Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2012
- 110 participants
- 136 discussions
>
> ------------------------------
>
> Message: 2
> Date: Tue, 24 Jan 2012 13:53:10 +1100
> From: Claude Brown <Claude.Brown(a)vividwireless.com.au>
> Subject: RE: Cannot control attribute ordering via "rlm_perl"
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID:
> <5D6D54E9C21AB94EB5620F1078C21C14379D535B98(a)POSTOFFICE01.UNWAust.local>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Bjorn,
>
> Thanks.
>
>>
>> You don't even need to be that careful. Just run a read-only mysql
>> slave instance locally on the radius server and all mysql-related
>> performance problems will vanish.
>>
>
> We didn't try this.
>
> Our design goal is:
> - 250K users all needing to get on the network at the same time
> - each user performing 7 authentications during EAP negotiation
> - one hour duration to get everyone sorted
>
> This is about 486 authentications per second. I'm sure that a MySQL configuration can be constructed to achieve this, but I'm not confident it would be a simple setup. In contrast, the "files" module easily does this with a trivial configuration.
>
> In any case, assuming MySQL can be configured appropriately, I believe the thread-loss stability issue we experienced with high authentication rates would remain. See my longer reply to Alan for more details.
>
>>
>> If you do mysql accounting: use buffered-sql aka decoupled-accounting.
>> It won't fix the performance issues on your accounting mysql-server, but
>> it will decouple the radius server from any such problems.
>>
>
> Yes, we did use this feature to move the accounting backlog from the radius clients into the on-disk buffer.
>
> However, as you note it doesn't solve the accounting performance issues on the database. This was a significant issue for us as we are only able to learn the customers IP address (needed for many business processed) from the "accounting start" request. If this is delayed due to an avalanche of requests it affects customers in certain business states.
>
> We were able to gain a significant performance improvement over and above "rlm_sql" accounting by writing the essential data to a flat-file and then batch-loading that into the SQL database.
>
> The improvement came down to SQL transactions - the batch load only created one transaction for 1000's of accounting events rather than one transaction per event.
>
> Cheers,
>
> Claude.
>
Cheers,
I too have used MySQL in DHCP configurations with some non-expected behaviours. Out of curiosity, have you ever looked at using OpenLDAP? Performance wise it seems a better solution than MySQL?
Regards,
Rui Ribeiro
1
0
>
>
> Message: 3
> Date: Tue, 24 Jan 2012 08:23:45 +0100
> From: NdK <ndk.clanbo(a)gmail.com>
> Subject: Re: LDAP Group assign to vlan after AD user authentication
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Message-ID: <4F1E5C81.9080209(a)gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Il 23/01/2012 14:48, Arnaud Loonstra ha scritto:
>
>> But I reckon you could also do something like that in post-auth section
>> if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>> update reply {
>> Tunnel-type = VLAN
>> Tunnel-medium-type = IEEE-802
>> Tunnel-Private-Group-Id = 1
>> }
>> }
> I think it could be possible to do the same using exec, a script and
> wbinfo... Just still don't know how.
> With
> for T in $(wbinfo --user-domgroups `wbinfo -n <ADusername>`) ; do
> wbinfo -s $T;
> done
> I can get all AD groups <ADusername> is into. Checking group membership
> would be even easier. But how do I set Tunnel-Private-Group-Id from an
> exec-ed script?
>
> BYtE,
> Diego.
>
I checked it up with modifying the ldap module and then using the users file, at least for non-roaming users. Found out also by trial and error the output of wbinfo is not consistent.
Best regards,
Rui Ribeiro
1
0
Thank you for the help. In addition to removing the unix option from the /sites-available/default authorize section, I also had to remove the 'encryption schema = "ssha"' from /modules/pap in order for it to work. I was also able to comment out "password_attribute = userPassword" from modules/ldap again and it still works. Just figured I would send this to let others trying to do the same thing that I made some unnecessary changes but it works now. Now lets see if I can keep it working when I add my WPA to do the authentication.
1
0
Any advice on a segfault situation...?
Jan 23 13:29:17 LX800476 kernel: [1366692.780725] freeradius[23459]:
segfault at 8 ip b7461326 sp b5105988 error 4 in
libc-2.7.so[b7403000+155000]
Running a backports verison of freeradius on Debian Lenny:
2.1.10+dfsg-2~bpo50+1, 2.6.26-2-686 on Vmware ESX cluster.
I cannot reproduce it on a test server and it only happens in
production. Probably a load thing...?
I could upgrade to current stable version in git, I could upgrade the OS
(Lenny to Squeeze). Debugging from this backports version seems an
impossible road? Or I could install the -dbg version and perhaps run the
server in a screen session? However I have experienced it won't crash if
run in debug mode (-X). I reckon in -X it is run in single threaded mode?
Rg,
Arnaud
5
6
Hi all.
I think I'm near to correctly configure my server... but I incur in a
situation that IIUC should be related to win clients only: I get
-8<--
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x6ac8f8c260c3e171 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-8<--
message and *eapol_test* (run from a *linux* machine!) gives up after
about 10 seconds.
I checked the FAQ, but couldn't find anything useful.
The certs I'm using are from internal CA (actually from an internal
intermediate CA, cert chain is certs/ca.pem and is 4.5k; root CA's
self-signed cert is pointed by ca_cert= in eapol_test's config file).
Server is a plain Debian Squeeze, plus SAMBA 3.5.6 and FreeRADIUS 2.1.10 .
