconds.
(1) Cleaning up request packet ID 253 with timestamp +48
Waking up in 0.1 seconds.
(2) Cleaning up request packet ID 254 with timestamp +48
Waking up in 0.1 seconds.
(3) Cleaning up request packet ID 255 with timestamp +48
Waking up in 0.1 seconds.
(4) Cleaning up request packet ID 0 with timestamp +48
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 1 with timestamp +48
Waking up in 0.3 seconds.
(6) Cleaning up request packet ID 2 with timestamp +49
Waking up in 0.1 seconds.
(7) Cleaning up request packet ID 3 with timestamp +49
Waking up in 0.1 seconds.
(8) Cleaning up request packet ID 4 with timestamp +49
Ready to process requests.
4
3
Looking for a bit of advice, I am starting to think I am chasing the
impossible and will have to start to use Realms or proxies to resolve
this issue.
FreeRADIUS 2.1.7
I have multiple LDAP sources, with different suffixes and I have to
take into account the possibility that there may be username overlap
between the two. AA from either one should be OK.
I have two LDAP modules configured. Say uk and fr.
I am happy that the authorize section works:
authorize {
uk {
fail = 2
notfound = 2
ok = 1
}
fr {
fail = 2
notfound = 2
ok = 1
}
}
This gives an authorization if the user exists in either of the LDAP
sources. Auth-Type is being set to LDAP
authenticate {
Auth-Type LDAP {
uk {
reject = 1
fail = 1
notfound = 1
ok = return
}
fr {
reject = 1
fail = 1
notfound = 1
ok = return
}
}
What I hoped this would do is return OK if authentication against
either of the sources worked. This is similar to the duplicate-users
scenario in many ways I suppose.
However (output below) it attempts to do the authentication against
both LDAP sources using the first suffix from the authorisation or
carried over from the first Authentication attempt (I don't know
which).
[uk] performing user authorization for user
[uk] expand: %{Stripped-User-Name} ->
[uk] expand: %{User-Name} -> user
[uk] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user)
[uk] expand: ou=people,dc=uk,dc=com -> ou=people,dc=uk,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as STUFF/STUFF to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=uk,dc=com, with filter (uid=user)
[uk] looking for check items in directory...
[uk] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure
that the user is configured correctly?
[uk] Setting Auth-Type = LDAP
[uk] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[uk] returns ok
** It has found a user "user" in the correct UK suffix, so that is as expected.
[fr] performing user authorization for user
[fr] expand: %{Stripped-User-Name} ->
[fr] expand: %{User-Name} -> user
[fr] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user)
[fr] expand: ou=people,dc=fr,dc=com -> ou=people,dc=fr,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.0.2:389, authentication 0
rlm_ldap: bind as STUFF/STUFF to 192.168.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=fr,dc=com, with filter (uid=user)
[fr] looking for check items in directory...
[fr] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure
that the user is configured correctly?
[fr] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[fr] returns ok
** It has found a user "user" in the correct FR suffix, so that is good.
** Aggregate outcome of the authorise group is "ok". All I need to do
is get a successful Auth against either one of them.
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[uk] login attempt by "user" with password "stuff"
[uk] user DN: uid=user,ou=people,dc=uk,dc=com
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[uk] returns reject
** This is OK - this user "user" is not the UK one, they are the FR one.
[fr] login attempt by "user" with password "stuff"
[fr] user DN: uid=user,ou=uk,dc=com
rlm_ldap: (re)connect to 192.168.0.2:389, authentication 1
rlm_ldap: bind as uid=user,ou=people,dc=uk,dc=com/stuff to 192.168.0.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: uid=user,ou=people,dc=uk,dc=com bind to 192.168.0.2:389
failed No such object
[fr] ldap_connect() failed
++[fr] returns fail
Failed to authenticate the user.
** It has attempted to bind to LDAP using the UK suffix, not the FR
one, so fails where it should not.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 43 to 127.0.0.1 port 59453
Waking up in 4.9 seconds.
Cleaning up request 0 ID 43 with timestamp +3
Ready to process requests.
2
1
We've had some bug reports with not generating the bootstrap certs
(correctly) with some of our packages. I investigated and found two
issues which we've fixed. I would send a patch but our fix is not
generic because it depends on knowing the uid and gid of the server
when either the bootstrap script or the Makefile executes. Here are
the two issues in summary, then I'll follow with detail:
1) Failure to set openssl's $RANDFILE environment variable.
Symptom is "unable to write 'random state'" error.
2) 10 second sub-process timeout when executing bootstrap.
Symptom is incomplete cert generation, failure to start.
Details
-------
1) /etc/raddb/certs/Makefile creates the random file
/etc/raddb/certs/random, it has 0640 permissions. If bootstrap is
run directly by root it's ownership is root:root, if bootstrap is
run by radiusd -X it's ownership is root:radiusd (because that's
the effective uid:gid of radiusd during it's configuration phase)
2) openssl's command line tools use a random file defined by the
environment variable $RANDFILE. if $RANDFILE is not defined it
defaults to $HOME/.rnd. $RANDFILE is often re-written by the
openssl command line tools, when it is re-written it's permissions
are forced to 0600.
3) /etc/raddb/certs/Makefile does not set $RANDFILE, thus openssl does
not use /etc/raddb/certs/random, rather it uses $HOME/.rnd which
because the uid is root is /root/.rnd (on Linux). Also this means
the file /etc/raddb/certs/random is never used nor modified during
cert generation.
This is why we sometimes get "unable to write 'random state'"
because if root's homedir already has a .rnd file radiusd does not
have permission to write it.
See http://www.openssl.org/support/faq.html#USER2
for a complete explanation.
4) When radiusd starts up it needs to read /etc/raddb/certs/random
because it configures openssl to use that file as it's random
file. Because that file is not modified in item #3 and retains it's
0640 permissions there are no initialization problems.
5) However if the Makefile is modfied to fix the problem defined in
item #2 by exporting the environment variable
$RANDFILE=/etc/raddb/certs/random then the openssl command line
tools will rewrite the file with permissions 0600. This causes
radiusd to fail it's initialization because it's running as
root:radiusd and cannot read the random file.
6) We DO NOT want to write any file in $HOME, therefore we must set
$RANDFILE. Also since the openssl command line tools will generate
$RANDFILE there is no point in having the Makefile generate it,
that should be removed. After the Makefile is run it must reset the
permissions of $RANDFILE to 0640 so radiusd can read it.
7) The cert boostrap program is run by the function
radius_exec_program() (in the file src/main/exec.c:74). The
function radius_exec_program() has a hardcoded time limit of 10
seconds for child processes. If 10 seconds of elapsed time is
exceeded it attempts to kill the child process.
Testing the bootstap progam on an i386 virtual machine shows it's
execution duration varies widely, between 5 seconds and 30 seconds.
