Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2012
- 89 participants
- 117 discussions
> From: freeradius-users-request(a)lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 87, Issue 46
> To: freeradius-users(a)lists.freeradius.org
> Date: Tue, 17 Jul 2012 10:54:59 +0200
>
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Help needed configuring MAB on FreeRADIUS and Cisco
> switch (Alan DeKok)
> 2. Re: v2.1.x/src/modules/rlm_mschap/rlm_mschap.c (Alan DeKok)
> 3. radacct is not filled up (Andreas Meyer)
> 4. Re: radacct is not filled up (Fajar A. Nugraha)
> 5. Re: radacct is not filled up (Andreas Meyer)
> 6. Re: radacct is not filled up (Fajar A. Nugraha)
> 7. Re: Help needed configuring MAB on FreeRADIUS and Cisco
> switch (Kaya Saman)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 16 Jul 2012 18:24:42 -0400
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Help needed configuring MAB on FreeRADIUS and Cisco
> switch
> Message-ID: <500494AA.1040209(a)deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Kaya Saman wrote:
> >> There is a file in the "raddb" directory named "users".
> >
> > I **DID** do this....... !!
>
> You didn't SAY that. You were told to edit the "users" file.
> Instead, you went on a long round-about adventure, looking at other files.
>
> > There's no need to be so severe as the ban me!
>
> After 13 years of running this list, I've discovered it's the ONLY way
> to make some people follow instructions. I can be nice, and explain the
> same thing until I get frustrated. Or, I can threaten to ban people,
> and have them *immediately* start following instructions.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 16 Jul 2012 18:35:13 -0400
> From: Alan DeKok <aland(a)deployingradius.com>
> To: JJJ.Hooper(a)bristol.ac.uk, FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: v2.1.x/src/modules/rlm_mschap/rlm_mschap.c
> Message-ID: <50049721.6040401(a)deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> James JJ Hooper wrote:
> > I may have miscounted, but shouldn't that be:
> > snprintf(buffer + 44, sizeof(buffer) - 44,
>
> Yup. I'll fix it.
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 17 Jul 2012 00:59:25 +0200
> From: Andreas Meyer <anmeyer(a)anup.de>
> To: freeradius-users(a)lists.freeradius.org
> Subject: radacct is not filled up
> Message-ID: <20120717005925.4388efb0(a)itx.bitcorner.intern>
> Content-Type: text/plain; charset=US-ASCII
>
> Hello!
>
> I authenticate a users against a mysql-db and everything is fine. Get entries
> in the radpostauth table but the radacct table stays emtpy, instead the
> logging is done in /usr/var/log/radius/radacct/192.168.1.254
>
> # itx:/usr/var/log/radius/radacct/192.168.1.254 # ll
> insgesamt 284
> -rw------- 1 root root 12420 12. Jul 16:38 auth-detail-20120712
> -rw------- 1 root root 12420 13. Jul 19:35 auth-detail-20120713
> -rw------- 1 root root 6210 14. Jul 23:21 auth-detail-20120714
> -rw------- 1 root root 9078 15. Jul 17:06 auth-detail-20120715
> -rw------- 1 root root 180883 16. Jul 17:26 auth-detail-20120716
> -rw------- 1 root root 12640 17. Jul 00:43 auth-detail-20120717
> -rw------- 1 root root 1242 3. Jul 22:35 reply-detail-20120703
> -rw------- 1 root root 2008 12. Jul 16:38 reply-detail-20120712
> -rw------- 1 root root 2008 13. Jul 19:35 reply-detail-20120713
> -rw------- 1 root root 1004 14. Jul 23:21 reply-detail-20120714
> -rw------- 1 root root 1004 15. Jul 13:39 reply-detail-20120715
> -rw------- 1 root root 5041 16. Jul 17:26 reply-detail-20120716
> -rw------- 1 root root 2016 17. Jul 00:43 reply-detail-20120717
>
> I cannot find the place where in a configurationfile I can change
> the value to log into the radacct table.
>
> This is what I have in sql.conf:
>
> acct_table1 = "radacct"
> acct_table2 = "radacct"
> postauth_table = "radpostauth"
> authcheck_table = "radcheck"
> authreply_table = "radreply"
> groupcheck_table = "radgroupcheck"
> groupreply_table = "radgroupreply"
> usergroup_table = "radusergroup"
>
> Andreas
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 17 Jul 2012 10:38:02 +0700
> From: "Fajar A. Nugraha" <list(a)fajar.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: radacct is not filled up
> Message-ID:
> <CAG1y0sdFr3w=Fh+qc1-i5gM52c8M-51bJ7miF8DFFRV6Dx4LCA(a)mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 17, 2012 at 5:59 AM, Andreas Meyer <anmeyer(a)anup.de> wrote:
> > Hello!
> >
> > I authenticate a users against a mysql-db and everything is fine. Get entries
> > in the radpostauth table but the radacct table stays emtpy, instead the
> > logging is done in /usr/var/log/radius/radacct/192.168.1.254
> >
> > # itx:/usr/var/log/radius/radacct/192.168.1.254 # ll
> > insgesamt 284
> > -rw------- 1 root root 12420 12. Jul 16:38 auth-detail-20120712
> > -rw------- 1 root root 12420 13. Jul 19:35 auth-detail-20120713
> > -rw------- 1 root root 6210 14. Jul 23:21 auth-detail-20120714
> > -rw------- 1 root root 9078 15. Jul 17:06 auth-detail-20120715
> > -rw------- 1 root root 180883 16. Jul 17:26 auth-detail-20120716
> > -rw------- 1 root root 12640 17. Jul 00:43 auth-detail-20120717
> > -rw------- 1 root root 1242 3. Jul 22:35 reply-detail-20120703
> > -rw------- 1 root root 2008 12. Jul 16:38 reply-detail-20120712
> > -rw------- 1 root root 2008 13. Jul 19:35 reply-detail-20120713
> > -rw------- 1 root root 1004 14. Jul 23:21 reply-detail-20120714
> > -rw------- 1 root root 1004 15. Jul 13:39 reply-detail-20120715
> > -rw------- 1 root root 5041 16. Jul 17:26 reply-detail-20120716
> > -rw------- 1 root root 2016 17. Jul 00:43 reply-detail-20120717
> >
> > I cannot find the place where in a configurationfile I can change
> > the value to log into the radacct table.
>
> Did you read http://wiki.freeradius.org/SQL-HOWTO ?
>
> Search for "accounting"
>
> --
> Fajar
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 17 Jul 2012 09:44:22 +0200
> From: Andreas Meyer <anmeyer(a)anup.de>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Re: radacct is not filled up
> Message-ID: <20120717094422.64e6b1cf(a)itx.bitcorner.intern>
> Content-Type: text/plain; charset=US-ASCII
>
> Hello!
>
> "Fajar A. Nugraha" <list(a)fajar.net> wrote:
>
> > On Tue, Jul 17, 2012 at 5:59 AM, Andreas Meyer <anmeyer(a)anup.de> wrote:
> > > Hello!
> > >
> > > I authenticate a users against a mysql-db and everything is fine. Get entries
> > > in the radpostauth table but the radacct table stays emtpy, instead the
> > > logging is done in /usr/var/log/radius/radacct/192.168.1.254
>
>
> > > I cannot find the place where in a configurationfile I can change
> > > the value to log into the radacct table.
> >
> > Did you read http://wiki.freeradius.org/SQL-HOWTO ?
> >
> > Search for "accounting"
>
> Yes, I read the SQL-Howto. Made a change in the dialup.conf from
> sql_user_name = "%{User-Name}" to
> sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
>
> and the debug output shows that the radiusd is using stripped user-name.
> But the radacct is not filled up. All is written to the logfile in
> /usr/var/log/radius/radacct/192.168.1.254
>
> I wonder if it might have something to do with the buffered-sql in
> /usr/etc/raddb/sites-available. I made no changes to that file.
>
> mysql> use radius;
> Database changed
> mysql> show tables;
> +------------------+
> | Tables_in_radius |
> +------------------+
> | badusers |
> | mtotacct |
> | nas |
> | radacct |
> | radcheck |
> | radgroupcheck |
> | radgroupreply |
> | radpostauth |
> | radreply |
> | radusergroup |
> | totacct |
> | userinfo |
> +------------------+
> 12 rows in set (0.01 sec)
>
> Everything is fine and radcheck and radpostauth and userinfo and so on is
> written to the database exept for the radacct information.
>
> Andreas
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 17 Jul 2012 14:49:37 +0700
> From: "Fajar A. Nugraha" <list(a)fajar.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: radacct is not filled up
> Message-ID:
> <CAG1y0sfhziFXxOpea1CfShGJh0-zbYr8NcVsnoCqk7CvZCmuXQ(a)mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 17, 2012 at 2:44 PM, Andreas Meyer <anmeyer(a)anup.de> wrote:
> >> > I cannot find the place where in a configurationfile I can change
> >> > the value to log into the radacct table.
> >>
> >> Did you read http://wiki.freeradius.org/SQL-HOWTO ?
> >>
> >> Search for "accounting"
> >
> > Yes, I read the SQL-Howto. Made a change in the dialup.conf from
> > sql_user_name = "%{User-Name}" to
> > sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
> >
> > and the debug output shows that the radiusd is using stripped user-name.