Domain is correctly joined and winbindd is running.
I followed steps described in
http://deployingradius.com/documents/configuration/active_directory.html
(then noticed that the two references to ntlm_auth in authenticate
sections aren't needed for mschapv2: ntlm_auth gets called by mschap
module).
The complete output from freeradius -X is:
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14
2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/passwd
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 137.204.65.161 {
require_message_authenticator = no
secret = "testing123qaz"
}
client 137.204.65.96 {
require_message_authenticator = no
secret = "testing123qaz"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = no
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{User-Name:-None}}
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=0, length=154
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0200001c01504552534f4e414c455c646965676f2e7a75636361746f
Message-Authenticator = 0xc68141559c87212c55a2b2741272d0dd
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 137.204.65.96 port 37126
EAP-Message = 0x010100160410dc4a25c479305ea4fe8c21f192a4dca4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683543ee6c2a6e7507d0df55eb21
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=1, length=150
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0x43ef683543ee6c2a6e7507d0df55eb21
Message-Authenticator = 0x4edf220dd0140e17c8aa0857f1b5e29d
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 137.204.65.96 port 37126
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683542ed712a6e7507d0df55eb21
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=2, length=362
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020200da1980000000d016030100cb010000c703014f16ccffb3c34f03f4a77654249ab0c21036cd3ece504dc05416ca3a2aea6a2900005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
State = 0x43ef683542ed712a6e7507d0df55eb21
Message-Authenticator = 0x4c68e829881215fc01e273ba9cf55d20
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 218
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 208
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00cb], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 11ab], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 137.204.65.96 port 37126
EAP-Message =
0x0103040019c00000138116030100310200002d03014f16ccfd1c402dae323a0ef21e5d8a5afe0821a5d3dda9f1705e28a95d80f6f9000039000005ff0100010016030111ab0b0011a70011a40004d6308204d2308202baa003020102020112300d06092a864886f70d01010505003081ba310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d69613120301e06035504031317417374726f6e6f6d6961202d20
EAP-Message =
0x434120536572766572733122302006092a864886f70d0109011613646970617374722e736940756e69626f2e69743020170d3131313130383030303030305a180f39393939313233313233353935395a3081bd310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d6961312330210603550403131a7261646975732e617374726f6e6f6d69612e756e69626f2e69743122302006092a864886f70d0109011613
EAP-Message =
0x646970617374722e736940756e69626f2e697430819f300d06092a864886f70d010101050003818d0030818902818100c1c3b4a6e9b5fce7249f5440a7511ece035a791f3f621a91d6acbbbb5798f2f1ead6707f98fbeafe84b1593dd3a3794c69b43bff8314a380f52a44db1260043aea665a33823ef1772256b84440d6133ef83f7f2c38b5faf7f1643263c305d7c0fc140c5775b4ea392689908388fa8b973e1e58eb51512e695a011a6d01a3bf970203010001a360305e300c0603551d130101ff04023000301d0603551d0e041604146da6e750d66a1d54e6bbd913a5d85f72e4107999300b0603551d0f0404030205e0300f0603551d11040830
EAP-Message =
0x06870489cc4163301106096086480186f8420101040403020640300d06092a864886f70d0101050500038202010044824e99f11f014714ccfbccd8cba334673d130458ed773eb9fcf1749119e6cbdbbf6195b3e4985e0feaf58ee9f3c2dd284c2b44c5234d23b9428967b822917a65176be6b47985c4ba224df66a5f3b8627f855b53a867e7c8148327dbd43558c9352dc61fbdf59c0570118c2c3c6bc191198b2fa3dc5b4f3cf07b26c1245016c75823bd3e8ea1bd2c7a1dc3fda0ae658ea9a6609a0120f51bd34c64d82b2d094cd3ed063efc2272d0bf6d9440021b9c6827f561656de9b9197c76fc8597ac7b2ac50cd259cdf6145ff80951bdb41a0
EAP-Message = 0xf4833fe432eb73f52556205b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683541ec712a6e7507d0df55eb21
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=3, length=150
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0x43ef683541ec712a6e7507d0df55eb21
Message-Authenticator = 0xe97e4b03dcea854e92f7807e5a1fec21
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 137.204.65.96 port 37126
EAP-Message =
0x010403fc194013bef304b9b36fd11da95506f7d0ab98d840cc7954ad54619d25a1c07b212902891f1794db9f34496061f993fc975d3383950d58532953b20a516368420d7a1e7b6aaf99cdd32751ea6284092c12b409661afd56165ba3631aceb357115c0de589b66b975930ec93b4f5b1f3bb61858933eb89948a83c0c36d04dd42b59be638427449adba16a390966e64142fc1ba27dba01edd849b8ec8b4ccbbc794c32b0d810a246a8474e0f6b1e49f5cbc8989187f88dd3236507943a11c9ef419c54f05087b6bb0d33e6cb8ee517969594ff8b5e645141c9728786e4d5cb7442bc1ea464003af25294dc9f995b66fe32f25d057592181ef6e91d0
EAP-Message =
0xe7d75768520aef64038d6fba149898a05526ceadd05589b6dde0088d47baff4351da66d5f9f1f40ed2e3b31d09d00006643082066030820448a003020102020102300d06092a864886f70d01010505003081b7310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d6961311d301b06035504031314417374726f6e6f6d6961202d20526f6f742043413122302006092a864886f70d0109011613646970617374