In fact the openssl dh parameter generation explictily warns:
"This is going to take a long time". Thus it should be expected the
bootstrap cert generation could easily exceed 10 seconds of elapsed
time.
Thus even when all the issues mentioned above are corrected the
bootstrap cert generation will sometimes fail and sometimes succeed
depending on whether it exceeded the 10 second timeout. This
clearly is not acceptable. However it does make sense to limit
child processes to 10 seconds during normal server execution.
In Fedora and RHEL6 we moved the bootstrap cert generation to the RPM
install, thus the bootstrap certs were generated the first time the
RPM was installed, running radius -X did not run the cert
bootstrap. This is preferable for a variety of reasons:
a) You shouldn't need to run the server in debug mode (e.g. radiusd
-X) to get it configured to run the first time, this is clumsy and
confusing to users. The only reason it might not be confusing to
users is the "bootstrap during first debug" behaviour is discussed
widely on the FreeRADIUS mailing lists (and probaby appears in
documentation someplace).
b) It doesn't suffer the permission problems with the random file. But
that's just a fortunate artifact because a package install runs as
root. We should fix those problems irrespective of where the first
bootstrap is run from, in part because sometimes an admin might run
the cert generation manually.
c) The duration of the bootstrap command is irrelevant when run by the
RPM install, it will not be terminated if it exceeds the hardcoded
10 second timeout.
Although there is a good argument for generating the temporary
bootstrap certs during initial package install this may not an option
for the generic FreeRADIUS distribution because it is not package
based, rather it's a configure,make,install sequence. However there is
no reason the bootstrap cert generation couldn't be moved to the
install phase rather than being invoked from a running server in debug
mode.
The RHEL5 version of freeradius2 was packaged prior to moving the cert
bootstrap to RPM install as is currently done in Fedora and
RHEL6. Therefore we only were seeing those problems in RHEL5 because
the problems did not manifest themselves if cert bootstrap was done
during package install.
Necessary Fixes:
----------------
Both the boostrap script and the Makefile need to add this export:
export RANDFILE=random
You might ask why it's necessary to also add it to the Makefile
because the Makefile inherits the environment from the bootstrap
script. But it should be perfectly O.K. to just run make directly,
thus it needs to be defined in both places.
After the certs are generated the newly created files need their
ownship and permissions fixed. We use a uid:gid of radiusd:radiusd for
the server and depend on group permission (gid=radiusd) for files
owned by root. Thus after cert generation the following must be done
(but this is specific to our installation)
chmod 0640 random
chown root:radiusd *
FWIW, In our case the file ownership and permissions only needed to be
fixed if the cert genration was performed manually because when it was
done automatically during RPM install it was done like this:
if [ ! -e /etc/raddb/certs/server.pem ]; then
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap'
> /dev/null 2>&1
fi
Which resulted in the right ownship and permissions (modulo the newly
introduced $RANDFILE which now needs it's permission adjusted)
HTH,
John
--
John Dennis <jdennis(a)redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
1
0
Cheers,
I´m in the testing phase of a freeradius for the EDUROAM federation; local users are working ok authenticated against an AD, but when I proxy for the federation, users loose attributes, like Service-Type = "Framed-User", and is all zeros like "Message-Authenticator = 0x00000000000000000000000000000000". Obviously the request is denied by the federation, while a radtest works fine.
In proxy.conf I have:
realm DEFAULT {
type = radius
authhost = federation_server:1812
accthost =federation_server:1813
secret = xxxxxxxx
nostrip
}
My pre-proxy at the moment is:
pre-proxy {
# files
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
pre_proxy_log
# if (Packet-Type != Accounting-Request) {
# attr_filter.pre-proxy
# }
}
I´ve already tried some approaches and at the moment I am quite at loss of how to tackle this problem. Some ideas?
Best regards,
Rui Ribeiro
Here comes the debugging:
!free
freeradius -Xxxxxx
Thu Jan 5 21:14:05 2012 : Info: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
Thu Jan 5 21:14:05 2012 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Thu Jan 5 21:14:05 2012 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Thu Jan 5 21:14:05 2012 : Info: PARTICULAR PURPOSE.
Thu Jan 5 21:14:05 2012 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Thu Jan 5 21:14:05 2012 : Info: GNU General Public License v2.
Thu Jan 5 21:14:05 2012 : Info: Starting - reading configuration files ...
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/radiusd.conf
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/proxy.conf
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/clients.conf
Thu Jan 5 21:14:05 2012 : Debug: including files in directory /etc/freeradius/modules/
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/smsotp
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/policy
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/counter
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/checkval
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/detail
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/radutmp
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/detail.log
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/ntlm_auth
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/mac2ip
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/perl
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/otp
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/ippool
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/linelog
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/detail.example.com
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/f_ticks
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/attr_rewrite
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/preprocess
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/attr_filter
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/always
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/sql_log
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/smbpasswd
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/files
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/unix
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/ldap
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/sradutmp
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/expiration