> > But the radacct is not filled up. All is written to the logfile in
> > /usr/var/log/radius/radacct/192.168.1.254
> >
> > I wonder if it might have something to do with the buffered-sql in
> > /usr/etc/raddb/sites-available. I made no changes to that file.
>
> Re-read the wiki page. If you HAVE read it correctly, you would've
> seen that you need to change something in that file.
>
> --
> Fajar
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 17 Jul 2012 09:54:57 +0100
> From: Kaya Saman <kayasaman(a)gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Help needed configuring MAB on FreeRADIUS and Cisco
> switch
> Message-ID:
> <CAPj0R5+JPYXNtzwuavkKTAoeh9ARJ8PFOFKuo5w5Rj09MSYVTQ(a)mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Alan,
>
> sorry for the mishaps yesterday......
>
> On Mon, Jul 16, 2012 at 4:20 PM, alan buxey <A.L.M.Buxey(a)lboro.ac.uk> wrote:
> [...]
> >
> >> By placing the entry you suggested at the top of the /etc/raddb/users
> >> file and restarting the server I got this:
> >
> > well, no you didnt...or rather, if you did stick that in the users file
> > then its certainly not the users file that the server is reading. you are editing
> > the live server config and not some extracted archive file?
> >
>
>
> Let's just try to focus on this issue and get a basic system up and
> running before continuing on - as that is inevitably what you were
> trying to do :-)
>
>
> Ok so first let's get back to real basics and check where we are in
> the file system:
>
>
> # cd /etc/raddb
>
> # ls
> acct_users clients.conf policy.conf sql
> attrs dictionary policy.txt sql.conf
> attrs.access_challenge eap.conf preproxy_users sqlippool.conf
> attrs.access_reject example.pl proxy.conf templates.conf
> attrs.accounting_response hints radiusd.conf users
> attrs.pre-proxy huntgroups sites-available
> certs modules sites-enabled
>
> # cat users | more
> 0015c5537baa Cleartext-Password := "0015c5537baa"
> Tunnel-Type:0 = VLAN,
> Tunnel-Medium-Type:0 = IEEE-802,
> Tunnel-Private-Group-Id:0 = "3",
> Tunnel-Preference = 0x000000
>
> #
> # Please read the documentation file ../doc/processing_users_file,
> # or 'man 5 users' (after installing the server) for more information.
> #
> # This file contains authentication security and configuration
> # information for each user. Accounting requests are NOT processed
> # through this file. Instead, see 'acct_users', in this directory.
> #
> # The first field is the user's name and can be up to
> # 253 characters in length. This is followed (on the same line) with
> # the list of authentication requirements for that user. This can
> # include password, comm server name, comm server port number, protocol
> # type (perhaps set by the "hints" file), and huntgroup name (set by
>
>
> I have additionally attached the full file just incase!
>
>
> Let's see in the file system if there are any other files called users
> which maybe the 'source' of the Radius service:
>
>
> # find / -name users
> /usr/bin/users
> /etc/selinux/targeted/contexts/users
> /etc/raddb/users
> /var/www/daloradius/contrib/configs/freeradius-1.1.7/cfg1/freeradius/users
>
>
> Will disabling SElinux help, could that be blocking things as it
> usually does with TFTP???
>
>
> Regards,
>
>
> Kaya
>
1
0
Hi Alan,
@dcc5543c03 recently committed to github was:
}
- snprintf(buffer + 12 + 32, sizeof(buffer) - 45,
+ snprintf(buffer + 45, sizeof(buffer) - 45,
" V=3 M=%s", inst->retry_msg);
}
I may have miscounted, but shouldn't that be:
snprintf(buffer + 44, sizeof(buffer) - 44,
^^^ ^^^
?
Kind regards,
James
--
James J J Hooper
Senior Network Specialist, University of Bristol
http://wireless.bristol.ac.uk
--
2
1
-------- Original Message --------
Subject: Re: Problem by Anonymous Identity.
Date: Mon, 16 Jul 2012 18:07:46 -0400
From: guillermo <gwilliam(a)uci.cu>
To: freeradius-users(a)lists.freeradius.org
Thanks Phil for your quick response:
I tell you I did what you recommended, and the response in the access-accept travel with the original user, or with the user authenticating against LDAP, HOWEVER the accounting process is registering with the name specified in the option Anonymous identity 802.1X of my client.
The user is valid and the anonymous identity gwilliam is lolooooo, here is a log of the two processes, the process of authentication and accounting, as you can see in the accounting process that registers the user is specified as anonymous user identity. I hope you understand all this mess.
----------------------------------------
UTENTICATION PROCESS
----------------------------------------
Sending Access-Accept of id 144 to 172.18.3.1 port 1812
User-Name = "gwilliam"
MS-MPPE-Recv-Key = 0x2d7f52eebec0c11ab59987210fb00e3fb2c65de7562bd7f350787496f25295a4
MS-MPPE-Send-Key = 0x20907496a507061a2397283b24d6dbdf50096fb12110ec2d5838132f41244ed8
EAP-Message = 0x034b0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 65.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 58 ID 137 with timestamp +6938
Cleaning up request 59 ID 138 with timestamp +6938
Cleaning up request 60 ID 139 with timestamp +6938
Cleaning up request 61 ID 140 with timestamp +6938
----------------------------------------
ACCOUNTING PROCESS
----------------------------------------
rad_recv: Accounting-Request packet from host 172.18.3.1 port 1812, id=42, length=296
User-Name = "lolooooo"
NAS-Port = 12292
Framed-IP-Address = X.X.X.X
NAS-Identifier = "NN1-Doc-04(S5300)"
Acct-Status-Type = Interim-Update
Acct-Delay-Time = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Session-Id = "NN1-Doc000030000000045d8560000046"
Acct-Authentic = RADIUS
Acct-Session-Time = 16
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Event-Timestamp = "Jul 16 2012 18:15:07 EDT"
NAS-Port-Type = Ethernet
Calling-Station-Id = "XXXX XXXX XXXX"
NAS-Port-Id = "slot=0;subslot=0;port=3;vlanid=4"
Huawei-IPHost-Addr = "XXXXXXXX XXXXXXXX"
Huawei-Input-Burst-Size = 0
Huawei-Input-Average-Rate = 0
Huawei-Output-Burst-Size = 0
Huawei-Output-Average-Rate = 0
Huawei-Priority = 4294901760
Huawei-Connect-ID = 46
NAS-IP-Address = 172.18.3.1
+- entering group preacct {...}
++[preprocess] returns ok
++? if (reply:User-Name =~ /^(.+)(a)(.+)$/)
(Attribute reply:User-Name was not found)
++? elsif (reply:User-Name)
? Evaluating (reply:User-Name) -> FALSE
++? elsif (reply:User-Name) -> FALSE
++- entering else else {...}
expand: %{User-Name} -> lolooooo
+++[reply] returns ok
++- else else returns ok
[acct_unique] Hashing 'NAS-Port = 12292,Client-IP-Address = 172.18.3.1,NAS-IP-Address = 172.18.3.1,Acct-Session-Id = "NN1-Doc000030000000045d8560000046",User-Name = "lolooooo"'
[acct_unique] Acct-Unique-Session-ID = "0f129f7be1f9064a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "lolooooo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/172.18.3.1/detail-20120716
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/172.18.3.1/detail-20120716
[detail] expand: %t -> Mon Jul 16 18:10:18 2012
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp] expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
[radutmp] expand: %{User-Name} -> lolooooo
++[radutmp] returns ok
[sradutmp] expand: /var/log/freeradius/sradutmp -> /var/log/freeradius/sradutmp
[sradutmp] expand: %{User-Name} -> lolooooo
++[sradutmp] returns ok
[sql] expand: %{User-Name} -> lolooooo
[sql] sql_set_user escaped user --> 'lolooooo'
[sql] expand: %{Acct-Input-Gigawords} -> 0
[sql] expand: %{Acct-Input-Octets} -> 0
[sql] expand: %{Acct-Output-Gigawords} -> 0
[sql] expand: %{Acct-Output-Octets} -> 0
[sql] expand: UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}'<< 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}'<< 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET framedipaddress = '10.3.9.110', acctsessiontime = '16', acctinputoctets = '0'<< 32 | '0', acctoutputoctets = '0'<< 32 | '0' WHERE acctsessionid = 'NN1-Doc000030000000045d8560000046' AND username = 'lolooooo'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++? if (noop)
? Evaluating (noop) -> FALSE
++? if (noop) -> FALSE
[attr_filter.accounting_response] expand: %{User-Name} -> lolooooo
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 42 to 172.18.3.1 port 1812
Finished request 2.
Cleaning up request 2 ID 42 with timestamp +28
Going to the next request
Ready to process requests.
On 07/16/2012 12:19 PM, Phil Mayers wrote:
> On 16/07/12 16:57, guillermo wrote:
>> Hello friends:
>> I wanted to help me solve a problem on my server freeradius criteria. To
>> the point, what I need is to deny the use by clients of the option
>> Anonymous Identity, for in the accounting server I recorded this and not
>
> This is a bad idea. But, if you really want to do this:
>
> authorize {
>
> ...
> if (User-Name =~ /^@/) {
> reject
> }
> ...