EAP-Message =
0x722e736940756e69626f2e6974301e170d3131303431333130333730305a170d3231303431333130333430305a3081ba310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d69613120301e06035504031317417374726f6e6f6d6961202d20434120536572766572733122302006092a864886f70d0109011613646970617374722e736940756e69626f2e697430820222300d06092a864886f70d0101010500
EAP-Message =
0x0382020f003082020a0282020100c9a65b653687e1f4bf0d007c1b3aae71b27e2ff3b067da0b00dfbcbf0caf2c00604895c08456621a269599dcc830617f93d9c1deab2811dfd06be62d67b54ca64a5949b6bd8497ec291da11d93f2a2e587db880d812a98c5fda02b3679a241c7cdce479bbc700f03838935a1c53798e14992dce210fad9e9ba9bfd11dc190b32974bd4be6ae0df5c7dce19c7361a16457a3ca455d03d5cdc779d16683f7341e91aecc7700d227730e266b59b9c7e60b44d40a65bbfec45ba31ec7b02123c27edf85863965edf64b3baf16fc717fff7a1e3e836cce5af3998c1f652b61e94ad3c0d929b94dc29a23cf4a4756c786055
EAP-Message = 0x57c1c75cb275e2dc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683540eb712a6e7507d0df55eb21
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=4, length=150
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0x43ef683540eb712a6e7507d0df55eb21
Message-Authenticator = 0x9e08902da5fd2b646400ed4b41e91a21
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 137.204.65.96 port 37126
EAP-Message =
0x010503fc1940497db7ae62ebca425e91325041df3a0972986b9982f7371bd4b07e006d76de0b75c503345e77d85993d80e68402d8066603ccf88e2a2d326c6ebc6a7af4ee4fc20e5e9db1d9453305b2ed641b1aa87eeaebd1f19a814b71b8b217f93de4891037d8ace80d28d00228cacb32fac30040ee1d17085b30fdbc11703f26fec9db2e33c058fcbbd69e6504b2bd43b292c32f1b1848892dd33e3439d7f1d3e4375e030ec9be5a2ef407d6d85591c43208690b9c257bdb61e0b6e68b9bf1359ea4d08b11ba6a90019e964b3190c4005bf032c72408d3ae0c1b87fa069ed65c7cc25e0de88ab5b723cc11a10d0bc6c6e2e48f11e1c2c8932bb35bc
EAP-Message =
0x5bdaf7c2cc256a9dc7993d847f302df8eccf0203010001a3723070300f0603551d130101ff040530030101ff301d0603551d0e04160414bb0d326895f83bd24f85fcfaeabee6cc8a5e5686300b0603551d0f040403020106301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d0101050500038202010069f6c733df3066b2cf7705a1f4deb879d2c43ccab1b3d44fb22287067333f0517f99f9a07f62b5978fa9e902900370d50c0564d7855beed40c88831d65d07ca6698d4ee10305e0c488e88c1edd57ff1c02a0679cab0af5417459f650aeef
EAP-Message =
0x63d5f84fe63dccfc660b1381be5b08341ae7c60ac2c7a5ae1804c253c108bae37c3841472c01cc4fdff69ec7f4636dd47d07836933d9d00cfd445419d2877c82e0a8cea2da6b1f03cd1c583a0873cfa4570ec0aff784d75f5524b66ddf3b0ea2d76d2d51d665c8976babf7fabf17898b3863a6046de6c4e577a726531a141a298c901279807ec540bb6bd07421c74b5ee3e7c0b0002e41e8ae1466b53026a26f95bfa23ae5b3d8b8cdb4bc559a180ffb6bfe375900350f2828889e3c7534fd0efd544b2784efe655c6d8c6fb6d3afe60c877533bef905dca4eacf5a049d76e9f8276cd0eccabc0eccdb1e1e84652ebc8fe6336de3cb78cdb2972929135
EAP-Message =
0xc1fb48eb425e4cbadee88635e5d31cd6f92e459a8060931ca72220f652ecdb6158e6a8362f958d3cda07254a07fa4ead61be4c045ea160919d6b54425411f8871810b5ec45fe79cd08c696dd86f561b15fc6e990d40c14876cb49be71ddbe5a0e884a7a9f418f3a900d72287f2749d4d7a3110aab60298f2b187d3b2e4240ddebdbc520cfa91ddf780f8ab925af7685f5d226b696b58a84a9337b192147712f03b9bd36b320006613082065d30820445a003020102020101300d06092a864886f70d01010505003081b7310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c
EAP-Message = 0x060355040a131555
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683547ea712a6e7507d0df55eb21
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=5, length=150
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061900
State = 0x43ef683547ea712a6e7507d0df55eb21
Message-Authenticator = 0x91d8e3c1b56da793b962e80700e26bf2
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 137.204.65.96 port 37126
EAP-Message =
0x010603fc19406e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d6961311d301b06035504031314417374726f6e6f6d6961202d20526f6f742043413122302006092a864886f70d0109011613646970617374722e736940756e69626f2e6974301e170d3131303431333130333430305a170d3231303431333130333430305a3081b7310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b
EAP-Message =
0x131a446970617274696d656e746f20646920417374726f6e6f6d6961311d301b06035504031314417374726f6e6f6d6961202d20526f6f742043413122302006092a864886f70d0109011613646970617374722e736940756e69626f2e697430820222300d06092a864886f70d01010105000382020f003082020a0282020100b572b5d8c13ea37504ee78aa1797f2fd41bae7fcdbbe347b2e82ccb435e534ba0f3a86e855325864418e9a257c6ba9a235490a863d975525a0c61686bacc4c6a2bd72ae802168723c92e69ec9c607c14bab310d68a22d50bc26b67256530554e90110e50adda28f09bb2eb39287b0515b3d5647d28d45de0f483998a15
EAP-Message =
0x71276b02173ab7fcf982697be48847eafd4f3b2a82dc48be9d5a1b5099e012455d40694118097125da6ffb233804f7cae4df233d8269c94afe552d1df57e941087cd758d3bf1a84716470b1d163e61de926f76b1d8a593484ba9e2d9a6f2dbfd2bbe6eaf0297b491c7d2963e497759c90439ef565dbb9ca07afd7acdcd4637652ab48cd2c0d0b71f84881788b1314b40d43e67729cfdefa44d078f16bbf423da10a0cc0911f46afb31ef3c9e03e2fe84808249bd9d58129a6977643b0b2ff1836c41c7f9df69879ecd99a8aacfc951d49dbf311e51ffa4b69f4ce2c0a0c1315d15c0b2c25ed37ef40dd9a1205adce6ce1a45c4e17623d4347025e11e9a