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/inner-eap
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/mschap
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/mac2vlan
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/krb5
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/passwd
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/pam
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/realm
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/wimax
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/chap
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/exec
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/expr
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/acct_unique
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/cui
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/opendirectory
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/dynamic_clients
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/echo
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/etc_group
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/pap
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/logintime
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/modules/digest
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/eap.conf
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/policy.conf
Thu Jan 5 21:14:05 2012 : Debug: including files in directory /etc/freeradius/sites-enabled/
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/sites-enabled/teste.iscte.pt
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/sites-available/default
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/sites-enabled/status
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/sites-enabled/default
Thu Jan 5 21:14:05 2012 : Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
Thu Jan 5 21:14:05 2012 : Debug: main {
Thu Jan 5 21:14:05 2012 : Debug: user = "freerad"
Thu Jan 5 21:14:05 2012 : Debug: group = "freerad"
Thu Jan 5 21:14:05 2012 : Debug: allow_core_dumps = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: including dictionary file /etc/freeradius/dictionary
Thu Jan 5 21:14:05 2012 : Debug: main {
Thu Jan 5 21:14:05 2012 : Debug: prefix = "/usr"
Thu Jan 5 21:14:05 2012 : Debug: localstatedir = "/var"
Thu Jan 5 21:14:05 2012 : Debug: logdir = "/var/log/freeradius"
Thu Jan 5 21:14:05 2012 : Debug: libdir = "/usr/lib/freeradius"
Thu Jan 5 21:14:05 2012 : Debug: radacctdir = "/var/log/freeradius/radacct"
Thu Jan 5 21:14:05 2012 : Debug: hostname_lookups = no
Thu Jan 5 21:14:05 2012 : Debug: max_request_time = 30
Thu Jan 5 21:14:05 2012 : Debug: cleanup_delay = 5
Thu Jan 5 21:14:05 2012 : Debug: max_requests = 256000
Thu Jan 5 21:14:05 2012 : Debug: pidfile = "/var/run/freeradius/freeradius.pid"
Thu Jan 5 21:14:05 2012 : Debug: checkrad = "/usr/sbin/checkrad"
Thu Jan 5 21:14:05 2012 : Debug: debug_level = 0
Thu Jan 5 21:14:05 2012 : Debug: proxy_requests = yes
Thu Jan 5 21:14:05 2012 : Debug: log {
Thu Jan 5 21:14:05 2012 : Debug: stripped_names = yes
Thu Jan 5 21:14:05 2012 : Debug: auth = yes
Thu Jan 5 21:14:05 2012 : Debug: auth_badpass = yes
Thu Jan 5 21:14:05 2012 : Debug: auth_goodpass = yes
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: security {
Thu Jan 5 21:14:05 2012 : Debug: max_attributes = 200
Thu Jan 5 21:14:05 2012 : Debug: reject_delay = 0
Thu Jan 5 21:14:05 2012 : Debug: status_server = yes
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: radiusd: #### Loading Realms and Home Servers ####
Thu Jan 5 21:14:05 2012 : Debug: proxy server {
Thu Jan 5 21:14:05 2012 : Debug: retry_delay = 5
Thu Jan 5 21:14:05 2012 : Debug: retry_count = 1
Thu Jan 5 21:14:05 2012 : Debug: default_fallback = no
Thu Jan 5 21:14:05 2012 : Debug: dead_time = 120
Thu Jan 5 21:14:05 2012 : Debug: wake_all_if_all_dead = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: realm iscte.pt {
Thu Jan 5 21:14:05 2012 : Debug: authhost = LOCAL
Thu Jan 5 21:14:05 2012 : Debug: accthost = LOCAL
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: realm teste.iscte.pt {
Thu Jan 5 21:14:05 2012 : Debug: authhost = LOCAL
Thu Jan 5 21:14:05 2012 : Debug: accthost = LOCAL
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: realm NULL {
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: realm DEFAULT {
Thu Jan 5 21:14:05 2012 : Debug: nostrip
Thu Jan 5 21:14:05 2012 : Debug: authhost = 193.136.192.43:1812
Thu Jan 5 21:14:05 2012 : Debug: accthost = 193.136.192.43:1813
Thu Jan 5 21:14:05 2012 : Debug: secret = xxxxxxxxxx
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: realm DEFAULT {
Thu Jan 5 21:14:05 2012 : Debug: authhost = 193.136.192.44:1812
Thu Jan 5 21:14:05 2012 : Debug: accthost = 193.136.192.44:1813
Thu Jan 5 21:14:05 2012 : Debug: secret = xxxxxxxxxx
Thu Jan 5 21:14:05 2012 : Debug: } # realm DEFAULT
Thu Jan 5 21:14:05 2012 : Debug: radiusd: #### Loading Clients ####
Thu Jan 5 21:14:05 2012 : Debug: client localhost {
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 127.0.0.1
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: nastype = "other"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 193.136.188.36 {
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 193.136.188.36
Thu Jan 5 21:14:05 2012 : Debug: netmask = 32
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: nastype = "other"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 10.10.32.25 {
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 10.10.32.25
Thu Jan 5 21:14:05 2012 : Debug: netmask = 32
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: nastype = "other"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 10.10.66.18/32 {
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 10.10.66.18
Thu Jan 5 21:14:05 2012 : Debug: netmask = 32
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: shortname = "nut"
Thu Jan 5 21:14:05 2012 : Debug: nastype = "other"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 10.10.65.0/24 {
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: shortname = "rede1_aps"
Thu Jan 5 21:14:05 2012 : Debug: nastype = "cisco"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 10.10.66.0/24 {
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: shortname = "rede2_aps"
Thu Jan 5 21:14:05 2012 : Debug: nastype = "cisco"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 10.10.32.0/22 {
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: shortname = "eduroam2"
Thu Jan 5 21:14:05 2012 : Debug: nastype = "other"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 193.136.192.119 {
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: shortname = "proxyNacional"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 193.136.192.43 {
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: shortname = "proxyNacional1"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client 193.136.192.44 {