>
> }
>
>> the actual user hindering Trace connectnios.
>
> Much better is to fix your RADIUS server so that it puts the correct
> User-Name in the REPLY, and your NAS should (if it complies with the
> RFCs) then use that User-Name in accounting packets.
>
>
> The EAP methods should do this automatically, however you might have
> problems if you are doing EAP-TTLS/PAP or EAP-TTLS/MSCHAP because the
> inner method is not EAP.
>
> We do this:
>
> sites-enabled/inner-tunnel:
>
> post-auth {
> if (!reply:User-Name) {
> update reply {
> User-Name := "%{User-Name}"
> }
> }
> }
>
> sites-enabled/default:
>
> post-auth {
>
> ...
> if (reply:User-Name =~ /^(.+)(a)(.+)$/) {
> # reply contains user@realm
>
> # overwrite the realm with the one in the request
> # in case the far end has changed realm. This forces
> # routing symmetry
> update reply {
> User-Name := "%{1}@%{Realm}"
> }
> }
>
> elsif (reply:User-Name) {
> # reply contains bare user, no realm - add one
> update reply {
> User-Name := "%{reply:User-Name}@%{Realm}"
> }
> }
>
> else {
> # no reply username, use the one from the request
> update reply {
> User-Name := "%{User-Name}"
> }
> }
> ...
>
> }
>
>
> ...ensure you have:
>
> use_tunneled_reply = yes
>
> ...in your eap.conf for this to work properly.
>
> If your NAS doesn't send the reply User-Name back in accounting, throw
> it away and get a new one.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> 10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS
> INFORMATICAS...
> CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION
>
> http://www.uci.cu
> http://www.facebook.com/universidad.uci
> http://www.flickr.com/photos/universidad_uci
10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS...
CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION
http://www.uci.cu
http://www.facebook.com/universidad.uci
http://www.flickr.com/photos/universidad_uci
1
0
Hello,
I currently use PEAP and the mschap module to call ntlm_auth and authenticate against Active Directory. The FreeRadius server is currently joined to domain1.
It may come about in the near future that I need to query two different domains before failing a request. Unlang says I can do this:
redundant {
mschap.domain1
mschap.domain2
}
Where mschap.domain{1,2} are copies of the stock mschap module, with the new domain plugged in.
Will this work? Do I need to change the Samba configuration?
In a quick test, with the server in domain1, I ran ntlm_auth and specified domain2, which failed to authenticate the user.
Thanks,
Dave A.
4
4
Hello friends:
I wanted to help me solve a problem on my server freeradius criteria. To
the point, what I need is to deny the use by clients of the option
Anonymous Identity, for in the accounting server I recorded this and not
the actual user hindering Trace connections.
Waiting for your help ...
10mo. ANIVERSARIO DE LA CREACION DE LA UNIVERSIDAD DE LAS CIENCIAS INFORMATICAS...
CONECTADOS AL FUTURO, CONECTADOS A LA REVOLUCION
http://www.uci.cu
http://www.facebook.com/universidad.uci
http://www.flickr.com/photos/universidad_uci
2
1
Hi folks,
I've found on FR Version 2.1.12 that mismatching shared secret errors
are not recorded on "regulars logs" (eg /var/log/radius/radius.log)
but only when run in mode debug:
"Received Accounting-Request packet from client 10.129.189.1 with
invalid signature! (Shared secret is incorrect.) Dropping packet
without response."
My configuration:
FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on
Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file
/etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
including configuration file /etc/raddb-testing/modules/digest
including configuration file /etc/raddb-testing/modules/mac2vlan
including configuration file /etc/raddb-testing/modules/otp
including configuration file /etc/raddb-testing/modules/files
including configuration file /etc/raddb-testing/modules/always
including configuration file /etc/raddb-testing/modules/ntlm_auth
including configuration file /etc/raddb-testing/modules/detail
including configuration file /etc/raddb-testing/modules/krb5
including configuration file /etc/raddb-testing/modules/sradutmp
including configuration file /etc/raddb-testing/modules/opendirectory
including configuration file /etc/raddb-testing/modules/counter
including configuration file /etc/raddb-testing/modules/detail.example.com
including configuration file /etc/raddb-testing/modules/ippool
including configuration file /etc/raddb-testing/modules/expiration
including configuration file /etc/raddb-testing/modules/dynamic_clients
including configuration file /etc/raddb-testing/modules/detail.log
including configuration file /etc/raddb-testing/modules/redis
including configuration file /etc/raddb-testing/modules/ldap
including configuration file /etc/raddb-testing/modules/unix
including configuration file /etc/raddb-testing/eap.conf
including configuration file /etc/raddb-testing/policy.conf
including files in directory /etc/raddb-testing/sites-enabled/
including configuration file /etc/raddb-testing/sites-enabled/status
including configuration file /etc/raddb-testing/sites-enabled/control-socket
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel
including configuration file /etc/raddb-testing/sites-enabled/default
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb-testing/dictionary
main {
name = "radiusd"
prefix = "/usr/local-test"
localstatedir = "/usr/local-test/var"
sbindir = "/usr/local-test/sbin"
logdir = "/usr/local-test/var/log/radius"
run_dir = "/usr/local-test/var/run/radiusd"
libdir = "/usr/local-test/lib"
radacctdir = "/usr/local-test/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local-test/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.1.5 {
require_message_authenticator = no
secret = "testing123"
shortname = "spectrum.sarlanga.edu"
}
client 10.129.100.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-PB"
}
client 10.129.10.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-SS"
}
client 10.129.11.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-1"
}
client 10.129.111.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-1"
}
client 10.129.12.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-2"
}
client 10.129.13.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-3"
}
client 10.129.14.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-4"
}
client 10.129.199.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "PIVOT-LINKSYS"
}
client 10.129.200.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "PIVOT-TPLINK"
}
client 10.129.254.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "Transitional"
}
client 10.129.15.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-5"
}
client 10.129.16.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-6"
}
client 10.129.17.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-7"
}
client 10.129.60.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-0"
}
client 10.129.61.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-I"
}
client 10.129.62.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-I"
}
client 10.129.158.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-SS"
}
client 10.129.80.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-PB"
}
client 10.129.180.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-PB-SUM"
}
client 10.128.255.81 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-I"
}
client 10.129.81.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-I"
}
client 10.128.255.82 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-II"
}
client 10.129.82.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-II"
}
client 10.128.250.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-Bridge"
}
client 10.128.255.172 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-I_bis_test"
}
client 10.128.255.83 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-III"
}
client 10.129.83.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-III"
}
client 10.129.183.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-III"
}
client 10.129.84.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-IV"
}
client 10.129.184.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-IV-Bis"
}
client 10.129.194.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-IV-Bis-2"
}
client 10.128.255.181 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-I_bis"
}
client 10.129.181.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-I_bis"
}
client 10.129.162.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-I_bis_2"
}
client 10.128.255.86 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-VI"
}
client 10.129.86.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-VI"
}
client 10.128.255.87 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-VII"
}
client 10.129.87.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-VII"
}
client 10.129.187.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-VII-Derecho"
}
client 10.129.99.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-Pivot"
}
client 10.129.52.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PV-PB"
}
client 10.128.255.85 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-V"
}
client 10.129.85.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-V"
}
client 10.129.189.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-IX-HD"
}
client 10.129.88.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-VIII"
}
client 10.129.89.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "oficina-test"
}
client 10.129.160.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-Auditorio"
}
client 10.129.182.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Leaks-X"
}
client 192.168.2.53 {
require_message_authenticator = no
secret = "akantilad0-Green-22"
shortname = "sarlanga3"
}
client 192.168.45 {
require_message_authenticator = no
secret = "sarlangalad0-black-54"
shortname = "sarlanga4"
}
client 192.168.3.201 {
require_message_authenticator = no
secret = "sarlangalad0-blue-246692"
shortname = "sarlanga7"
}
client 192.168.4 {
require_message_authenticator = no
secret = "Zarag0Za-Muppet5-32"
shortname = "AP-sarlanga7"
}
client 192.168.142.240 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-1"
}
client 192.168.142.241 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-2"
}
client 192.168.142.242 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-3"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb-testing/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb-testing/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb-testing/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb-testing/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb-testing/radiusd.conf
modules {
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb-testing/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb-testing/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/raddb-testing/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_pam
Module: Instantiating module "pam" from file /etc/raddb-testing/modules/pam
pam {
pam_auth = "radiusd"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb-testing/modules/unix
unix {
radwtmp = "/usr/local-test/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb-testing/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 600
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/pki/tls/certs/ips-spectrum-key.pem"
certificate_file = "/etc/pki/tls/certs/spectrum.sarlanga.edu.cer"
CA_file = "/etc/pki/tls/certs/IPS-IPSCABUNDLE.crt"
dh_file = "/etc/raddb-testing/certs/dh"
random_file = "/etc/raddb-testing/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = yes
lifetime = 6
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb-testing/modules/preprocess
preprocess {
huntgroups = "/etc/raddb-testing/huntgroups"
hints = "/etc/raddb-testing/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file
/etc/raddb-testing/modules/detail.log
detail auth_log {
detailfile = "/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/raddb-testing/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb-testing/modules/files
files {
usersfile = "/etc/raddb-testing/users"
acctusersfile = "/etc/raddb-testing/acct_users"
preproxy_usersfile = "/etc/raddb-testing/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb-testing/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file
/etc/raddb-testing/modules/detail
detail {
detailfile = "/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = yes
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/raddb-testing/modules/radutmp
radutmp {
filename = "/usr/local-test/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb-testing/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb-testing/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_linelog
Module: Instantiating module "linelog" from file
/etc/raddb-testing/modules/linelog
linelog {
filename = "/usr/local-test/var/log/radius/linelog"
permissions = 384
format = "%{Packet-Type} %{reply:Packet-Type} %{User-Name}
%{EAP-Type:-PAP} %{NAS-IP-Address} %{NAS-Identifier}"
}
Module: Instantiating module "reply_log" from file
/etc/raddb-testing/modules/detail.log
detail reply_log {
detailfile = "/usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb-testing/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb-testing/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server status { # from file /etc/raddb-testing/sites-enabled/status
modules {
Module: Creating Autz-Type = Status-Server
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_always
Module: Instantiating module "ok" from file /etc/raddb-testing/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/raddb-testing/sites-enabled/inner-tunnel
modules {
Module: Creating Auth-Type = LDAP
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb-testing/modules/ldap
ldap {
server = "ldap.sarlanga.edu"
port = 636
password = "sarlanga"
identity = "cn=freeradius,ou=applications,dc=sarlanga,dc=edu"
net_timeout = 10
timeout = 120
timelimit = 30
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/etc/raddb-testing/cacert.pem"
randfile = "/dev/urandom"
require_cert = "demand"
}
basedn = "ou=people,dc=sarlanga,dc=edu"
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr = "radiusAllowed"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb-testing/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 15
compare_check_items = no
do_xlat = yes
set_auth_type = yes
keepalive {
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/etc/raddb-testing/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x6cb0ac0
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server inner-tunnel-peap { # from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.1.5
port = 0
}
listen {
type = "acct"
ipaddr = 192.168.1.5
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local-test/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18120
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "YellowSubmarine"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18121
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Ready to process requests.