EAP-Message =
0xa3284539579fce75d6bb213cb35fd75b22fa9764c34521f8e1f7eca57effa5c78145ab38278e73a25e4ab9e02da62ebe6560a65e4e9e92d35766f7aafc516acc177dbd84e56415f23b93832120a851a012534bf744c46bf37f7258f99697f7d9c7bbad728d63c7dec47b6a9cf6e1288d04e15c8d308296e645517fc297564d06d4e9c76715f10203010001a3723070300f0603551d130101ff040530030101ff301d0603551d0e04160414c82d02f0845d318f4982f8ee767edf32386b435d300b0603551d0f040403020106301106096086480186f8420101040403020007301e06096086480186f842010d0411160f78636120636572746966696361
EAP-Message = 0x7465300d06092a86
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683546e9712a6e7507d0df55eb21
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=6, length=150
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020600061900
State = 0x43ef683546e9712a6e7507d0df55eb21
Message-Authenticator = 0x077edb2d3f7d2398c30c8ca6cfcd209c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 6 to 137.204.65.96 port 37126
EAP-Message =
0x010703af19004886f70d010105050003820201008e9eed3d5cab551c140a2f7a7dc07e8343a21484b60e617e7f9642923c8b976534393d89c5ca72ba6388e878f730f2c45e327b3e05b6bcc3d1d168f06964d9b65c3a6e57c6c376a3b571c092ad0361b0dc4c9bde733f918c41dda48051dff54a7f28616bec00e865abf462533cfd0313a0ddc716844075ed48821e50527728527548ace4f8fa1e6fba70e0bfdb68f5047e4873ebe08cd10874d51823b780ca1406d1c0e864c866888a61cffe76a81e521bbb95be971095789fa1a05b349060e38f543a94372060c15db0eceb71e6e901554a65a98ff82fb5e015af6c3f359aefce149108ba56832a76
EAP-Message =
0x0ccbf811a7b147b57abe282b2f976b874e5d874b4e68b6049f823747eaa603b1d49386876d3f30ce48cb824a34f3334ed56fd85b6b0c52839cda6fffd8a4e58612e29ab9e4790c71dcfaab93a7ba27906745479013f71482d1847cdc32a157fb224a4967d12442112d1d4cb5b27d855399b36e7a6094945cd0dd1d62c8f5b12c44577fc41ec88148a936bffc4155e2471052751decb392dc9ac949b6b571919fb73e06e2cf9fa49f651d690cb2fdd28e4fe9eac7d69e83687a361ced306d185a7c33847c4b11e898a56b46bd6cf06e91a13e77830347dce154020c99b3b1137d6eaaa9bb3e986ad58658cac5325e3205fe1e1aa40f4376ebad56e32738
EAP-Message =
0xaf4629f89f2260261926dbef1e7b538135e845ea5a3f30ca58bc160301018d0c000189008086af5afd81c88476eb4edc6626f30532fc1c25e7fada2ff7f4e984cc33c8f686d5e84b9280c055086728ae16e62b8290c7b385605b8d78891b76b90c6f4079994972d901ff1808add6780846d0764e95394517eee4210bec51c4c21ea3585ed5ccb42f551589f73c5edaec4e85096cfcb129515e33580e35c65bc9a884774f73000102008057e7a7868b2f9d6622e844bcd694740942fc76f79eafdeb7e5a28d52410ef7f5b9995ee56f8b65bed8de7a5bc66e648a48375658ce1ce1554f56b09c98863fde3c626d9e2384cc540ec794038e1d768d7b4676
EAP-Message =
0xb7377cd6c3e2bc0560065d66f46f1cf1802f5c5c309ef2d7156c4709fc094fe932a2e4f553aff9247e6cc8d1d60080209fb36f0a4e491d426154c9f662928c6445de6500998cb2b80a31771909359d6937b561e921877fb7632e2dce99a514c758abcad7e532a631a5beea379bec1cb119ae9a8fca9d8e876737f7077dbccacc5602f69445d55c5854c39e44dbb7f587d6333461ca65b220927bcbfdc01ca1c61d49a0145e663b6c763d233c29516816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683545e8712a6e7507d0df55eb21
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=7, length=352
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020700d01980000000c6160301008610000082008058cb301e009d8318a60397ed75c8861dd36756ba2532b32838c82c63fa01249f74e1c82e7135b99af9f09cbaa421dd2ce762f4ee6cd653997fa66efb83e6eaf0c759aa67254341e7757487383ca57593ad791519575b775f4621f717f33504c13fdb6d446ce886d493c4a90d876de51c7fc2c13e25ec6e5ab26fad4279f7db7614030100010116030100300dede37dfec28dc8fa13099ce8dfaf7fcb620f48ac259780509a498d305d802212a9e74110e87c0de8945581b1b76d41
State = 0x43ef683545e8712a6e7507d0df55eb21
Message-Authenticator = 0x914cd62018f2bacb1b5e43844427bfe2
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 7 to 137.204.65.96 port 37126
EAP-Message =
0x010800411900140301000101160301003077355cb0da486b0aea4ca9ed045399695f9f681ed77edc1ced530c75ee8779af5a6e22760acf506e1ff11ff69292a1c0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683544e7712a6e7507d0df55eb21
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=8, length=150
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020800061900
State = 0x43ef683544e7712a6e7507d0df55eb21
Message-Authenticator = 0x95f257485417d82e8bf94ed289656605
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 8 to 137.204.65.96 port 37126
EAP-Message =
0x0109002b1900170301002011b3a4baaef394361a7512b0601adb69cd64e7af2263a874925458c57cbb06d5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef68354be6712a6e7507d0df55eb21
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=9, length=240
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0209006019001703010020ca89e914288890073989835b87135e61d123f1b99c9e9dbb59bd00e538fe267017030100303a5233f9f866703fc729d93881a51dfafcf7c271b58e4ad2025ca975dc66e1f50926ecc360a99ed05e0484657b041e79
State = 0x43ef68354be6712a6e7507d0df55eb21
Message-Authenticator = 0x53a08dffdbbacff3b1b6fba2481f6a23
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - PERSONALE\diego.zuccato
[peap] Got inner identity 'PERSONALE\diego.zuccato'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message =
0x0209001c01504552534f4e414c455c646965676f2e7a75636361746f
server {
PEAP: Setting User-Name to PERSONALE\diego.zuccato
Sending tunneled request
EAP-Message =