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: shortname = "proxyNacional2"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: radiusd: #### Instantiating modules ####
Thu Jan 5 21:14:05 2012 : Debug: instantiate {
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_exec, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_exec
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
Thu Jan 5 21:14:05 2012 : Debug: exec {
Thu Jan 5 21:14:05 2012 : Debug: wait = no
Thu Jan 5 21:14:05 2012 : Debug: input_pairs = "request"
Thu Jan 5 21:14:05 2012 : Debug: shell_escape = yes
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_expr, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_expr
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_expiration, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_expiration
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
Thu Jan 5 21:14:05 2012 : Debug: expiration {
Thu Jan 5 21:14:05 2012 : Debug: reply-message = "Password Has Expired "
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_logintime, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_logintime
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
Thu Jan 5 21:14:05 2012 : Debug: logintime {
Thu Jan 5 21:14:05 2012 : Debug: reply-message = "You are calling outside your allowed timespan "
Thu Jan 5 21:14:05 2012 : Debug: minimum-timeout = 60
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: radiusd: #### Loading Virtual Servers ####
Thu Jan 5 21:14:05 2012 : Debug: server teste.iscte.pt { # from file /etc/freeradius/sites-enabled/teste.iscte.pt
Thu Jan 5 21:14:05 2012 : Debug: modules {
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking authenticate {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_mschap, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_mschap
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
Thu Jan 5 21:14:05 2012 : Debug: mschap {
Thu Jan 5 21:14:05 2012 : Debug: use_mppe = yes
Thu Jan 5 21:14:05 2012 : Debug: require_encryption = yes
Thu Jan 5 21:14:05 2012 : Debug: require_strong = yes
Thu Jan 5 21:14:05 2012 : Debug: with_ntdomain_hack = yes
Thu Jan 5 21:14:05 2012 : Debug: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --domain=IUL --nt-response=%{mschap:NT-Response:-00}"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_eap, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_eap
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
Thu Jan 5 21:14:05 2012 : Debug: eap {
Thu Jan 5 21:14:05 2012 : Debug: default_eap_type = "peap"
Thu Jan 5 21:14:05 2012 : Debug: timer_expire = 60
Thu Jan 5 21:14:05 2012 : Debug: ignore_unknown_eap_types = no
Thu Jan 5 21:14:05 2012 : Debug: cisco_accounting_username_bug = no
Thu Jan 5 21:14:05 2012 : Debug: max_sessions = 4096
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating eap-mschapv2
Thu Jan 5 21:14:05 2012 : Debug: mschapv2 {
Thu Jan 5 21:14:05 2012 : Debug: with_ntdomain_hack = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to sub-module rlm_eap_tls
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating eap-tls
Thu Jan 5 21:14:05 2012 : Debug: tls {
Thu Jan 5 21:14:05 2012 : Debug: rsa_key_exchange = no
Thu Jan 5 21:14:05 2012 : Debug: dh_key_exchange = yes
Thu Jan 5 21:14:05 2012 : Debug: rsa_key_length = 512
Thu Jan 5 21:14:05 2012 : Debug: dh_key_length = 512
Thu Jan 5 21:14:05 2012 : Debug: verify_depth = 0
Thu Jan 5 21:14:05 2012 : Debug: CA_path = "/etc/freeradius/certs"
Thu Jan 5 21:14:05 2012 : Debug: pem_file_type = yes
Thu Jan 5 21:14:05 2012 : Debug: private_key_file = "/etc/freeradius/certs/server.key"
Thu Jan 5 21:14:05 2012 : Debug: certificate_file = "/etc/freeradius/certs/server.pem"
Thu Jan 5 21:14:05 2012 : Debug: CA_file = "/etc/freeradius/certs/ca.pem"
Thu Jan 5 21:14:05 2012 : Debug: private_key_password = "xxxxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: dh_file = "/etc/freeradius/certs/dh"
Thu Jan 5 21:14:05 2012 : Debug: random_file = "/dev/urandom"
Thu Jan 5 21:14:05 2012 : Debug: fragment_size = 1024
Thu Jan 5 21:14:05 2012 : Debug: include_length = yes
Thu Jan 5 21:14:05 2012 : Debug: check_crl = no
Thu Jan 5 21:14:05 2012 : Debug: cipher_list = "DEFAULT"
Thu Jan 5 21:14:05 2012 : Debug: make_cert_command = "/etc/freeradius/certs/bootstrap"
Thu Jan 5 21:14:05 2012 : Debug: cache {
Thu Jan 5 21:14:05 2012 : Debug: enable = no
Thu Jan 5 21:14:05 2012 : Debug: lifetime = 24
Thu Jan 5 21:14:05 2012 : Debug: max_entries = 255
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: verify {
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to sub-module rlm_eap_ttls
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating eap-ttls
Thu Jan 5 21:14:05 2012 : Debug: ttls {
Thu Jan 5 21:14:05 2012 : Debug: default_eap_type = "mschapv2"
Thu Jan 5 21:14:05 2012 : Debug: copy_request_to_tunnel = yes
Thu Jan 5 21:14:05 2012 : Debug: use_tunneled_reply = yes
Thu Jan 5 21:14:05 2012 : Debug: virtual_server = "inner-tunnel"
Thu Jan 5 21:14:05 2012 : Debug: include_length = yes
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to sub-module rlm_eap_peap
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating eap-peap
Thu Jan 5 21:14:05 2012 : Debug: peap {
Thu Jan 5 21:14:05 2012 : Debug: default_eap_type = "mschapv2"
Thu Jan 5 21:14:05 2012 : Debug: copy_request_to_tunnel = yes
Thu Jan 5 21:14:05 2012 : Debug: use_tunneled_reply = yes
Thu Jan 5 21:14:05 2012 : Debug: proxy_tunneled_request_as_eap = yes
Thu Jan 5 21:14:05 2012 : Debug: virtual_server = "inner-tunnel"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating eap-mschapv2
Thu Jan 5 21:14:05 2012 : Debug: mschapv2 {
Thu Jan 5 21:14:05 2012 : Debug: with_ntdomain_hack = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking authorize {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_preprocess, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_preprocess
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
Thu Jan 5 21:14:05 2012 : Debug: preprocess {
Thu Jan 5 21:14:05 2012 : Debug: huntgroups = "/etc/freeradius/huntgroups"
Thu Jan 5 21:14:05 2012 : Debug: hints = "/etc/freeradius/hints"
Thu Jan 5 21:14:05 2012 : Debug: with_ascend_hack = no
Thu Jan 5 21:14:05 2012 : Debug: ascend_channels_per_line = 23
Thu Jan 5 21:14:05 2012 : Debug: with_ntdomain_hack = no
Thu Jan 5 21:14:05 2012 : Debug: with_specialix_jetstream_hack = no
Thu Jan 5 21:14:05 2012 : Debug: with_cisco_vsa_hack = no
Thu Jan 5 21:14:05 2012 : Debug: with_alvarion_vsa_hack = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_detail, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_detail
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log
Thu Jan 5 21:14:05 2012 : Debug: detail auth_log {
Thu Jan 5 21:14:05 2012 : Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
Thu Jan 5 21:14:05 2012 : Debug: header = "%t"