any ideas?
--
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
3
2
Hi,
radlast shows NAS-Identifier trunked
lbazch 009:AP-PV-PB Tue Jul 10 12:10 still logged in
mfembe 004:AP-PI-PB Tue Jul 10 12:10 still logged in
msabad 005:oficina- Tue Jul 10 12:10 still logged in
Why? Is a bug? A misconfiguration?
You want the debug output, ok you have it :)
FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on
Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file
/etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
including configuration file /etc/raddb-testing/modules/digest
including configuration file /etc/raddb-testing/modules/mac2vlan
including configuration file /etc/raddb-testing/modules/otp
including configuration file /etc/raddb-testing/modules/files
including configuration file /etc/raddb-testing/modules/always
including configuration file /etc/raddb-testing/modules/ntlm_auth
including configuration file /etc/raddb-testing/modules/detail
including configuration file /etc/raddb-testing/modules/krb5
including configuration file /etc/raddb-testing/modules/sradutmp
including configuration file /etc/raddb-testing/modules/opendirectory
including configuration file /etc/raddb-testing/modules/counter
including configuration file /etc/raddb-testing/modules/detail.example.com
including configuration file /etc/raddb-testing/modules/ippool
including configuration file /etc/raddb-testing/modules/expiration
including configuration file /etc/raddb-testing/modules/dynamic_clients
including configuration file /etc/raddb-testing/modules/detail.log
including configuration file /etc/raddb-testing/modules/redis
including configuration file /etc/raddb-testing/modules/ldap
including configuration file /etc/raddb-testing/modules/unix
including configuration file /etc/raddb-testing/eap.conf
including configuration file /etc/raddb-testing/policy.conf
including files in directory /etc/raddb-testing/sites-enabled/
including configuration file /etc/raddb-testing/sites-enabled/status
including configuration file /etc/raddb-testing/sites-enabled/control-socket
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel
including configuration file /etc/raddb-testing/sites-enabled/default
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb-testing/dictionary
main {
name = "radiusd"
prefix = "/usr/local-test"
localstatedir = "/usr/local-test/var"
sbindir = "/usr/local-test/sbin"
logdir = "/usr/local-test/var/log/radius"
run_dir = "/usr/local-test/var/run/radiusd"
libdir = "/usr/local-test/lib"
radacctdir = "/usr/local-test/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local-test/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "nvam890"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "nvam890"
nastype = "other"
}
client 192.168.1.5 {
require_message_authenticator = no
secret = "nvam890"
shortname = "vivalapepa.sarlanga.edu"
}
client 10.129.100.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-PB"
}
client 10.129.10.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-SS"
}
client 10.129.11.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-1"
}
client 10.129.111.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-1"
}
client 10.129.12.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-2"
}
client 10.129.13.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-3"
}
client 10.129.14.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-4"
}
client 10.129.199.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "PIVOT-LINKSYS"
}
client 10.129.200.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "PIVOT-TPLINK"
}
client 10.129.254.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "Transitional"
}
client 10.129.15.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-5"
}
client 10.129.16.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-6"
}
client 10.129.17.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-7"
}
client 10.129.60.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-0"
}
client 10.129.61.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-I"
}
client 10.129.62.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-I"
}
client 10.129.158.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-SS"
}
client 10.129.80.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-PB"
}
client 10.129.180.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-PB-SUM"
}
client 10.128.255.81 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-I"
}
client 10.129.81.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-I"
}
client 10.128.255.82 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-II"
}
client 10.129.82.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-II"
}
client 10.128.250.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-Bridge"
}
client 10.128.255.172 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-I_bis_test"
}
client 10.128.255.83 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-III"
}
client 10.129.83.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-III"
}
client 10.129.183.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-III"
}
client 10.129.84.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-IV"
}
client 10.129.184.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-IV-Bis"
}
client 10.129.194.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-IV-Bis-2"
}
client 10.128.255.181 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-I_bis"
}
client 10.129.181.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-I_bis"
}
client 10.129.162.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-I_bis_2"
}
client 10.128.255.86 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-VI"
}
client 10.129.86.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-VI"
}
client 10.128.255.87 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-VII"
}
client 10.129.87.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-VII"
}
client 10.129.187.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-VII-Derecho"
}
client 10.129.99.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-Pivot"
}
client 10.129.52.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PV-PB"
}
client 10.128.255.85 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-V"
}
client 10.129.85.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-V"
}
client 10.129.189.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-IX-HD"
}
client 10.129.88.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-VIII"
}
client 10.129.89.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "oficina-test"
}
client 10.129.160.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-Auditorio"
}
client 10.129.182.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-yocadorneotucadorneas-X"
}
client 192.168.2.53 {
require_message_authenticator = no
secret = "akantilad0-Green-22"
shortname = "sarlanga3"
}
client 192.168.45 {
require_message_authenticator = no
secret = "sarlangalad0-black-54"
shortname = "sarlanga4"
}
client 192.168.3.201 {
require_message_authenticator = no
secret = "sarlangalad0-blue-246692"
shortname = "sarlanga7"
}
client 192.168.4 {
require_message_authenticator = no
secret = "Zarag0Za-Muppet5-32"
shortname = "AP-sarlanga7"
}
client 192.168.142.240 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-1"
}
client 192.168.142.241 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-2"
}
client 192.168.142.242 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-3"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb-testing/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb-testing/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb-testing/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb-testing/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb-testing/radiusd.conf
modules {
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb-testing/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb-testing/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/raddb-testing/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_pam
Module: Instantiating module "pam" from file /etc/raddb-testing/modules/pam
pam {
pam_auth = "radiusd"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb-testing/modules/unix
unix {
radwtmp = "/usr/local-test/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb-testing/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 600
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/pki/tls/certs/ips-vivalapepa-key.pem"
certificate_file = "/etc/pki/tls/certs/vivalapepa.sarlanga.edu.cer"
CA_file = "/etc/pki/tls/certs/IPS-IPSCABUNDLE.crt"
dh_file = "/etc/raddb-testing/certs/dh"
random_file = "/etc/raddb-testing/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = yes
lifetime = 6
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb-testing/modules/preprocess
preprocess {
huntgroups = "/etc/raddb-testing/huntgroups"
hints = "/etc/raddb-testing/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file
/etc/raddb-testing/modules/detail.log
detail auth_log {
detailfile = "/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/raddb-testing/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb-testing/modules/files
files {
usersfile = "/etc/raddb-testing/users"
acctusersfile = "/etc/raddb-testing/acct_users"
preproxy_usersfile = "/etc/raddb-testing/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb-testing/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file
/etc/raddb-testing/modules/detail
detail {