0x0209001c01504552534f4e414c455c646965676f2e7a75636361746f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "PERSONALE\\diego.zuccato"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010a00311a010a002c107cfe362585aadb4fa23845b02bcfe01d504552534f4e414c455c646965676f2e7a75636361746f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd1443252d14e285c0e8360ebb6b84386
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010a00311a010a002c107cfe362585aadb4fa23845b02bcfe01d504552534f4e414c455c646965676f2e7a75636361746f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd1443252d14e285c0e8360ebb6b84386
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 9 to 137.204.65.96 port 37126
EAP-Message =
0x010a005b19001703010050f9cbc0b02898cb8b33b5aadcf2e5d786e51996bf476af50b8bac872bf606a14a926337af4751a874a5d9847d53369d80d8176dcc4b04a7d78c9d24b8793710676b922857e73b358ee7614e9ff31ff80a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef68354ae5712a6e7507d0df55eb21
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 137.204.65.96 port 37126,
id=10, length=304
User-Name = "PERSONALE\\diego.zuccato"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020a00a01900170301002008596c1f4e70f289a40e621c9dcf0ca40054e79c53f3e2388597359078fe736f1703010070f7b6bde3723b7339008514fd27e63539ac816a7ad2b544ba51e6d690a98eb2985001bb97e6f4ece90a0f0ce5f8680c419e69036afd840b4d9db82fbf2d7f23ec150e3f114d9dfa21a178c3fe04182c840280a7c9a3881db001030c51d19214a245322d9693b21991dc342a7c361803e6
State = 0x43ef68354ae5712a6e7507d0df55eb21
Message-Authenticator = 0x87426031892e2deae424d6c68b5add28
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 160
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020a00521a020a004d315a07b47ea772821852bfa4a104f82bda000000000000000060eb877432cb1abb8ee542673b52a0350cf856409285d6ac00504552534f4e414c455c646965676f2e7a75636361746f
server {
PEAP: Setting User-Name to PERSONALE\diego.zuccato
Sending tunneled request
EAP-Message =
0x020a00521a020a004d315a07b47ea772821852bfa4a104f82bda000000000000000060eb877432cb1abb8ee542673b52a0350cf856409285d6ac00504552534f4e414c455c646965676f2e7a75636361746f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "PERSONALE\\diego.zuccato"
State = 0xd1443252d14e285c0e8360ebb6b84386
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 82
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: diego.zuccato
[mschap] Told to do MS-CHAPv2 for diego.zuccato with NT-Password
[mschap] expand: %{mschap:User-Name} -> diego.zuccato
[mschap] expand:
--username=%{%{mschap:User-Name}:-%{User-Name:-None}} ->
--username=diego.zuccato
[mschap] expand: %{mschap:NT-Domain} -> PERSONALE
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-PERSONALE} ->
--domain=PERSONALE
[mschap] mschap2: 7c
[mschap] Creating challenge hash with username: diego.zuccato
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=a386f8c169a1c226
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=60eb877432cb1abb8ee542673b52a0350cf856409285d6ac
Exec-Program output: NT_KEY: 9BB45778B8201310A484C797422B8D27
Exec-Program-Wait: plaintext: NT_KEY: 9BB45778B8201310A484C797422B8D27
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010b00331a030a002e533d37343331453632374644453739373334444344324534393334414138303431343633384142373037
Message-Authenticator = 0x00000000000000000000000000000000
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: diego.zuccato
[mschap] Told to do MS-CHAPv2 for diego.zuccato with NT-Password
[mschap] expand: %{mschap:User-Name} -> diego.zuccato
[mschap] expand:
--username=%{%{mschap:User-Name}:-%{User-Name:-None}} ->
--username=diego.zuccato
[mschap] expand: %{mschap:NT-Domain} -> PERSONALE
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-PERSONALE} ->
--domain=PERSONALE
[mschap] mschap2: 7c
[mschap] Creating challenge hash with username: diego.zuccato
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=a386f8c169a1c226
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=60eb877432cb1abb8ee542673b52a0350cf856409285d6ac
Exec-Program output: NT_KEY: 9BB45778B8201310A484C797422B8D27
Exec-Program-Wait: plaintext: NT_KEY: 9BB45778B8201310A484C797422B8D27
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010b00331a030a002e533d37343331453632374644453739373334444344324534393334414138303431343633384142373037
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd1443252d04f285c0e8360ebb6b84386
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010b00331a030a002e533d37343331453632374644453739373334444344324534393334414138303431343633384142373037
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd1443252d04f285c0e8360ebb6b84386
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 10 to 137.204.65.96 port 37126
EAP-Message =
0x010b005b1900170301005045ddd3dfa215dc299b05eb6e78c8401b338a72d790e0c9a68dda5b5b37965481bc9986b0305597baa1886b95b644924146f8e906975675912df555716751ebb66b407cc46ceb46a84c17ac8b178aa6c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43ef683549e4712a6e7507d0df55eb21
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +8
Cleaning up request 1 ID 1 with timestamp +8
Cleaning up request 2 ID 2 with timestamp +8
Cleaning up request 3 ID 3 with timestamp +8
Cleaning up request 4 ID 4 with timestamp +8