Thu Jan 5 21:14:05 2012 : Debug: detailperm = 384
Thu Jan 5 21:14:05 2012 : Debug: dirperm = 493
Thu Jan 5 21:14:05 2012 : Debug: locking = no
Thu Jan 5 21:14:05 2012 : Debug: log_packet_header = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_realm, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_realm
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
Thu Jan 5 21:14:05 2012 : Debug: realm suffix {
Thu Jan 5 21:14:05 2012 : Debug: format = "suffix"
Thu Jan 5 21:14:05 2012 : Debug: delimiter = "@"
Thu Jan 5 21:14:05 2012 : Debug: ignore_default = no
Thu Jan 5 21:14:05 2012 : Debug: ignore_null = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_files, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_files
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "files" from file /etc/freeradius/modules/files
Thu Jan 5 21:14:05 2012 : Debug: files {
Thu Jan 5 21:14:05 2012 : Debug: usersfile = "/etc/freeradius/users"
Thu Jan 5 21:14:05 2012 : Debug: acctusersfile = "/etc/freeradius/acct_users"
Thu Jan 5 21:14:05 2012 : Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users"
Thu Jan 5 21:14:05 2012 : Debug: compat = "no"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking preacct {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking accounting {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
Thu Jan 5 21:14:05 2012 : Debug: detail {
Thu Jan 5 21:14:05 2012 : Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Thu Jan 5 21:14:05 2012 : Debug: header = "%t"
Thu Jan 5 21:14:05 2012 : Debug: detailperm = 384
Thu Jan 5 21:14:05 2012 : Debug: dirperm = 493
Thu Jan 5 21:14:05 2012 : Debug: locking = no
Thu Jan 5 21:14:05 2012 : Debug: log_packet_header = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_counter, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_counter
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "daily" from file /etc/freeradius/modules/counter
Thu Jan 5 21:14:05 2012 : Debug: counter daily {
Thu Jan 5 21:14:05 2012 : Debug: filename = "/etc/freeradius/db.daily"
Thu Jan 5 21:14:05 2012 : Debug: key = "User-Name"
Thu Jan 5 21:14:05 2012 : Debug: reset = "daily"
Thu Jan 5 21:14:05 2012 : Debug: count-attribute = "Acct-Session-Time"
Thu Jan 5 21:14:05 2012 : Debug: counter-name = "Daily-Session-Time"
Thu Jan 5 21:14:05 2012 : Debug: check-name = "Max-Daily-Session"
Thu Jan 5 21:14:05 2012 : Debug: reply-name = "Session-Timeout"
Thu Jan 5 21:14:05 2012 : Debug: allowed-servicetype = "Framed-User"
Thu Jan 5 21:14:05 2012 : Debug: cache-size = 5000
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: rlm_counter: Counter attribute Daily-Session-Time is number 11273
Thu Jan 5 21:14:05 2012 : Debug: rlm_counter: Current Time: 1325798045 [2012-01-05 21:14:05], Next reset 1325808000 [2012-01-06 00:00:00]
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_radutmp, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_radutmp
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
Thu Jan 5 21:14:05 2012 : Debug: radutmp {
Thu Jan 5 21:14:05 2012 : Debug: filename = "/var/log/freeradius/radutmp"
Thu Jan 5 21:14:05 2012 : Debug: username = "%{User-Name}"
Thu Jan 5 21:14:05 2012 : Debug: case_sensitive = yes
Thu Jan 5 21:14:05 2012 : Debug: check_with_nas = yes
Thu Jan 5 21:14:05 2012 : Debug: perm = 384
Thu Jan 5 21:14:05 2012 : Debug: callerid = yes
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "sradutmp" from file /etc/freeradius/modules/sradutmp
Thu Jan 5 21:14:05 2012 : Debug: radutmp sradutmp {
Thu Jan 5 21:14:05 2012 : Debug: filename = "/var/log/freeradius/sradutmp"
Thu Jan 5 21:14:05 2012 : Debug: username = "%{User-Name}"
Thu Jan 5 21:14:05 2012 : Debug: case_sensitive = yes
Thu Jan 5 21:14:05 2012 : Debug: check_with_nas = yes
Thu Jan 5 21:14:05 2012 : Debug: perm = 420
Thu Jan 5 21:14:05 2012 : Debug: callerid = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_always, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_always
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "ok" from file /etc/freeradius/modules/always
Thu Jan 5 21:14:05 2012 : Debug: always ok {
Thu Jan 5 21:14:05 2012 : Debug: rcode = "ok"
Thu Jan 5 21:14:05 2012 : Debug: simulcount = 0
Thu Jan 5 21:14:05 2012 : Debug: mpp = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_attr_filter, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_attr_filter
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
Thu Jan 5 21:14:05 2012 : Debug: attr_filter attr_filter.accounting_response {
Thu Jan 5 21:14:05 2012 : Debug: attrsfile = "/etc/freeradius/attrs.accounting_response"
Thu Jan 5 21:14:05 2012 : Debug: key = "%{User-Name}"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking session {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking pre-proxy {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "pre_proxy_log" from file /etc/freeradius/modules/detail.log
Thu Jan 5 21:14:05 2012 : Debug: detail pre_proxy_log {
Thu Jan 5 21:14:05 2012 : Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
Thu Jan 5 21:14:05 2012 : Debug: header = "%t"
Thu Jan 5 21:14:05 2012 : Debug: detailperm = 384
Thu Jan 5 21:14:05 2012 : Debug: dirperm = 493
Thu Jan 5 21:14:05 2012 : Debug: locking = no
Thu Jan 5 21:14:05 2012 : Debug: log_packet_header = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking post-proxy {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "post_proxy_log" from file /etc/freeradius/modules/detail.log
Thu Jan 5 21:14:05 2012 : Debug: detail post_proxy_log {
Thu Jan 5 21:14:05 2012 : Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
Thu Jan 5 21:14:05 2012 : Debug: header = "%t"
Thu Jan 5 21:14:05 2012 : Debug: detailperm = 384
Thu Jan 5 21:14:05 2012 : Debug: dirperm = 493
Thu Jan 5 21:14:05 2012 : Debug: locking = no
Thu Jan 5 21:14:05 2012 : Debug: log_packet_header = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking post-auth {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "reply_log" from file /etc/freeradius/modules/detail.log
Thu Jan 5 21:14:05 2012 : Debug: detail reply_log {
Thu Jan 5 21:14:05 2012 : Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
Thu Jan 5 21:14:05 2012 : Debug: header = "%t"
Thu Jan 5 21:14:05 2012 : Debug: detailperm = 384
Thu Jan 5 21:14:05 2012 : Debug: dirperm = 493
Thu Jan 5 21:14:05 2012 : Debug: locking = no
Thu Jan 5 21:14:05 2012 : Debug: log_packet_header = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_linelog, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_linelog
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "f_ticks" from file /etc/freeradius/modules/f_ticks
Thu Jan 5 21:14:05 2012 : Debug: linelog f_ticks {
Thu Jan 5 21:14:05 2012 : Debug: filename = "syslog"
Thu Jan 5 21:14:05 2012 : Debug: format = ""
Thu Jan 5 21:14:05 2012 : Debug: reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