detailfile = "/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = yes
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/raddb-testing/modules/radutmp
radutmp {
filename = "/usr/local-test/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb-testing/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb-testing/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_linelog
Module: Instantiating module "linelog" from file
/etc/raddb-testing/modules/linelog
linelog {
filename = "/usr/local-test/var/log/radius/linelog"
permissions = 384
format = "%{Packet-Type} %{reply:Packet-Type} %{User-Name}
%{EAP-Type:-PAP} %{NAS-IP-Address} %{NAS-Identifier}"
}
Module: Instantiating module "reply_log" from file
/etc/raddb-testing/modules/detail.log
detail reply_log {
detailfile = "/usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb-testing/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb-testing/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server status { # from file /etc/raddb-testing/sites-enabled/status
modules {
Module: Creating Autz-Type = Status-Server
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_always
Module: Instantiating module "ok" from file /etc/raddb-testing/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/raddb-testing/sites-enabled/inner-tunnel
modules {
Module: Creating Auth-Type = LDAP
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb-testing/modules/ldap
ldap {
server = "ldap.sarlanga.edu"
port = 636
password = "sarlanga"
identity = "cn=freeradius,ou=applications,dc=sarlanga,dc=edu"
net_timeout = 10
timeout = 120
timelimit = 30
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/etc/raddb-testing/cacert.pem"
randfile = "/dev/urandom"
require_cert = "demand"
}
basedn = "ou=people,dc=sarlanga,dc=edu"
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr = "radiusAllowed"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb-testing/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 15
compare_check_items = no
do_xlat = yes
set_auth_type = yes
keepalive {
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/etc/raddb-testing/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x6cb0ac0
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server inner-tunnel-peap { # from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.1.5
port = 0
}
listen {
type = "acct"
ipaddr = 192.168.1.5
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local-test/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18120
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "YellowSubmarine"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18121
}
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=58, length=167
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a1000b016d6c656e6f69
Message-Authenticator = 0x88fcf4ca35b563fb01a0f63ff55a27d4
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 161 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 58 to 10.129.180.1 port 55764
EAP-Message = 0x01a200160410eba586f1a4e43e386b7cba670d11fc58
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb88b6daa97df52ad5b75d5386
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=59, length=180
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a200060319
State = 0x8814deeb88b6daa97df52ad5b75d5386
Message-Authenticator = 0x1e5fcf13dc906487e9bc6138d2def512
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 162 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 59 to 10.129.180.1 port 55764
EAP-Message = 0x01a300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb89b7c7a97df52ad5b75d5386
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=60, length=240
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a30042190016030100370100003303014ffc4751a6a0a85eeb3cb3cc0924f3d862ce97c74999acb91562f01c3c4ccef500000c0013000a0033002f000500040100
State = 0x8814deeb89b7c7a97df52ad5b75d5386
Message-Authenticator = 0x3fba2ff705f2bf305cb8c711deff0b96
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 163 length 66
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0037], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 004a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 1324], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 60 to 10.129.180.1 port 55764
EAP-Message = 0x01a4040019c000001381160301004a0200004603014ffc4812c847086e3bf550b27dec5092792445e353e4d1a3e2db9eaa97196478205c12f92d381891c8b63481c5b06d636edd829eb656da4bb5fe754809f8f741f8000a0016030113240b00132000131d00071730820713308205fba0030201020214101b7f691cb7a76e4d2434f172207f0d6457bfd6300d06092a864886f70d01010505003081b0310b3009060355040613024553310f300d060355040813064d4144524944310f300d060355040713064d414452494431243022060355040a131b6970732043657274696669636174696f6e20417574686f7269747931183016060355040b130f
EAP-Message = 0x43657274696669636163696f6e657331193017060355040313106970734341204c6576656c20312043413124302206092a864886f70d010901161569707363616c6576656c314069707363612e636f6d301e170d3132303132373132303731335a170d3134303230313132303731335a30818d310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311d301b06035504031314737065637472756d2e70616c65726d6f2e
EAP-Message = 0x65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100a8efabc6c785b1314fc7a643f75a6b1e1ae645b4ad47d23a5ce062cd3fa5a998112d48b88960da17628181430eb1e6dbcd806eb3b77ad9ca5728e86d333f9a910107d90c0e2dad1951587fb6ebe0b1f99665fad04e352e1d87dbf1a1292ae3cc8bb936511b10cc25facb79db7df50a443359a5c46213253cfbee9db5a262221e23d6961c6f2e4bff6c7702fe05eeff8c97c3c4558f84d3d61a1571017d5638863ec4f341613113aca1b385ae7598065503f28f78c83c632ebb0183d6d8ffd21edd8cd4db50c1550443f12706847a053769c1c5c7f94eff9fff
EAP-Message = 0x8c3091d3892db2f35ab46dc208d1e03f37b82fb96d7fba474b42279ecb74157fdc521c038949dd0203010001a38203443082034030090603551d1304023000301106096086480186f8420101040403020640300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414d57dbba6130341755d2138e3ed9faacb3e65cdcb301f0603551d230418301680147d9e6b0efc13e1c48ba77f61ae6021cfcda0d30630090603551d1104023000305b0603551d1204543052a450304e310b300906035504061302455331243022060355040a131b6970732043657274696669636174696f6e20417574686f
EAP-Message = 0x726974793119301706035504
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb8ab0c7a97df52ad5b75d5386
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=61, length=180
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a400061900
State = 0x8814deeb8ab0c7a97df52ad5b75d5386
Message-Authenticator = 0x6151ed5595147071dcca331db578ce31
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 164 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 61 to 10.129.180.1 port 55764
EAP-Message = 0x01a503fc19400313106970734341204c6576656c2031204341307106096086480186f842010d046416624f7267616e697a6174696f6e20496e666f726d6174696f6e204e4f542056414c4944415445442e204c4556454c3120536572766572204365727469666963617465206973737565642062792068747470733a2f2f7777772e69707363612e636f6d2f302906096086480186f8420102041c161a687474703a2f2f6c6576656c3130312e69707363612e636f6d2f303c06096086480186f8420104042f162d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c3043060960864801
EAP-Message = 0x86f842010304361634687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f7265766f636174696f6e4c4556454c312e68746d6c3f304006096086480186f842010704331631687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f72656e6577616c4c4556454c312e68746d6c3f303e06096086480186f84201080431162f687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f706f6c6963794c4556454c312e68746d6c30730603551d1f046c306a3033a031a02f862d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63
EAP-Message = 0x726c3033a031a02f862d687474703a2f2f6c6576656c3130322e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f6373706c6576656c3130312e69707363612e636f6d2f6f637370300d06092a864886f70d010105050003820101004b61ec4cf7163dad3601e3de9938175ec4ec75d60f658eabf37b1e331283419e7438e584e8cfc47c087c7cba005dcd9d7d165a470bd7aaea70b69b1a18ad2a6cc136cf2ff5cb948ae2866b1c46bbf8ef999ecb510407f28a091e7aa75684d90938f85c3fcd39580112b6979f3284c581f86b
EAP-Message = 0x998bc211c1de82e87fd57ee7a975905e9dec75020feda29cf4f29dc59dc3946ccf328f7380c6f3f4064d3f6f496fffd640ed2c813c44d648f9ee0143f894d41f4970f30e158064b305a4ae264887a62b5ee51f4f7f3241ddeebcd1153f836262d7c24c4cd7a09f2ab6bc052cd2ecf78e948f240e526538478893fb776f27d44d620c8e58641b4231958c85d758080005f2308205ee308204d6a00302010202141000000000000000000000000000000000000011300d06092a864886f70d01010505003081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d06035504
EAP-Message = 0x0a13264950532043
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb8bb1c7a97df52ad5b75d5386
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=62, length=180
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a500061900
State = 0x8814deeb8bb1c7a97df52ad5b75d5386
Message-Authenticator = 0x67cd523cc7b68fde1645669d61b7fd97
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 165 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 62 to 10.129.180.1 port 55764
EAP-Message = 0x01a603fc1940657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d301e170d3039313231303131333835325a170d3239313232343131333835325a3081b0310b3009060355040613024553310f300d060355040813064d4144524944310f300d060355040713064d414452494431243022060355040a131b6970732043657274696669636174696f6e20417574686f7269747931183016060355040b130f43
