Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2013
- 72 participants
- 86 discussions
Before running radius in debug mode, try iptables -F with root privileges, it disables iptables default rules
Phil Mayers <p.mayers(a)imperial.ac.uk> ha scritto:
>On 14/08/13 15:07, Kurt Hillig wrote:
>
>> But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 -
>> tcpdump shows it coming in, but "radiusd -X" shows no indication of
>> this traffic (but is reporting all of the traffic on eth0).
>
>If "radiusd -X" isn't reporting *anything*, then it's not reaching
>FreeRADIUS, which means some part of the network stack is dropping it.
>
>If you're sure your iptables are correct, google "linux log martians"
>and "linux rp filter". RHEL6 has different defaults to previous RHEL
>versions in this regard.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
3
3
Hi,
I have installed fr 2.1.10 w openldap and I can authenticate users
against ldap.
I have also added groups in ldap and allowed ldap module to search
groups and it also works fine.
Now the problem is that is huntgroups wont work. I need to restrict
access to NAS for specific groups. I can see that groups match
"rlm_ldap::ldap_groupcmp: User found in group xxxx", huntgroup match
wont work.
file huntgroups:
xxxx NAS-IP-Address == 172.150.0.1
file users:
DEFAULT Ldap-Group == "xxxx"
Huntgroup-Name == "xxxx"
I am very glad for any help and if someone have better solution for
this i'm happy to hear it. There is about 600 NAS (sw's and routers)
for different customers and we need to provide mgmt access to
customers and our NOC staff, so i think we need to use huntgroups w
groups and if someone have example for this one I'm very glad for that
also.
Best regards,
Ville Leinonen
3
7
Dear, I have installed the Easyhotspot captive portal product which
uses the freeradius 2.1.0 service in order to authenticate users.
I can authenticate with Windows, Linux and Android devices, but I
can't authenticate with Apple devices (iphone and ipad) at all.
Is it an intrinsic problem of Freeradius ???
Thanks a lot.
Roberto
4
6
Hi all,
I'm using Freeradius version 2.1.12 with MySQL backend and EAP-TLS
authentication to serve dynamic VLAN and a DHCP server to leases this IP
address. This setup work sucefully but IP address of supplicants doesn't
stored in the database.
Is there any setup to store IP address of supplicants in the database?
How sqlippoll works? does it work as a DHCP server?
Is it posible to setup Freeradius with DHCP module to server diferents
VLANs?
Thanks for all.
Fernando
2
2
Hello.
I am currently trying to install LinOTP with FreeRADIUS. I spent 3-4 hours
to get to work perl script
http://www.howtoforge.com/how-to-use-freeradius-with-linotp-2-to-do-two-fac…
.
There was a problem with LWP::UserAgent and ssl connection (Error:
rlm_perl: perl_embed:: module = /usr/local/etc/raddb/radius.pl , func =
authenticate exit status= Error at
https://172.16.17.18/validate/simplecheck 500 Can't connect to
172.16.17.18:443)
But i change script a little bit and faced other problem that concern
Useridresolving. Is it OK that Comunity Edition reports that "Error saving
sql configuration: No module named useridresolveree.SQLIdResolver"?
I want to have single username database and want to connect LinOTP to
radius mysql database. Is it possible?
--
------------------------------
PRIVILEGED AND CONFIDENTIAL COMMUNICATION
This e-mail transmission, and any documents, files or previous e-mail
messages
attached to it, may contain confidential information that is legally
privileged.
If you are not the intended recipient or a person responsible for
delivering it
to the intended recipient, you are hereby notified that any disclosure,
copying,
distribution or use of any of the information contained in or attached to
this
transmission is strictly prohibited.
If you have received this transmission in error, please: (1) immediately
notify
me by reply e-mail, or by collect telephone call; and (2) destroy the
original
transmission and its attachments without reading or saving in any manner.
3
3
Hi,
First question from beginners
We've found in the freeradius wiki, that the correct way to manage connection to mysql is to initiate the connection in the CLONE function.
But where should we put $dbh->disconnect() to be sure that any connection will also be closed ? Whatever the result of the request treatment, and the stage in which the module may exit.
Thank you
best regards
2
1
If your NAS can't send accounting then there's nothing you can do at the freeradius end to make it do accounting
alan
1
0
Hi
That's just an authentication request.... accounting packets is what you need. Is your kit configured to send accounting to this RADIUS server?
alan
2
1
Hi ,
I want to use the sql_counter module in my radius server.