Thu Jan 5 21:14:05 2012 : Debug: attr_filter attr_filter.access_reject {
Thu Jan 5 21:14:05 2012 : Debug: attrsfile = "/etc/freeradius/attrs.access_reject"
Thu Jan 5 21:14:05 2012 : Debug: key = "%{User-Name}"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: } # modules
Thu Jan 5 21:14:05 2012 : Debug: } # server
Thu Jan 5 21:14:05 2012 : Debug: server status { # from file /etc/freeradius/sites-enabled/status
Thu Jan 5 21:14:05 2012 : Debug: modules {
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking authorize {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: } # modules
Thu Jan 5 21:14:05 2012 : Debug: } # server
Thu Jan 5 21:14:05 2012 : Debug: server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
Thu Jan 5 21:14:05 2012 : Debug: modules {
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking authenticate {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking authorize {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking session {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking post-auth {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: (Loaded rlm_ldap, checking if it's valid)
Thu Jan 5 21:14:05 2012 : Debug: Module: Linked to module rlm_ldap
Thu Jan 5 21:14:05 2012 : Debug: Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
Thu Jan 5 21:14:05 2012 : Debug: ldap {
Thu Jan 5 21:14:05 2012 : Debug: server = "x.x.x.x"
Thu Jan 5 21:14:05 2012 : Debug: port = 389
Thu Jan 5 21:14:05 2012 : Debug: password = "xxxxx"
Thu Jan 5 21:14:05 2012 : Debug: identity = "CN=xxxxx,CN=Users,DC=xxxx,DC=xxxxx"
Thu Jan 5 21:14:05 2012 : Debug: net_timeout = 10
Thu Jan 5 21:14:05 2012 : Debug: timeout = 4
Thu Jan 5 21:14:05 2012 : Debug: timelimit = 3
Thu Jan 5 21:14:05 2012 : Debug: tls_mode = no
Thu Jan 5 21:14:05 2012 : Debug: start_tls = no
Thu Jan 5 21:14:05 2012 : Debug: tls_require_cert = "allow"
Thu Jan 5 21:14:05 2012 : Debug: tls {
Thu Jan 5 21:14:05 2012 : Debug: start_tls = no
Thu Jan 5 21:14:05 2012 : Debug: require_cert = "allow"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: basedn = "cn=Users,dc=xxxxx,dc=xxxxx"
Thu Jan 5 21:14:05 2012 : Debug: filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
Thu Jan 5 21:14:05 2012 : Debug: base_filter = "(objectclass=radiusprofile)"
Thu Jan 5 21:14:05 2012 : Debug: auto_header = no
Thu Jan 5 21:14:05 2012 : Debug: access_attr_used_for_allow = yes
Thu Jan 5 21:14:05 2012 : Debug: rebind = yes
Thu Jan 5 21:14:05 2012 : Debug: groupname_attribute = "sAMAccountName"
Thu Jan 5 21:14:05 2012 : Debug: groupmembership_filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
Thu Jan 5 21:14:05 2012 : Debug: groupmembership_attribute = "memberOf"
Thu Jan 5 21:14:05 2012 : Debug: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
Thu Jan 5 21:14:05 2012 : Debug: ldap_debug = 0
Thu Jan 5 21:14:05 2012 : Debug: ldap_connections_number = 5
Thu Jan 5 21:14:05 2012 : Debug: compare_check_items = no
Thu Jan 5 21:14:05 2012 : Debug: do_xlat = yes
Thu Jan 5 21:14:05 2012 : Debug: edir_account_policy_check = no
Thu Jan 5 21:14:05 2012 : Debug: set_auth_type = no
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
Thu Jan 5 21:14:05 2012 : Debug: rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
Thu Jan 5 21:14:05 2012 : Debug: conns: 0x97a3e38
Thu Jan 5 21:14:05 2012 : Debug: } # modules
Thu Jan 5 21:14:05 2012 : Debug: } # server
Thu Jan 5 21:14:05 2012 : Debug: server { # from file /etc/freeradius/radiusd.conf
Thu Jan 5 21:14:05 2012 : Debug: modules {
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking authenticate {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking authorize {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking preacct {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking accounting {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking session {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking pre-proxy {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking post-proxy {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: Module: Checking post-auth {...} for more modules to load
Thu Jan 5 21:14:05 2012 : Debug: } # modules
Thu Jan 5 21:14:05 2012 : Debug: } # server
Thu Jan 5 21:14:05 2012 : Debug: radiusd: #### Opening IP addresses and Ports ####
Thu Jan 5 21:14:05 2012 : Debug: listen {
Thu Jan 5 21:14:05 2012 : Debug: type = "auth"
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 10.10.32.25
Thu Jan 5 21:14:05 2012 : Debug: port = 0
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: listen {
Thu Jan 5 21:14:05 2012 : Debug: type = "acct"
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 10.10.32.25
Thu Jan 5 21:14:05 2012 : Debug: port = 0
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: listen {
Thu Jan 5 21:14:05 2012 : Debug: type = "auth"
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 193.136.188.36
Thu Jan 5 21:14:05 2012 : Debug: port = 0
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: listen {
Thu Jan 5 21:14:05 2012 : Debug: type = "acct"
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 193.136.188.36
Thu Jan 5 21:14:05 2012 : Debug: port = 0
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: listen {
Thu Jan 5 21:14:05 2012 : Debug: type = "status"
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = *
Thu Jan 5 21:14:05 2012 : Debug: port = 18120
Thu Jan 5 21:14:05 2012 : Debug: client admin {
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 127.0.0.1
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: client admin2 {
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 10.10.32.35
Thu Jan 5 21:14:05 2012 : Debug: require_message_authenticator = no
Thu Jan 5 21:14:05 2012 : Debug: secret = "xxxxxx"
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: listen {
Thu Jan 5 21:14:05 2012 : Debug: type = "auth"
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 127.0.0.1
Thu Jan 5 21:14:05 2012 : Debug: port = 1812
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: listen {
Thu Jan 5 21:14:05 2012 : Debug: type = "acct"
Thu Jan 5 21:14:05 2012 : Debug: ipaddr = 127.0.0.1
Thu Jan 5 21:14:05 2012 : Debug: port = 1813
Thu Jan 5 21:14:05 2012 : Debug: }
Thu Jan 5 21:14:05 2012 : Debug: Listening on authentication address 10.10.32.25 port 1812
Thu Jan 5 21:14:05 2012 : Debug: Listening on accounting interface eth0 address 10.10.32.25 port 1813
Thu Jan 5 21:14:05 2012 : Debug: Listening on authentication address 193.136.188.36 port 1812 as server teste.iscte.pt
Thu Jan 5 21:14:05 2012 : Debug: Listening on accounting address 193.136.188.36 port 1813 as server teste.iscte.pt
Thu Jan 5 21:14:05 2012 : Debug: Listening on status address * port 18120 as server status
Thu Jan 5 21:14:05 2012 : Debug: Listening on authentication address 127.0.0.1 port 1812 as server inner-tunnel
Thu Jan 5 21:14:05 2012 : Debug: Listening on accounting address 127.0.0.1 port 1813 as server inner-tunnel