EAP-Message = 0x657274696669636163696f6e657331193017060355040313106970734341204c6576656c20312043413124302206092a864886f70d010901161569707363616c6576656c314069707363612e636f6d30820122300d06092a864886f70d01010105000382010f003082010a02820101009f4db33023c13a798527825d45ce5b64f82bafe15d6001e2940ed501863645858c0c8e76e1a0a40d935417986aeeb2840b23eabf217cc0ee49c026791954d6311890f7fb970be3a8c51640de2eb88c655b32d953f7c8ff06fb896654f8ea44420fb74fc7b0e94fd1d0bbfa968a33e346b7fa64bc65b11fb1e0e105f80cdd4af58b3097b4480a94feaf1d63f269
EAP-Message = 0x2c6b1b446afd3bd9dae70df0c68ab6e0190160a309a2b320401b14073a8c22df33f476c185b862b849b975c196ed1108af3c3f4e59e840dc995a134747e3b2840a7e8130b71c969f2e0d1cd0e5845e5bad3cce4a6b7d684522f54d5ae79f5c19004827a5787882d3e2ffb1e680dfeb2a125bb10203010001a38201fa308201f6302a06096086480186f8420102041d161b68747470733a2f2f6c6576656c3130312e69707363612e636f6d2f302106096086480186f84201030414161265737461646f2f65737461646f2e6173703f302706096086480186f8420104041a161865737461646f4341544553542f65737461646f2e6173703f3022060960
EAP-Message = 0x86480186f84201070415161365737461646f2f72656e756576612e6173703f302006096086480186f84201080413161165737461646f2f706f6c6963792e617370302406096086480186f842010d04171615436572746966696361646f20706f72206970734341301106096086480186f8420101040403020007300c0603551d13040530030101ff301d0603551d0e041604147d9e6b0efc13e1c48ba77f61ae6021cfcda0d306303e0603551d1f043730353033a031a02f862d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c303a06082b06010505070101042e302c302a06082b06
EAP-Message = 0x010505073001861e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb8cb2c7a97df52ad5b75d5386
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=63, length=180
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a600061900
State = 0x8814deeb8cb2c7a97df52ad5b75d5386
Message-Authenticator = 0xf9928a64da7f9a2233d6f45dd4ddd309
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 166 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 63 to 10.129.180.1 port 55764
EAP-Message = 0x01a703fc1940687474703a2f2f6f6373706c6576656c3130312e69707363612e636f6d2f300b0603551d0f04040302010630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304300d06092a864886f70d010105050003820101008737bf8f76d31d2eca683935839d2958fe74add252963aff06e84cb0308e3316c5972d29aebe28e77e10ab20e1ed509ecfbbd394fe1da47370d27e6239b31cd636e1d4782bace12bedc753a14dd4281f588e56e2c924f956ec0ad0df5268575ea4393bb9e46619c4cff0a7fbb7717f
EAP-Message = 0xd7f247a501f8245587996ac61064ada017958080eb6d4bd3e9171685a951ae6e69419776e8de7f43fb891b853397030059549676d110ed837018f76ca7231a20647365211bee7e1e67f8026ad21c2e37a31e7001bb866076bc7adc7eff3475f2e33e94c60ed70ce792cc33c31c32df09e853cf3587c59453f98efa685cce193a482a52f3da46c2e6bd5d02b5471eb9954000060b30820607308204efa003020102020100300d06092a864886f70d01010505003081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a132649505320436572746966696361
EAP-Message = 0x74696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d301e170d3039303930373134333834345a170d3239313232353134333834345a3081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b130569707343
EAP-Message = 0x41311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7efcc8030b091244fb068f8c3ca2d1538555882e23863b0f7a3926f83b8b05eb08cac54b177d050e097b390ad8ab31f392b4556f7aae2df7cb2ec6f532f9acbd0e666cbc913e872e2b4cd31578712b593e8fa72ceea47f28cb4b063d70400b764363997e895f188f9710d03278c61cf0883964f83c54ee85cf80670f102aa1c1ea9c8aa7ee75dcd8d3c146f67d01ba923488b21283a8a4ce6
EAP-Message = 0x1131f9212eb26766
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb8db3c7a97df52ad5b75d5386
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=64, length=180
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a700061900
State = 0x8814deeb8db3c7a97df52ad5b75d5386
Message-Authenticator = 0xed341e6a8b2de2aae596dcc6c65dc1c9
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 167 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 64 to 10.129.180.1 port 55764
EAP-Message = 0x01a803af1900c6296e9493cf4096fcb03dbfb2b493bf5671b6a54187b058b559232849b898f9501e2d15280b4cac49d184a99b9ae77254b738d0dbc9fea973d56d10cd8e75ebfe97fd803cfcb4d848f499460b8814a4b62edb4c60f421c16c809514d5afd50203010001a382022430820220301d0603551d0e0416041415a69680b1154b31c3c29cf6e7130b4bf318cd863081df0603551d230481d73081d4801415a69680b1154b31c3c29cf6e7130b4bf318cd86a181b8a481b53081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043
EAP-Message = 0x657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d820100300c0603551d13040530030101ff300b0603551d0f04040302010630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304301d0603551d11041630148112676c6f62616c30314069707363612e636f6d301d0603
EAP-Message = 0x551d12041630148112676c6f62616c30314069707363612e636f6d30410603551d1f043a30383036a034a0328630687474703a2f2f63726c676c6f62616c30312e69707363612e636f6d2f63726c2f63726c676c6f62616c30312e63726c303806082b06010505070101042c302a302806082b06010505073001861c687474703a2f2f63726c676c6f62616c30312e69707363612e636f6d300d06092a864886f70d0101050500038201010018f4aefe800f8ec1776fa25a47489f2355a1536bf95da730a524be432ff8c1d157f93e2c8025cc46a936f3495b1df67cd763b34d3e78f6a7b40277f8790d3e6acb1860b8fd00af0cdd54e3548f223df310
EAP-Message = 0x6f110db51e7a8d27cc08b85bc3b81a5f2ba7603f001cf70f5c4266649e8712807089e0fa57280e4e1f102fd90580b6802f1c69f0f6b66534056fcad93ef8d45d3732c7b82bccff73930071e001c8aa43bda9f1cefa80f9f1431291a665e560074d47ba2b2f04f64a8529886510c9b253629c6c9b605c1a1bd3aec51d729906ff05cc862673b4d45405dd1e6b003bb789e8e391022012ebefe9fe0a29238123a300da70cc925f3723d01c7b355c037a16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb8ebcc7a97df52ad5b75d5386
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=65, length=500
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a8014419001603010106100001020100422704cd2992a92b33a0a1516a61525d92c4dfb23f82f13d7b5f56317b8668a17155e3e2db2f75abdc226796641cb7b202dbb1848b69d8dfbc9516be04e509aea5daa181ff82a299d1461247d5eaeac52c51c4e0fd970eda3675f726e29e528089f432cf1969857b47a5589ae03dedc4b2504710c7bff51ec058c224cb9d9c03e67635e9491f822d5f2b7b4cc325df76f6d7b4f95ae47a83d736e4013e02e4636b883d00cd9efd5faab5074cd2d5d2ef6200d92c35ef95a04c8943228e3d54f9c864bd52472a461a4f4a001a34004855f560759d43b008102d6ca5316311ac5d169ad14ff2ae6de1df49f05c
EAP-Message = 0x8381e6e6b4115f6cea0ee09eb3e6d38b1358d7781403010001011603010028d07f0c5c09b511758626eb89bb222bd25ea4a04957e579211de5c394aa80202f9f928fe9b2cfef6f
State = 0x8814deeb8ebcc7a97df52ad5b75d5386
Message-Authenticator = 0x5e5b913676276daf39e1c9ff83c259aa
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 168 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
SSL: adding session
5c12f92d381891c8b63481c5b06d636edd829eb656da4bb5fe754809f8f741f8 to
cache
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 65 to 10.129.180.1 port 55764
EAP-Message = 0x01a9003919001403010001011603010028d821d133aa4769658355f7b458637264e48e690e4e79bdb4b0d2d18ef509335e35e751de3bf1d351
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb8fbdc7a97df52ad5b75d5386
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=66, length=180
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02a900061900
State = 0x8814deeb8fbdc7a97df52ad5b75d5386
Message-Authenticator = 0xca4cc7ef534339b7d9aeaf0a2a352aa5
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 169 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.129.180.1 port 55764
EAP-Message = 0x01aa002b1900170301002086365ff559740ef850f6911a41fa412f9b1630f7051310898c0fc537065e9e2e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb80bec7a97df52ad5b75d5386
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=67, length=246
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02aa0048190017030100185c83e2174ed058a36cc14e00cc4fae5a9179da770e44ac83170301002078727b4506bc63126fa2517afc18e439fd9f2f4ffdd00d99700217f127b402dd
State = 0x8814deeb80bec7a97df52ad5b75d5386
Message-Authenticator = 0xecc9f19ff811e3e27e70eae209dbb6e9
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 170 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - yyyyy
[peap] Got inner identity 'yyyyy'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02aa000b016d6c656e6f69
server {
[peap] Setting User-Name to yyyyy
Sending tunneled request
EAP-Message = 0x02aa000b016d6c656e6f69
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 10.129.180.1
server inner-tunnel {
# Executing section authorize from file
/etc/raddb-testing/sites-enabled/inner-tunnel
+- entering group authorize {...}
[auth_log] expand: %{Virtual-Server} -> inner-tunnel
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-inner-tunnel-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-inner-tunnel-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 170 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for yyyyy
[ldap] expand: (uid=%u) -> (uid=yyyyy)
[ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap.sarlanga.edu:636, authentication 0
[ldap] setting TLS mode to 1
[ldap] setting TLS CACert File to /etc/raddb-testing/cacert.pem
[ldap] setting TLS Require Cert to demand
[ldap] setting TLS Key File to /dev/urandom
[ldap] bind as
cn=freeradius,ou=applications,dc=sarlanga,dc=edu/sarlanga to
ldap.sarlanga.edu:636
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=people,dc=sarlanga,dc=edu, with
filter (uid=yyyyy)
[ldap] checking if remote access for yyyyy is allowed by radiusAllowed
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{crypt}5.glupOqHA"
[ldap] radiusPassword -> Cleartext-Password == "pulgas"
[ldap] looking for reply items in directory...