The SQL module seems to work correct, but the calculating of the
connection time does not return any result because there is no entry
at all in the radius database table "radacct" after a test user has
logged in or stays logged in.
I have no idea where I have to look next. The FreeRadius runs on a
Synology NAS and I'm also not sure if all modules are precompiled and
usable.
My User table radcheck looks like this:
username: attribute: op: value:
tee Cleartext-Password := abc
tee Max-All-Session := 120
the radusergroup is empty.
Attached is the radius -X debug message after one test-user has connected.
Any hints ?
Thanks and Regards
Lu
FreeRADIUS Version 2.1.10, for host armle-unknown-linux-gnu, built on
Mar 14 2013 at 11:55:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file
/var/packages/RadiusServer/target//etc/raddb/radiusd.conf
including configuration file /usr/local/synoradius/rad_listen
including configuration file /usr/local/synoradius/rad_port_auth
including configuration file /usr/local/synoradius/rad_port_auth
including configuration file /usr/local/synoradius/rad_port_auth
including configuration file
/var/packages/RadiusServer/target//etc/raddb/clients.conf
including configuration file /usr/local/synoradius/rad_clients
including files in directory
/var/packages/RadiusServer/target//etc/raddb/modules/
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/counter
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/checkval
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/logintime
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/perl
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/detail.log
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/linelog
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/attr_rewrite
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/inner-eap
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/sradutmp
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/preprocess
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/dynamic_clients
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/chap
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/unix
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/realm
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/digest
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/files
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/etc_group
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/wimax
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/ippool
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/radutmp
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/expiration
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/echo
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/sqlcounter_expire_on_login
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/expr
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/mac2vlan
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/krb5
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/exec
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/always
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/smbpasswd
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/cui
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/pam
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/passwd
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/opendirectory
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/mschap_ad
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/ldap
including configuration file /usr/local/synoradius/rad_ldap
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/detail
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/policy
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/mschap
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/detail.example.com
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/attr_filter
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/smsotp
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/acct_unique
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/pap
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/otp
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/mac2ip
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/sql_log
including configuration file
/var/packages/RadiusServer/target//etc/raddb/modules/ntlm_auth
including configuration file /usr/local/synoradius/rad_ntlm_auth
including configuration file
/var/packages/RadiusServer/target//etc/raddb/eap.conf
including configuration file
/var/packages/RadiusServer/target//etc/raddb/sql.conf
including configuration file
/var/packages/RadiusServer/target//etc/raddb/sql/mysql/dialup.conf
including configuration file
/var/packages/RadiusServer/target//etc/raddb/./counter.conf
including configuration file
/var/packages/RadiusServer/target//etc/raddb/counter.conf
including configuration file
/var/packages/RadiusServer/target//etc/raddb/policy.conf
including files in directory
/var/packages/RadiusServer/target//etc/raddb/sites-enabled/
including configuration file
/var/packages/RadiusServer/target//etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/synoradius/rad_site_inn
including configuration file /usr/local/synoradius/rad_site_inn_local
including configuration file /usr/local/synoradius/rad_port_inner
including configuration file
/var/packages/RadiusServer/target//etc/raddb/sites-enabled/control-socket
including configuration file
/var/packages/RadiusServer/target//etc/raddb/sites-enabled/default
including configuration file /usr/local/synoradius/rad_site_def
including configuration file /usr/local/synoradius/rad_site_def_local
main {
allow_core_dumps = no
}
including dictionary file