Thu Jan 5 21:14:05 2012 : Debug: Listening on proxy address 10.10.32.25 port 1814
Thu Jan 5 21:14:05 2012 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.10.65.135 port 46611, id=93, length=184
User-Name = "iscte(a)roam.fccn.pt"
NAS-IP-Address = 10.10.65.135
NAS-Port = 400
Called-Station-Id = "00-0F-7D-39-2A-12:eduroam2"
Calling-Station-Id = "60-C5-47-8B-FF-46"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 13Mbps/6Mbps 802.11n"
EAP-Message = 0x020f001701697363746540726f616d2e6663636e2e7074
Message-Authenticator = 0x2012955096623bb33854fc25a46b8cde
Thu Jan 5 21:14:08 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Thu Jan 5 21:14:08 2012 : Info: +- entering group authorize {...}
Thu Jan 5 21:14:08 2012 : Info: ++[preprocess] returns ok
Thu Jan 5 21:14:08 2012 : Info: [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.10.65.135/auth-detail-20120105
Thu Jan 5 21:14:08 2012 : Info: [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.65.135/auth-detail-20120105
Thu Jan 5 21:14:08 2012 : Info: [auth_log] expand: %t -> Thu Jan 5 21:14:08 2012
Thu Jan 5 21:14:08 2012 : Info: ++[auth_log] returns ok
Thu Jan 5 21:14:08 2012 : Info: ++[mschap] returns noop
Thu Jan 5 21:14:08 2012 : Info: [eap] EAP packet type response id 15 length 23
Thu Jan 5 21:14:08 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Thu Jan 5 21:14:08 2012 : Info: ++[eap] returns updated
Thu Jan 5 21:14:08 2012 : Info: [suffix] Looking up realm "roam.fccn.pt" for User-Name = "iscte(a)roam.fccn.pt"
Thu Jan 5 21:14:08 2012 : Info: [suffix] Found realm "DEFAULT"
Thu Jan 5 21:14:08 2012 : Info: [suffix] Adding Realm = "DEFAULT"
Thu Jan 5 21:14:08 2012 : Info: [suffix] Proxying request from user iscte to realm DEFAULT
Thu Jan 5 21:14:08 2012 : Info: [suffix] Preparing to proxy authentication request to realm "DEFAULT"
Thu Jan 5 21:14:08 2012 : Info: ++[suffix] returns updated
Thu Jan 5 21:14:08 2012 : Info: ++[files] returns noop
Thu Jan 5 21:14:08 2012 : Info: ++[expiration] returns noop
Thu Jan 5 21:14:08 2012 : Info: ++[logintime] returns noop
Thu Jan 5 21:14:08 2012 : Info: # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
Thu Jan 5 21:14:08 2012 : Info: +- entering group pre-proxy {...}
Thu Jan 5 21:14:08 2012 : Info: [pre_proxy_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /var/log/freeradius/radacct/10.10.65.135/pre-proxy-detail-20120105
Thu Jan 5 21:14:08 2012 : Info: [pre_proxy_log] /var/log/freeradius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.65.135/pre-proxy-detail-20120105
Thu Jan 5 21:14:08 2012 : Info: [pre_proxy_log] expand: %t -> Thu Jan 5 21:14:08 2012
Thu Jan 5 21:14:08 2012 : Info: ++[pre_proxy_log] returns ok
Sending Access-Request of id 4 to 193.136.192.43 port 1812
User-Name = "iscte(a)roam.fccn.pt"
NAS-IP-Address = 10.10.65.135
NAS-Port = 400
Called-Station-Id = "00-0F-7D-39-2A-12:eduroam2"
Calling-Station-Id = "60-C5-47-8B-FF-46"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 13Mbps/6Mbps 802.11n"
EAP-Message = 0x020f001701697363746540726f616d2e6663636e2e7074
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3933
Thu Jan 5 21:14:08 2012 : Info: Proxying request 0 to home server 193.136.192.43 port 1812
Sending Access-Request of id 4 to 193.136.192.43 port 1812
User-Name = "iscte(a)roam.fccn.pt"
NAS-IP-Address = 10.10.65.135
NAS-Port = 400
Called-Station-Id = "00-0F-7D-39-2A-12:eduroam2"
Calling-Station-Id = "60-C5-47-8B-FF-46"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 13Mbps/6Mbps 802.11n"
EAP-Message = 0x020f001701697363746540726f616d2e6663636e2e7074
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3933
Thu Jan 5 21:14:08 2012 : Debug: Going to the next request
Thu Jan 5 21:14:08 2012 : Debug: Waking up in 0.9 seconds.
Thu Jan 5 21:14:09 2012 : Debug: Waking up in 2.9 seconds.
Thu Jan 5 21:14:12 2012 : Error: ASSERT FAILED event.c[1181]: "We do not have threads, but the request is marked as queued or running in a child thread" == NULL
Aborted
radius:/home/rui#
4
3
Freeradius is configured to use peap/mschapv2 with Active Directory. We
created the certificate with the required extensions. Windows 7 is working
but Windows XP with service pack 3 is only working when using its Intel
Proset Wireless utility (with and without certicate validation). It does
not work with its native client not even when disabling validation of the
server certificate. We noticed that it authenticates successfully but then
it disconnects.
FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30
2009 at 13:47:58
Sending Access-Challenge of id 56 to 10.2.2.2 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8798165c87a987dbec3195d12e082e4
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.2.2.2 port 1645, id=57,
length=233
User-Name = "testuser"
Framed-MTU = 1400
Called-Station-Id = "00-19-56-B0-90-18"
Calling-Station-Id = "00-1B-77-89-0E-6D"
Service-Type = Login-User
Message-Authenticator = 0x9dd7590ca977a2f03cb76f4b5edbde07
EAP-Message =
0x0203005719800000004d16030100480100004403014f03a34ae5fe3cfedf9316ea7e560abfb58e89c2dae7ae6c6283bffea9acf53c00001600040005000a0009006400620003000600130012006301000005ff01000100
NAS-Port-Type = Wireless-802.11
NAS-Port = 19655928
NAS-Port-Id = "19655928"
State = 0xc8798165c87a987dbec3195d12e082e4
NAS-IP-Address = 10.2.2.2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.2.2.2/auth-detail-20120103
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.2.2/auth-detail-20120103
[auth_log] expand: %t -> Tue Jan 3 18:51:19 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
- Show quoted text -
Sending Access-Challenge of id 57 to 10.2.2.2 port 1645
EAP-Message =
0x0104040019c000000ed816030100310200002d03014f03a28702df642ca5039e264f0b999dc0f70726483fd1c8f098fa7054fb4f4b000004000005ff010001001603010e940b000e90000e8d0005833082057f30820467a00302010202105ed6e6fd6f3ad08e152a3b071ff3a04c300d06092a864886f70d01010505003051310b300906035504061302555331123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311b301906035504031312496e436f6d6d6f6e20536572766572204341301e170d3131313231363030303030305a170d3134313231353233353935395a3081d3310b3009060355040613
EAP-Message =
0x025553310e300c060355041113053738353230310b3009060355040813025458311430120603550407130b42726f776e7376696c6c65311630140603550409130d383020466f72742042726f776e312f302d060355040a132654686520556e6976657273697479206f662054657861732061742042726f776e7376696c6c65312f302d060355040b132654686520556e6976657273697479206f662054657861732061742042726f776e7376696c6c65311730150603550403130e6f73707265792e7574622e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100b3efbe37fee5602fbecf516c5aebcba16b22ae
EAP-Message =