Cleaning up request 5 ID 5 with timestamp +8
Cleaning up request 6 ID 6 with timestamp +8
Cleaning up request 7 ID 7 with timestamp +8
Cleaning up request 8 ID 8 with timestamp +8
Cleaning up request 9 ID 9 with timestamp +8
Cleaning up request 10 ID 10 with timestamp +8
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x43ef683549e4712a did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
Any hint?
TIA!
Diego.
4
12
Hi
I have been trying to implement radius authetication server at my
workplace. The idea is to have all wifi access points authenticate against
a radius server.
The radius server needs to pass authentication to a backend Active
Directory server. I have been sucessful in authenticating wifi users
against file based and SQL based authentication in radius. NTLM_AUTH using
PAP also works fine, wherein plaintext password is sucessfully
authenticated against the AD and I get an "Access-Accept". However when I
pass the same credentials over CHAP, MSCHAP or EAP_MSCHAP the same is not
working and I end up in a "Access-Reject". Seems like that the ntlm_auth
program is not parsing the received encrypted password hence the
authetication fails. MSCHAP is a requirement as wifi clients at my place
mostly have eap supplicant. (Read in freeradius documentation that eap and
ldap doesnt go hand in hand, I may be wrong at interpreting the same)
The freeradius logs for all the cases is listed below. Radius gurus please
point me to the right direction as to make MS_CHAP authentication owrk over
ntlm_auth or ldap(if possible).
PS: I did all the testing using JRadius simulator.
Regards
Dhiraj Gaur
-------------------------- LOGS ------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22,
length=69
User-Name = "01546"
User-Password = "xxxxxxxxxxx" --> (Plian Text password)
NAS-IP-Address = 192.168.0.199
Message-Authenticator = 0x008294e58343b74ea977c228f5b5
ec5d
Fri Jan 20 18:28:42 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:28:42 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:28:42 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:28:42 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:28:42 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:28:42 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand:
--password=%{User-Password} -> --password=xxxxxxxxx --> (We can see the
password in plaintext)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[expiration] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++[logintime] returns noop
Fri Jan 20 18:28:42 2012 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Jan 20 18:28:42 2012 : Info: ++[pap] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type)
Fri Jan 20 18:28:42 2012 : Info: ? Evaluating !(control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++? if (!control:Auth-Type) -> TRUE
Fri Jan 20 18:28:42 2012 : Info: ++- entering if (!control:Auth-Type) {...}
Fri Jan 20 18:28:42 2012 : Info: +++[control] returns noop
Fri Jan 20 18:28:42 2012 : Info: ++- if (!control:Auth-Type) returns noop
Fri Jan 20 18:28:42 2012 : Info: Found Auth-Type = ntlm_auth
Fri Jan 20 18:28:42 2012 : Info: +- entering group NTLM_AUTH {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand:
--password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: +- entering group post-auth {...}
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:28:42 2012 : Info: [ntlm_auth] expand:
--password=%{User-Password} -> --password=xxxxxxxx
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Fri Jan 20 18:28:42 2012 : Debug: Exec-Program: returned: 0
Fri Jan 20 18:28:42 2012 : Info: ++[ntlm_auth] returns ok
Fri Jan 20 18:28:42 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 22 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
User-Password := [Encrypted String]
NAS-IP-Address := 192.168.0.199
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessAccept
Attributes:
-----------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=22,
length=88
User-Name = "01546"
NAS-IP-Address = 192.168.0.199
CHAP-Challenge = 0xf454eecc38bb821eb32aa451728f6c57
CHAP-Password = 0x16aec775613540e9d4945ec5f116faf84e
Message-Authenticator = 0xf231228e943e3b7de3d2de0f48b1c9c2
Fri Jan 20 18:29:27 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:27 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:27 2012 : Info: [chap] Setting 'Auth-Type := CHAP'
Fri Jan 20 18:29:27 2012 : Info: ++[chap] returns ok
Fri Jan 20 18:29:27 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:29:27 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:27 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:27 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:27 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:27 2012 : Info: [ntlm_auth] expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program output:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:27 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:27 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:27 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:27 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:27 2012 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> 01546