[ldap] user yyyyy authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x01ab00201a01ab001b109bf4c3c47d874e0e30116053130d22176d6c656e6f69
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb51c5a6bbfadfaf825abcaa22d694a6
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x01ab00201a01ab001b109bf4c3c47d874e0e30116053130d22176d6c656e6f69
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb51c5a6bbfadfaf825abcaa22d694a6
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 67 to 10.129.180.1 port 55764
EAP-Message = 0x01ab0043190017030100384becf00fe9503ff392eb0ef0d3775f51ebbbdc99abb097e7e43649e4cf5a6b045b10dd51fae88ce51dd17e63c292e1d3b6bc4d2b5e524350
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb81bfc7a97df52ad5b75d5386
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=68, length=302
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02ab008019001703010018e5c8db5aac6c066c485ed9d84349c06661d80cb88cac9bd71703010058f95b5203bf5406a11f8204e5c9ff3c031497b8c48e2c4ed596a8f9cfa51ff75e2b9bf76ac3c68495721e19293d195ed2d472041ba9539e60d5c703a1829363d37341dddc900803343450801dbcd56b5ebae15794da693e6d
State = 0x8814deeb81bfc7a97df52ad5b75d5386
Message-Authenticator = 0x692eac82692b4c4c30c5e03ca653c1de
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 171 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x02ab00411a02ab003c313eb695228fced3448bf448185a1b560b0000000000000000f252c6370bc3705bdfe5555ae9338a10b5ba72288de07e4a006d6c656e6f69
server {
[peap] Setting User-Name to yyyyy
Sending tunneled request
EAP-Message = 0x02ab00411a02ab003c313eb695228fced3448bf448185a1b560b0000000000000000f252c6370bc3705bdfe5555ae9338a10b5ba72288de07e4a006d6c656e6f69
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "yyyyy"
State = 0xbb51c5a6bbfadfaf825abcaa22d694a6
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 10.129.180.1
server inner-tunnel {
# Executing section authorize from file
/etc/raddb-testing/sites-enabled/inner-tunnel
+- entering group authorize {...}
[auth_log] expand: %{Virtual-Server} -> inner-tunnel
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-inner-tunnel-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-inner-tunnel-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 171 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for yyyyy
[ldap] expand: (uid=%u) -> (uid=yyyyy)
[ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=sarlanga,dc=edu, with
filter (uid=yyyyy)
[ldap] checking if remote access for yyyyy is allowed by radiusAllowed
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{crypt}5.glupOqHA"
[ldap] radiusPassword -> Cleartext-Password == "pulgas"
[ldap] looking for reply items in directory...
[ldap] user yyyyy authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb-testing/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: yyyyy
[mschap] Told to do MS-CHAPv2 for yyyyy with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x01ac00331a03ab002e533d39413841374339354142433645443831334534384146373535453037463639433846314244443044
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb51c5a6bafddfaf825abcaa22d694a6
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x01ac00331a03ab002e533d39413841374339354142433645443831334534384146373535453037463639433846314244443044
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb51c5a6bafddfaf825abcaa22d694a6
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 68 to 10.129.180.1 port 55764
EAP-Message = 0x01ac005319001703010048582dc8183c53ae3d2134db71275f243f43601712a6c44627b4d1381f1c2141a19c9aaba8810d9d9de13075eec7e6a1cff66065961e308bf24cf9a473d8f5d0dc43be68270b31990c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb82b8c7a97df52ad5b75d5386
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=69, length=238
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02ac004019001703010018b43d2d7c7f82555756d2fd3b16e87a5af6b0ac44b0b5d2a61703010018fd3842857f995c59fa42e79d67210d7146eec97a1d953fd1
State = 0x8814deeb82b8c7a97df52ad5b75d5386
Message-Authenticator = 0xbdc84070e732333a170a84aceec7dd0a
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 172 length 64
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x02ac00061a03
server {
[peap] Setting User-Name to yyyyy
Sending tunneled request
EAP-Message = 0x02ac00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "yyyyy"
State = 0xbb51c5a6bafddfaf825abcaa22d694a6
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 10.129.180.1
server inner-tunnel {
# Executing section authorize from file
/etc/raddb-testing/sites-enabled/inner-tunnel
+- entering group authorize {...}
[auth_log] expand: %{Virtual-Server} -> inner-tunnel
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-inner-tunnel-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-inner-tunnel-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 172 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for yyyyy
[ldap] expand: (uid=%u) -> (uid=yyyyy)
[ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=sarlanga,dc=edu, with
filter (uid=yyyyy)
[ldap] checking if remote access for yyyyy is allowed by radiusAllowed
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{crypt}5.glupOqHA"
[ldap] radiusPassword -> Cleartext-Password == "pulgas"
[ldap] looking for reply items in directory...
[ldap] user yyyyy authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [yyyyy] (from client AP-yocadorneotucadorneas-PB-SUM port 5
cli A8-FF-FF-AA-E7-48 via TLS tunnel)
# Executing section post-auth from file
/etc/raddb-testing/sites-enabled/inner-tunnel
+- entering group post-auth {...}
[linelog] expand: /usr/local-test/var/log/radius/linelog ->
/usr/local-test/var/log/radius/linelog
[linelog] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[linelog] expand: %{Packet-Type} %{reply:Packet-Type} %{User-Name}
%{EAP-Type:-PAP} %{NAS-IP-Address} %{NAS-Identifier} -> Access-Request
Access-Accept yyyyy MS-CHAP-V2 10.129.180.1
AP-yocadorneotucadorneas-PB-SUM
++[linelog] returns ok
[reply_log] expand: %{Virtual-Server} -> inner-tunnel
[reply_log] expand:
/usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/replies/10.129.180.1/reply-detail-inner-tunnel-20120710
[reply_log] /usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/replies/10.129.180.1/reply-detail-inner-tunnel-20120710
[reply_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[reply_log] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x016b3d4d79555d8ffdd2999bdc4ed987
MS-MPPE-Recv-Key = 0xb01b2bb020cf345a4141d5d2d6c82ca9
EAP-Message = 0x03ac0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "yyyyy"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x016b3d4d79555d8ffdd2999bdc4ed987
MS-MPPE-Recv-Key = 0xb01b2bb020cf345a4141d5d2d6c82ca9
EAP-Message = 0x03ac0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "yyyyy"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 69 to 10.129.180.1 port 55764
EAP-Message = 0x01ad002b19001703010020be08b0114c9fff08b9bec860f8bea503abcbdafac449467b0b92a56001336215
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8814deeb83b9c7a97df52ad5b75d5386
Finished request 11.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.129.180.1 port 55764,
id=70, length=246
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02ad004819001703010018256b110d9946f17c6d89933febaccaf415e820c89ea931981703010020af0105fc0964b833222e642a69e790f244caea25a0a4219d56da823f8c03ed88
State = 0x8814deeb83b9c7a97df52ad5b75d5386
Message-Authenticator = 0x187841b23947f774d7a9ce533effc1db
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 173 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "yyyyy"
[peap] Saving response in the cache
[eap] Freeing handler
++[eap] returns ok
Login OK: [yyyyy] (from client AP-yocadorneotucadorneas-PB-SUM port 5
cli A8-FF-FF-AA-E7-48)
# Executing section post-auth from file /etc/raddb-testing/sites-enabled/default
+- entering group post-auth {...}
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.180.1/auth-detail-AP-yocadorneotucadorneas-PB-SUM-DEFAULT-20120710
[auth_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[auth_log] returns ok
[linelog] expand: /usr/local-test/var/log/radius/linelog ->
/usr/local-test/var/log/radius/linelog
[linelog] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[linelog] expand: %{Packet-Type} %{reply:Packet-Type} %{User-Name}
%{EAP-Type:-PAP} %{NAS-IP-Address} %{NAS-Identifier} -> Access-Request
Access-Accept yyyyy PEAP 10.129.180.1 AP-yocadorneotucadorneas-PB-SUM
++[linelog] returns ok
[reply_log] expand: %{Virtual-Server} ->
[reply_log] ... expanding second conditional
[reply_log] expand:
/usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/replies/10.129.180.1/reply-detail-DEFAULT-20120710
[reply_log] /usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/replies/10.129.180.1/reply-detail-DEFAULT-20120710
[reply_log] expand: %t -> Tue Jul 10 12:19:46 2012
++[reply_log] returns ok
++[exec] returns noop
Sending Access-Accept of id 70 to 10.129.180.1 port 55764
User-Name = "yyyyy"
MS-MPPE-Recv-Key =
0xe51a247fdc7439415a900365b5d85218ff058272cf645fdbef6c6e90b5bb1dea
MS-MPPE-Send-Key =
0x9fc773164859d4fe14b4890fb97748a4253016cde71c265c05fd7436040a4569
EAP-Message = 0x03ad0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 12.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Accounting-Request packet from host 10.129.180.1 port 48923,
id=71, length=161
Acct-Session-Id = "4FFC46F9-00000004"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = "yyyyy"
NAS-Identifier = "AP-yocadorneotucadorneas-PB-SUM"
NAS-Port = 5
Called-Station-Id = "00-XX-XX-XX-25-D0:sarlanga-I"
Calling-Station-Id = "A8-FF-FF-AA-E7-48"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
# Executing section preacct from file /etc/raddb-testing/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 5,Client-IP-Address =
10.129.180.1,NAS-IP-Address = 10.129.180.1,Acct-Session-Id =
"4FFC46F9-00000004",User-Name = "yyyyy"'
[acct_unique] Acct-Unique-Session-ID = "dddf83abe2685566".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "yyyyy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file
/etc/raddb-testing/sites-enabled/default
+- entering group accounting {...}
[detail] expand:
/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/10.129.180.1/detail-20120710
[detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/10.129.180.1/detail-20120710
[detail] expand: %t -> Tue Jul 10 12:19:46 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local-test/var/log/radius/radutmp ->
/usr/local-test/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> yyyyy
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> yyyyy
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 71 to 10.129.180.1 port 48923
Finished request 13.