/var/packages/RadiusServer/target//etc/raddb/dictionary
main {
prefix = "/var/packages/RadiusServer/target/"
localstatedir = "/var/packages/RadiusServer/target//var"
logdir = "/var/packages/RadiusServer/target//var/log/radius"
libdir = "/var/packages/RadiusServer/target//lib"
radacctdir =
"/var/packages/RadiusServer/target//var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile =
"/var/packages/RadiusServer/target//var/run/radiusd/radiusd.pid"
checkrad = "/var/packages/RadiusServer/target//sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client 192.168.178.25/24 {
require_message_authenticator = no
secret = "xxxx"
shortname = "EASYBOX"
}
client 127.0.0.1/24 {
require_message_authenticator = no
secret = "xxxx"
shortname = "Localhost"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/var/packages/RadiusServer/target//etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/var/packages/RadiusServer/target//etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/var/packages/RadiusServer/target//etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/var/packages/RadiusServer/target//etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file
/var/packages/RadiusServer/target//etc/raddb/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = "3306"
login = "radius"
password = "xxxx"
radius_db = "radius"
read_groups = yes
sqltrace = yes
sqltracefile =
"/var/packages/RadiusServer/target//var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username =
'%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username =
'%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') -
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL
AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct
SET framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress,
nasportid, nasporttype, acctstarttime,
acctsessiontime, acctauthentic, connectinfo_start,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, servicetype, framedprotocol,
framedipaddress, acctstartdelay,
xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}',
'', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO
radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress,
nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay,
xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct
SET acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0}
+ %{%{Acct-Delay-Time}:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY
priority"
connect_failure_retry_delay = 6
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid,
username, nasipaddress, nasportid,
framedipaddress, callingstationid,
framedprotocol FROM
radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:3306/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /usr/local/synoradius/rad_site_inn_local
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/var/packages/RadiusServer/target//etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/var/packages/RadiusServer/target//etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/var/packages/RadiusServer/target//etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/var/packages/RadiusServer/target//etc/raddb/modules/unix
unix {
radwtmp = "/var/packages/RadiusServer/target//var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/var/packages/RadiusServer/target//etc/raddb/eap.conf
eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/syno/etc/ssl/ssl.crt"
pem_file_type = yes
private_key_file = "/usr/syno/etc/ssl/ssl.key/server.key"
certificate_file = "/usr/syno/etc/ssl/ssl.crt/server.crt"
CA_file = "/usr/syno/etc/ssl/ssl.crt/ca.crt"
private_key_password = "12345"
dh_file = "/var/packages/RadiusServer/target//etc/raddb/certs/dh"
random_file =
"/var/packages/RadiusServer/target//etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/var/packages/RadiusServer/target//etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/var/packages/RadiusServer/target//etc/raddb/modules/files
files {
usersfile = "/var/packages/RadiusServer/target//etc/raddb/users"
acctusersfile =
"/var/packages/RadiusServer/target//etc/raddb/acct_users"
preproxy_usersfile =
"/var/packages/RadiusServer/target//etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_passwd
Module: Instantiating module "smbpasswd" from file
/var/packages/RadiusServer/target//etc/raddb/modules/smbpasswd
passwd smbpasswd {
filename = "/usr/syno/etc/private/smbpasswd"
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
delimiter = ":"
ignorenislike = no
ignoreempty = yes
allowmultiplekeys = no
hashsize = 100
}
rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/var/packages/RadiusServer/target//etc/raddb/modules/radutmp
radutmp {
filename = "/var/packages/RadiusServer/target//var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/var/packages/RadiusServer/target//etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile =
"/var/packages/RadiusServer/target//etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file
/var/packages/RadiusServer/target//etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/var/packages/RadiusServer/target//etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/var/packages/RadiusServer/target//etc/raddb/modules/preprocess
preprocess {
huntgroups = "/var/packages/RadiusServer/target//etc/raddb/huntgroups"
hints = "/var/packages/RadiusServer/target//etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_sqlcounter
Module: Instantiating module "noresetcounter" from file
/var/packages/RadiusServer/target//etc/raddb/counter.conf
sqlcounter noresetcounter {
counter-name = "Max-All-Session-Time"
check-name = "Max-All-Session"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE
UserName='%{%k}'"
reset = "never"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Reply attribute set to Session-Timeout.