0x87a73ec0f244cc8f51126b32dcf84352246a6edd26ffbf788f1b4d9560cffdd6c3cb1ddb54fdbd3dedfbbf84eba95fb6fff22b6cfaf1edb3c9e80017cfceb0938e0391cd5906fc252c8530608f09c70f289d9227e13a0b797aba45098d992fa7d1e64a24d475523c3541b9fa37f003a917bb407a866172640fdd93545da43c0ad333dd2c2d12acf80351ff022cbfe6b6954de284a7d041a6305bc9064fcbe2151cb2ad90d66004815358423731936a0ece44113921c314d9005d1403aeb9625671669df6bc2514cb88ccece09cc007d1041473662f836ce777873ab58551b5c2a6a9bb4e692fe23fcac4e94b0b0203010001a38201ce308201ca301f06
EAP-Message =
0x03551d23041830168014484f5afa2f4a9a5ee050f36b7b55a5def5be345d301d0603551d0e04160414684f11af8f1e2d124370e48bc48fc76a823b7563300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b06010505070302305d0603551d20045630543052060c2b06010401ae2301040301013042304006082b06010505070201163468747470733a2f2f7777772e696e636f6d6d6f6e2e6f72672f636572742f7265706f7369746f72792f6370735f73736c2e706466303d0603551d1f043630343032a030a02e862c687474703a2f2f63726c2e696e636f6d6d
EAP-Message = 0x6f6e2e6f72672f496e436f6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8798165c97d987dbec3195d12e082e4
Finished request 23.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.2.2.2 port 1645, id=58,
length=152
User-Name = "testuser"
Framed-MTU = 1400
Called-Station-Id = "00-19-56-B0-90-18"
Calling-Station-Id = "00-1B-77-89-0E-6D"
Service-Type = Login-User
Message-Authenticator = 0x1ca2ef2141258b5b61880ea68486371e
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 19655928
NAS-Port-Id = "19655928"
State = 0xc8798165c97d987dbec3195d12e082e4
NAS-IP-Address = 10.2.2.2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.2.2.2/auth-detail-20120103
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.2.2/auth-detail-20120103
[auth_log] expand: %t -> Tue Jan 3 18:51:19 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 58 to 10.2.2.2 port 1645
EAP-Message =
0x010503fc19406d6f6e53657276657243412e63726c306f06082b0601050507010104633061303906082b06010505073002862d687474703a2f2f636572742e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e696e636f6d6d6f6e2e6f7267303c0603551d1104353033820e6f73707265792e7574622e656475820f77616c6c6163652e7574622e656475821077616c6c616365322e7574622e656475300d06092a864886f70d01010505000382010100580d1947654343a850bb6f6fcf396d7896e1cbf3984f9647720c04be79901faf6eefd776d9
EAP-Message =
0x54d61a7b5c1c085c89d86b0b9e3a6249973fc43164deb7cb68f28c27f2fb98a7eb051f102016a904b436245ec3a3acc3a9702238aec914c680bf5df6779002909fb571ba5fa188cc1f0ae8faee1381731e04fb48983fb1771e196471f923f13fd100700bd6ba40f3a622db305b2a78a13b2bd8dc758e341b8fd0e3436e01b656c19a18dcf489aea2e187645a7895f7b31c78ef1cb14afe07bb3328e08a1052b8c2c77416d46085b309a7a0465856f04a4e75b8fdce88ee593d19d62fd6eab34875b0ccd35b3cab55ddb456994e8d78b5af35cf3f80bf630f5c971c0004c7308204c3308203aba00302010202107f71c1d3a226b0d2b113f3e68167643e
EAP-Message =
0x300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3130313230373030303030305a170d3230303533303130343833385a3051310b300906035504061302555331123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311b301906035504031312496e436f6d6d6f6e2053657276657220434130820122300d06092a86
EAP-Message =
0x4886f70d01010105000382010f003082010a0282010100977cc7c8feb3e9206aa3a44f8e8e345606b37a6caa109b48612b369069e3340a47a7bb7bdeaa6afbeb82958fca1d7faf75a6a84cda2067611a0d86c1cac187afac4ee4de621b2f9db198afc601fb1770dbac1459ec6f3f337fa6980be4e238aff57f856d0e74049df62786c79b8fe7712a08f403024063247d40578f54e0547eb6134861f1dece0ebdb6fa4d98b2d90d8d79a6e0aacd0c919aa5dfab73bbca14785c4729a1cac5ba9fc7da60f7ffe77ff2d9daa12d0f4916a7d30092cf8a47d94df8d59566d374f98063004f4c84161fb3f5241fa14edee895d6b20b098b2c6bc75c2f8c63c9
EAP-Message = 0x99cb52b1627b7301
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8798165ca7c987dbec3195d12e082e4
Finished request 24.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.2.2.2 port 1645, id=59,
length=152
User-Name = "testuser"
Framed-MTU = 1400
Called-Station-Id = "00-19-56-B0-90-18"
Calling-Station-Id = "00-1B-77-89-0E-6D"
Service-Type = Login-User
Message-Authenticator = 0x279a6dd0a68ef53a4e4cbafdd3b8fd55
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 19655928
NAS-Port-Id = "19655928"
State = 0xc8798165ca7c987dbec3195d12e082e4
NAS-IP-Address = 10.2.2.2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.2.2.2/auth-detail-20120103
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.2.2/auth-detail-20120103
[auth_log] expand: %t -> Tue Jan 3 18:51:19 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 59 to 10.2.2.2 port 1645
EAP-Message = 0x010603fc1940627f636cd868a0ee6aa88d1f29f3d018acad02030100
Thanks.
2
3
Hi Every body!
I'm setting up an Eduroam infrastructure authenticating through
a LDAP directory.
I conveniently configure realms for local request and remote request
as well.
But, i'm dealing with empty user attribute issue while attempting
to authenticate with the eduroam user. It seems that although the
request is proxied, my server tries to locally check the authorized
attributes of the user against my local ldap server. And since no
such user exists ldap returns : object not found
Thu Jan 5 20:19:26 2012 : Debug: rlm_ldap: object not found
Thu Jan 5 20:19:26 2012 : Debug: search failed
Thu Jan 5 20:19:26 2012 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jan 5 20:19:26 2012 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Thu Jan 5 20:19:26 2012 : Debug: ++[ldap] returns notfound
Next, my server proxies an other request with empty attributes
certainly resulting from the previous object found result :
Sending Access-Request of id 144 to 193.190.198.59 port 1812
User-Name := ""
User-Password := ""
Service-Type := Authenticate-Only
Message-Authenticator := 0x00000000000000000000000000000000
NAS-Identifier := "Status Check. Are you alive?"
Thu Jan 5 20:19:47 2012 : Debug: No response to status check 3 from home server 193.190.198.59 port 1812
What may have been misconfigured ?
Note : The home server is alive since i test it through radtest command
Please see here in attachment the log of user authentication attempt
Thanks for your help.
Eric ATTOU
3
2
I'm doing tests using authentication eap-tls and freeradius response with Acces-Accept, but internet connectivity is practically nil.. Which can be the problem? Previously had a warning "compatibility certificate".. And I'm doing the tests from the same machine you configure freeradius.. Help please!!
Thanks..
Enviado desde mi dispositivo movil BlackBerry® de Digitel.
2
1
>
> Hi,
>
>> to authenticate with the eduroam user. It seems that although the
>> request is proxied, my server tries to locally check the authorized
>> attributes of the user against my local ldap server. And since no
>> such user exists ldap returns : object not found
>
> use unlang to put a protection wrapper around your ldap eg
>
> if (%{realm} == /yourrealm.com/){
> ldap
> }
I solved it in the users file:
DEFAULT Realm == "yourrealm.com", Ldap-Group == "your_ldap_group"
Service-Type = "Framed-User",
Reply-Message = "Eduroam instuition",
Framed-MTU = 1300,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = "xxxx"
1
0