Cleaning up request 13 ID 71 with timestamp +2
Going to the next request
Waking up in 4.6 seconds.
Thanks in advance
--
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
5
10
(sorry if this is duplicate)
i have modified the sql queries and removed unnecessary whitespace,
but am still getting some queries cut-off in the log.
the main issue is with accounting stop requests.
(i am using the default queries provided with freeradius 2.1.12 - dialup.conf)
is there a way to increase the space/memory available for sql queries?
the main issue is with accounting stop requests.
in addition i have found the following in the logs:
rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
++[sql] returns fail
number of DB connections has already been raised from the default 5 to 25,
this is a rare error, but it still exists, might be related.
Amir.
From: Amir Tal
Sent: Wednesday, July 11, 2012 4:48 PM
To: 'freeradius-users(a)lists.freeradius.org'
Subject: sql returns fail for some stop requests
Freeradius ver 2.1.12, configured to use ldap for auth, sql for acct.
Sometimes users' sessions get stuck and have to be closed manualy (simultaneous use is turned on for all users).
After extensive debugging I have found the following in the logs (radius -X)
[<thread>] # Executing section preacct from file /etc/raddb/sites-enabled/default
[<thread>] +- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 14117776,Client-IP-Address = xx.xx.xx.xx,NAS-IP-Address = xx.xx.xx.xx,Acct-Session-Id = "erx ip:109.226.0.9:147.235.234.115:1e47:6248:14c2:8b6a:5dac845:0060992452",Use
r-Name = "xxxxxxxxx@ccc"'
[acct_unique] Acct-Unique-Session-ID = "d49ba42fa077f5f0".
++[acct_unique] returns ok
[suffix] Looking up realm "ccc" for User-Name = "xxxxxxxxx@ccc"
[suffix] Found realm "ccc"
[suffix] Adding Stripped-User-Name = "xxxxxxxxx"
[suffix] Adding Realm = "ccc"
[suffix] Accounting realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> xx.xx.xx.xx
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/xx.xx.xx.xx/detail-20120711
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/xx.xx.xx.xx/detail-20120711
[detail] expand: %t -> Wed Jul 11 02:03:45 2012
Cleaning up request 12612249 ID 93 with timestamp +729235
++[detail] returns ok
[detail.moreshet] expand: /var/log/radius/radacct/moreshet.relay -> /var/log/radius/radacct/moreshet.relay
[detail.moreshet] /var/log/radius/radacct/moreshet.relay expands to /var/log/radius/radacct/moreshet.relay
[detail.moreshet] expand: %t -> Wed Jul 11 02:03:45 2012
++[detail.moreshet] returns ok
++[unix] returns ok
[sql] expand: %{Stripped-User-Name} -> xxxxxxxxx
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> xxxxxxxxx
[sql] sql_set_user escaped user --> 'xxxxxxxxx'
[sql] expand: %{Acct-Input-Gigawords} -> 0
[sql] expand: %{Acct-Input-Octets} -> 4001
[sql] expand: %{Acct-Output-Gigawords} -> 0
[sql] expand: %{Acct-Output-Octets} -> 8134
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2012-07-11 02:03:45', acctsessiontime = '517', acctinputoctets = '0' << 32 | '4001', acctoutputoctets = '0' << 32 |
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
Cleaning up request 12612250 ID 95 with timestamp +729235
++[sql] returns fail
Thread 20 got semaphore
Thread 19 got semaphore
It seems the last SQL query line is cut off for some reason, this only happens on some connections, while others are stopped correctly.
Not specific to users or time of day.
Versions information:
cat /etc/issue :
CentOS release 5.6 (Final)
Kernel \r on an \m
rpm -qa | grep radius :
freeradius2-python-2.1.12-7
freeradius2-ldap-2.1.12-7
freeradius2-2.1.12-7
freeradius2-krb5-2.1.12-7
freeradius2-mysql-2.1.12-7
freeradius2-utils-2.1.12-7
freeradius2-postgresql-2.1.12-7
freeradius2-perl-2.1.12-7
freeradius2-unixODBC-2.1.12-7
additional logs and/or information can be provided if required.
Help would be appreciated.
The Cloud has no limit !
[cid:image001.jpg@01CD629C.B663DAB0]<http://www.ccc.co.il/>
Amir Tal
Systems Automation Expert
Cloud Services
Direct: 972-(0)3-9201471
Fax: 972-(0)-3-9201442
www.ccc.co.il<http://www.ccc.co.il/> [cid:image002.png@01CD629C.B663DAB0] <http://www.facebook.com/triplec.il>
2
1
The following questions about changing default_md and default_eap_type
is solely for the matter that I should have RADIUS work on some
Linux-machines and some Windows-machines all of them hopefully with TLS
client sertificates mainly.
There are some diversities as to MD5 and post SP1 WinXP:
http://freeradius.org/doc/EAP-MD5.html
QUOTE:
Windows XP (before SP1)
Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!!
EAP-MD5 is only available for wired devices.
Go to the Network Connections window. Right-click the connection
corresponding to the adapter which is going to use EAP authentication.
Go to the "Authentication" tab. If it doesn’t appear (yes, it’s weird
sometimes) try to unplug and plug your adapter till it does (if
PCMCIA...) Otherwise, download the software for the adapter
configuration like e.g. ACU for the Cisco adapters and try to de- and
reactivate the card.
In the Authentication dialog, assure the box "Use IEEE802.1X network
authentication" is checked. Set your EAP type there (EAP/MD5 Challenge).
That’s all. Now deactivate and reactivate your LAN-connection on this
adapter and it should work.
ENDQUOTE.
This recommendation is put forth in the etc/raddb/certs/README:
QUOTE:
MD5 has known weaknesses and is discouraged in favor of SHA1 (see
http://www.kb.cert.org/vuls/id/836068 for details). If your network
equipment supports the SHA1 signature algorithm, we recommend that you
change the "ca.cnf", "server.cnf", and "client.cnf" files to specify
the use of SHA1 for the certificates. To do this, change the
'default_md' entry in those files from 'md5' to 'sha1'.
ENDQUOTE.
In the eap.conf this is put forth:
QUOTE:
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
ENDQUOTE.
QUESTIONS:
->Should I stick only to the changes of default_md in ca.*,server.*, and
client.cnf and leave the eap.conf unchanged, or should I add a module
like:
sha1 {
}
or change the md5{} to sha1{}
or should it be done differently? . I count for the postulate in
eap.conf that:
QUOTE:
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
ENDQUOTE
and therefore I do no not need to change so much in eap.conf
->Should I by all means keep winXP-userclient to a PEAP solution because
the nice doc in:
http://freeradius.org/doc/EAPTLS.pdf
for Windows is outdated or wont work today?
It could be that I complicate the matter here by mixing together parts
that do not belong to each other, but I have to ask....
--
Si St
sigbj-st(a)operamail.com
--
http://www.fastmail.fm - The professional email service
2
2
Hello list,
is there a way to gather statistics for an IPv6 Socket with the status
server?
For example my radius server has the following listen sections:
udp 0 0 127.0.0.1:18120 0.0.0.0:*
2355/radiusd
udp 0 0 0.0.0.0:1645 0.0.0.0:*
2355/radiusd
udp 0 0 0.0.0.0:1646 0.0.0.0:*
2355/radiusd
udp 0 0 0.0.0.0:1812 0.0.0.0:*
2355/radiusd
udp 0 0 0.0.0.0:1813 0.0.0.0:*
2355/radiusd
udp 0 0 ::1:18120 :::*
2355/radiusd
udp 0 0 :::1812 :::*
2355/radiusd
udp 0 0 :::1813 :::*
2355/radiusd
I am able to gather statistics for the IPv4 Sockets like:
# echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 67,
FreeRADIUS-Stats-Server-IP-Address = 192.168.1.14,
FreeRADIUS-Stats-Server-Port = 1812" | radclient localhost:18120 status
adminsecret
Received response ID 52, code 2, length = 248
FreeRADIUS-Stats-Server-IP-Address = 192.168.1.14
FreeRADIUS-Stats-Server-Port = 1812
FreeRADIUS-Total-Access-Requests = 0
FreeRADIUS-Total-Access-Accepts = 0
FreeRADIUS-Total-Access-Rejects = 0
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
FreeRADIUS-Total-Accounting-Requests = 0
FreeRADIUS-Total-Accounting-Responses = 0
FreeRADIUS-Total-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Acct-Dropped-Requests = 0
FreeRADIUS-Total-Acct-Unknown-Types = 0
1. How can I gather statistics for the IPv6 sockets, I didn't find any
IPv6 attributes like "FreeRADIUS-Stats-Server-IPv6-Address".
2. Is there a way to query the IPv6 localhost socket for status server?
echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 67,
FreeRADIUS-Stats-Server-IP-Address = 192.168.1.14,
FreeRADIUS-Stats-Server-Port = 1812" | radclient [::1]:18120 status
adminsecret
did not work.
Regards,
Tobias Hachmer
2
1