rlm_sqlcounter: Counter attribute Max-All-Session-Time is number 11273
rlm_sqlcounter: Check attribute Max-All-Session is number 11274
rlm_sqlcounter: Current Time: 1376339087 [2013-08-12 23:24:47], Next
reset 0 [2013-08-12 23:00:00]
rlm_sqlcounter: Current Time: 1376339087 [2013-08-12 23:24:47], Prev
reset 0 [2013-08-12 23:00:00]
Module: Instantiating module "dailycounter" from file
/var/packages/RadiusServer/target//etc/raddb/counter.conf
sqlcounter dailycounter {
counter-name = "Daily-Session-Time"
check-name = "Max-Daily-Session"
reply-name = "Session-Timeout"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctsessiontime - GREATEST((%b -
UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username =
'%{%k}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
reset = "daily"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Daily-Session-Time is number 11275
rlm_sqlcounter: Check attribute Max-Daily-Session is number 11276
rlm_sqlcounter: Current Time: 1376339087 [2013-08-12 23:24:47], Next
reset 1376341200 [2013-08-13 00:00:00]
rlm_sqlcounter: Current Time: 1376339087 [2013-08-12 23:24:47], Prev
reset 1376254800 [2013-08-12 00:00:00]
Module: Instantiating module "monthlycounter" from file
/var/packages/RadiusServer/target//etc/raddb/counter.conf
sqlcounter monthlycounter {
counter-name = "Monthly-Session-Time"
check-name = "Max-Monthly-Session"
reply-name = "Session-Timeout"
key = "User-Name"
sqlmod-inst = "sql"
query = "SELECT SUM(acctsessiontime - GREATEST((%b -
UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username='%{%k}'
AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"
reset = "monthly"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sqlcounter: Reply attribute Session-Timeout is number 27
rlm_sqlcounter: Counter attribute Monthly-Session-Time is number 11277
rlm_sqlcounter: Check attribute Max-Monthly-Session is number 11278
rlm_sqlcounter: Current Time: 1376339087 [2013-08-12 23:24:47], Next
reset 1377982800 [2013-09-01 00:00:00]
rlm_sqlcounter: Current Time: 1376339087 [2013-08-12 23:24:47], Prev
reset 1375304400 [2013-08-01 00:00:00]
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/var/packages/RadiusServer/target//etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/var/packages/RadiusServer/target//etc/raddb/modules/detail
detail {
detailfile =
"/var/packages/RadiusServer/target//var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /var/packages/RadiusServer/target//etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile =
"/var/packages/RadiusServer/target//etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.178.24
port = 1812
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 1812
}
listen {
type = "auth"
ipaddr = 10.8.0.1
port = 1812
}
listen {
type = "control"
listen {
socket =
"/var/packages/RadiusServer/target//var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address 192.168.178.24 port 1812
Listening on authentication address 127.0.0.1 port 1812
Listening on authentication address 10.8.0.1 port 1812
Listening on command file
/var/packages/RadiusServer/target//var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.178.25 port 32888,
id=2, length=148
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202000801746565
Message-Authenticator = 0xf59055370165c1ac3839db5f8195752c
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[sql] expand: %{User-Name} -> tee
[sql] sql_set_user escaped user --> 'tee'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'tee'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'tee'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'tee' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = 'tee' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='%{User-Name}''
[noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='%{User-Name}' -> SELECT
IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='tee'
sqlcounter_expand: '%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='tee'}'
[noresetcounter] sql_xlat
[noresetcounter] expand: %{User-Name} -> tee
[noresetcounter] sql_set_user escaped user --> 'tee'
[noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='tee' -> SELECT IFNULL(SUM(AcctSessionTime),0)
FROM radacct WHERE UserName='tee'
[noresetcounter] expand:
/var/packages/RadiusServer/target//var/log/radius/sqltrace.sql ->
/var/packages/RadiusServer/target//var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='tee'
[noresetcounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[noresetcounter] expand: %{sql:SELECT IFNULL(SUM(AcctSessionTime),0)
FROM radacct WHERE UserName='tee'} -> 0
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user tee, check_item=10, counter=0
rlm_sqlcounter: Sent Reply-Item for user tee, Type=Session-Timeout, value=10
++[noresetcounter] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.178.25 port 32888
Session-Timeout = 10
EAP-Message =
0x0103001d1a01030018102526be8601cef6396823d8998c0b6b83746565
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878580f59d56ed034e3134225de2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32889,
id=3, length=164
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878580f59d56ed034e3134225de2
EAP-Message = 0x020300060319
Message-Authenticator = 0xee84edb24a2bb9a12f35e3a403393663
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[sql] expand: %{User-Name} -> tee