Fri Jan 20 18:29:27 2012 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Jan 20 18:29:27 2012 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jan 20 18:29:27 2012 : Info: Delaying reject of request 5 for 1 seconds
Fri Jan 20 18:29:27 2012 : Debug: Going to the next request
Fri Jan 20 18:29:27 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:29:28 2012 : Info: Sending delayed reject for request 5
Sending Access-Reject of id 22 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
CHAP-Challenge := [Binary Data (length=16)]
CHAP-Password := [Binary Data (length=17)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
--------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=23,
length=133
User-Name = "01546"
NAS-IP-Address = 192.168.0.199
MS-CHAP-Challenge = 0x4262788d507fdf3cc3a78a50f98c7a8e
MS-CHAP2-Response =
0x00007062fd34e8a05d2996f236e49ea738580000000000000000f7b20a408df67dbcda3faf9290592064f165a9bcf6f37e8f
Message-Authenticator = 0x92716bba8963b228666c070135f8245a
Fri Jan 20 18:29:56 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:29:56 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:29:56 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [mschap] Found MS-CHAP attributes.
Setting 'Auth-Type = mschap'
Fri Jan 20 18:29:56 2012 : Info: ++[mschap] returns ok
Fri Jan 20 18:29:56 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:29:56 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:29:56 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:29:56 2012 : Info: [eap] No EAP-Message, not doing EAP
Fri Jan 20 18:29:56 2012 : Info: ++[eap] returns noop
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:29:56 2012 : Info: [ntlm_auth] expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program output:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:29:57 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:29:57 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:29:57 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:29:57 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:29:57 2012 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> 01546
Fri Jan 20 18:29:57 2012 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Jan 20 18:29:57 2012 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jan 20 18:29:57 2012 : Info: Delaying reject of request 6 for 1 seconds
Fri Jan 20 18:29:57 2012 : Debug: Going to the next request
Fri Jan 20 18:29:57 2012 : Debug: Waking up in 0.8 seconds.
Fri Jan 20 18:29:57 2012 : Info: Sending delayed reject for request 6
Sending Access-Reject of id 23 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
MS-CHAP-Challenge := [Binary Data (length=16)]
MS-CHAP2-Response := [Binary Data (length=50)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
-----------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.3.210 port 32854, id=24,
length=63
User-Name = "01546"
NAS-IP-Address = 192.168.0.199
EAP-Message = 0x0200000a013031353436
Message-Authenticator = 0x2a95a91be9cb3f0d79d167ea048043f9
Fri Jan 20 18:30:30 2012 : Info: +- entering group authorize {...}
Fri Jan 20 18:30:30 2012 : Info: ++[preprocess] returns ok
Fri Jan 20 18:30:30 2012 : Info: ++[chap] returns noop
Fri Jan 20 18:30:30 2012 : Info: ++[mschap] returns noop
Fri Jan 20 18:30:30 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Fri Jan 20 18:30:30 2012 : Info: [suffix] No such realm "NULL"
Fri Jan 20 18:30:30 2012 : Info: ++[suffix] returns noop
Fri Jan 20 18:30:30 2012 : Info: [eap] EAP packet type response id 0 length
10
Fri Jan 20 18:30:30 2012 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jan 20 18:30:30 2012 : Info: ++[eap] returns updated
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand:
--username=%{mschap:User-Name} -> --username=01546
Fri Jan 20 18:30:30 2012 : Info: [ntlm_auth] expand:
--password=%{User-Password} -> --password=
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program output:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Fri Jan 20 18:30:30 2012 : Debug: Exec-Program: returned: 1
Fri Jan 20 18:30:30 2012 : Info: ++[ntlm_auth] returns reject
Fri Jan 20 18:30:30 2012 : Info: Using Post-Auth-Type Reject
Fri Jan 20 18:30:30 2012 : Info: +- entering group REJECT {...}
Fri Jan 20 18:30:30 2012 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> 01546
Fri Jan 20 18:30:30 2012 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Jan 20 18:30:30 2012 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jan 20 18:30:30 2012 : Info: Delaying reject of request 7 for 1 seconds
Fri Jan 20 18:30:30 2012 : Debug: Going to the next request
Fri Jan 20 18:30:30 2012 : Debug: Waking up in 0.9 seconds.
Fri Jan 20 18:30:31 2012 : Info: Sending delayed reject for request 7
Sending Access-Reject of id 24 to 192.168.3.210 port 32854
JRADIUS CLINET LOG
Sending RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := 01546
NAS-IP-Address := 192.168.0.199
EAP-Message := [Binary Data (length=10)]
Message-Authenticator := [Binary Data (length=16)]
Received RADIUS Packet:
----------------------------------------------------------
Class: class net.jradius.packet.AccessReject
Attributes:
4
15
21 Jan '12
Hello,
I would like to help with this:
I have Freeradius version 2.1.6
I have it running with SQL and DialupAdmin.
How do I give access to wifi users who authenticate with username & pass over PEAP only to a group of users?
I mean that authorised would be only users from group WIFI and not other users belonging to other group like OpenVPN.
Now it authorises everybody from the radcheck table.
I am very new to radius and even if I was searching the net for some time I cannot find the answer which would fir my needs.
Thank you for help!
Lumir
4
5
Hello,
I have installed two servers with MVTS PRO installed on both servers ,
supports 600 concurrent calls.
and i installed one server with FreeRADIUS to manage both servers and
billing "with daloRADIUS".
and i have some needs must to be in the FreeRADIUS to manage the calls .
all calls must be checked firstly from two tables then go to Specific
Gateways like below :
1 - BlackList : to block calls to numbers from the BlackList table ,
2 - WhiteList : to send calls to numbers from the WhiteList table to White
Gateways
3 - Other calls not stored in both tables must be send to Checking Gateways
.
4 - if calls have a good CDR must be storing in WhiteList .
5 - other calls have a bad CDR must be storing in BlackList .
I want to have free choice for activate checking from both tables or one of
both tables or don't check any tables for each client individually.
how can i add both tables to FreeRADIUS and make configuration to check
before sending calls to MVTS Servers.
--
*Best Regards
Mohamed Daif*
2
1
I am very new to radius, and I
am having a problem configuring radius to authenticate by checking my
already running openldap server for authorization and then using PAP for
authentication. I am running a CentOS server where openldap is the
backed to a samba network authentication server. My comments here will
be posted in blue, radius debugging output in black, and security
changes to the output in red. I have two test runs of different
configurations but will also explain what I did throughout the the progression of my radius server
development. First I followed the directions on
"Deploying Radius" at
http://deployingradius.com/documents/configuration/pap.html. This lets
me know that the server is working, but does not have much information
about LDAP authentication and other sites I have looked over use
outdated information. So, throughout this process, I have kept track of
the changes that I have made, and saved the original configurations to
the files that I make changes to so that I can always start over again
if need be. After
the first test, I made changes to the /sites-available/default file to
uncomment the ldap line in the authorization section. I left the ldap
authentication line commented out because of further research describing
that it is not needed if I am just doing pap authentication. I used a
username and password that I know works for my network authentication. I
also made changes to the /modules/ldap file in order to connect to the
ldap database. The radius server had difficulties extracting
the userPassword from the ldap server, but pulled out the NT, LM passwords and the username just fine. I then made
one more change to the ldap module. I uncommented the line
"password_attribute = userPassword" and received the following results:
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mschap.bak
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "localhost"
port = 389
password = "LdapPassword"
identity = "cn=Admin,dc=domain,dc=com"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=ndoa,dc=state,dc=nv,dc=us"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x2f50730
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54977, id=196, length=59
User-Name = "username"
User-Password = "Password"
NAS-IP-Address = localhost
NAS-Port = 2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "username", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for username
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> username
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap] expand: dc=domain,dc=com -> dc=domain,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Admin,dc=domain,dc=com/LdapPassword to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=username)
[ldap] Added User-Password = {SSHA}encryptedPassword in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == encryptedNTpassword
rlm_ldap: sambaLmPassword -> LM-Password == encryptedLMpassword
[ldap] looking for reply items in directory...
[ldap] user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "Password"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> username
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 196 to 127.0.0.1 port 54977
Waking up in 4.9 seconds.
After
this failed attempt, I figured that PAP was not configured properly for
my ldap authentication so I made a change to the /modules/pap file:
"auto_header = yes". I tested this configuration and saw that PAP was
still trying to authenticate my SSHA password with CRYPT so I added
"encryption_scheme = "ssha" " to the pap module file. and get this
result:
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mschap.bak
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "ssha"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "localhost"
port = 389
password = "LdapPassword"
identity = "cn=Admin,dc=domain,dc=com"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=domain,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x189ff7c0
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 41127, id=231, length=59
User-Name = "username"
User-Password = "Password"
NAS-IP-Address = localhost
NAS-Port = 2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "username", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for username
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> username
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=username)
[ldap] expand: dc=domain,dc=com -> dc=domain,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Admin,dc=domain,dc=com/LdapPassword to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=username)
[ldap] Added User-Password = {SSHA}encryptedPassword in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == encryptedNTpassword
rlm_ldap: sambaLmPassword -> LM-Password == encryptedLMpassword
[ldap] looking for reply items in directory...
[ldap] user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "Password"
[pap] No password configured for the user. Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> username
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 231 to 127.0.0.1 port 41127
Waking up in 4.9 seconds.
Cleaning up request 0 ID 231 with timestamp +2
Ready to process requests.
I
do not know if I am even heading in the right direction, but I would
appreciate any help to get this working. Thanks in advance.
2
1
Now that I have my Radius server configured I need to begin
implementation I have 600 computers that will be using it. The question
I am wondering is do I have to go around and install a certificate on
every one of the computers and then maintain that every year changing
out the certificate on 600 computers or is there some way that the
server passes out certificates when the machine logs on. Or do I have
an incorrect understanding of how to implement 802.1x security.
Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcsparin(a)hillcountrymemorial.org
--
This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
8
11