[sql] sql_set_user escaped user --> 'tee'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'tee'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'tee'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'tee' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = 'tee' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct
WHERE UserName='%{User-Name}''
[noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='%{User-Name}' -> SELECT
IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE UserName='tee'
sqlcounter_expand: '%{sql:SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='tee'}'
[noresetcounter] sql_xlat
[noresetcounter] expand: %{User-Name} -> tee
[noresetcounter] sql_set_user escaped user --> 'tee'
[noresetcounter] expand: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='tee' -> SELECT IFNULL(SUM(AcctSessionTime),0)
FROM radacct WHERE UserName='tee'
[noresetcounter] expand:
/var/packages/RadiusServer/target//var/log/radius/sqltrace.sql ->
/var/packages/RadiusServer/target//var/log/radius/sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT IFNULL(SUM(AcctSessionTime),0) FROM
radacct WHERE UserName='tee'
[noresetcounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 1
[noresetcounter] expand: %{sql:SELECT IFNULL(SUM(AcctSessionTime),0)
FROM radacct WHERE UserName='tee'} -> 0
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user tee, check_item=10, counter=0
rlm_sqlcounter: Sent Reply-Item for user tee, Type=Session-Timeout, value=10
++[noresetcounter] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[dailycounter] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[monthlycounter] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.178.25 port 32889
Session-Timeout = 10
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878581f29e56ed034e3134225de2
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32890,
id=4, length=358
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878581f29e56ed034e3134225de2
EAP-Message =
0x020400c81980000000be16030100b9010000b503015209453a90c3ad1dc68b3867c87da1c17aca3b3104bd3f8411b2f706669db885000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
Message-Authenticator = 0xa061bb8038b36017614af4150749eb45
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 200
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 190
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00b9], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 068d], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.178.25 port 32890
EAP-Message =
0x0105040019c00000086316030100310200002d0301520944b6b2e68061e8cb6e0810d75b046a7fc240531e641cc6ca21bd7fe212ae000039000005ff01000100160301068d0b00068900068600032f3082032b30820294a00302010202051132211a60300d06092a864886f70d01010505003081a7310b3009060355040613025457310f300d0603550408130654616977616e310f300d0603550407130654616970656931163014060355040a130d53796e6f6c6f677920496e632e311e301c060355040b1315436572746966696361746520417574686f72697479311930170603550403131053796e6f6c6f677920496e632e204341312330210609
EAP-Message =
0x2a864886f70d010901161470726f647563744073796e6f6c6f67792e636f6d301e170d3133303733313136313431335a170d3333303431373136313431335a308196310b3009060355040613025457310f300d0603550408130654616977616e310f300d0603550407130654616970656931163014060355040a130d53796e6f6c6f677920496e632e3111300f060355040b1308465450205465616d311530130603550403130c73796e6f6c6f67792e636f6d3123302106092a864886f70d010901161470726f647563744073796e6f6c6f67792e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cb8bd49b3ff39917
EAP-Message =
0x1a0e21017d6b4d5c453d099ea419d8b6936d113e108f35aa2479645bd2b9c1f41759efd7c4386c4db0a2931e9d55d3bb8592c9861a56eca4080d40ba4b1854f9d754d076c1a73293c1f80ef990d1c4f115a9a3b2911f16af46cb894772f166323ae0b863d88a1b2a234c5f94ce518875b461fab3ee875a850203010001a3723070301f0603551d1104183016811470726f647563744073796e6f6c6f67792e636f6d303a06096086480186f842010d042d162b6d6f645f73736c2067656e65726174656420637573746f6d20736572766572206365727469666963617465301106096086480186f8420101040403020640300d06092a864886f70d0101
EAP-Message =
0x050500038181009215bcd8253932c648f6a14119b66f48438125886dcbc96eeee7b4cb3e56389c9b6ff5932a9b184e913aacc14408d82f7fe5eb371080139aa50d28326d4bd535f95bb3fd2de3dcb48a9b0d1a7c341e803bf4a76250883d716dca25f0821889a9363896f788462613e51e705dc112cfbb830d4f2b4a92939fa38a47d5c08ed6070003513082034d308202b6a0030201020209009fd19fa01a036ca5300d06092a864886f70d01010505003081a7310b3009060355040613025457310f300d0603550408130654616977616e310f300d0603550407130654616970656931163014060355040a130d53796e6f6c6f677920496e632e311e
EAP-Message = 0x301c060355040b1315436572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878582f39e56ed034e3134225de2
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32891,
id=5, length=164
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878582f39e56ed034e3134225de2
EAP-Message = 0x020500061900
Message-Authenticator = 0xafa2dd19e749573ebea82436d5b89cad
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.178.25 port 32891
EAP-Message =
0x010603fc1940746966696361746520417574686f72697479311930170603550403131053796e6f6c6f677920496e632e2043413123302106092a864886f70d010901161470726f647563744073796e6f6c6f67792e636f6d301e170d3133303733313136313431325a170d3333303431373136313431325a3081a7310b3009060355040613025457310f300d0603550408130654616977616e310f300d0603550407130654616970656931163014060355040a130d53796e6f6c6f677920496e632e311e301c060355040b1315436572746966696361746520417574686f72697479311930170603550403131053796e6f6c6f677920496e632e204341
EAP-Message =
0x3123302106092a864886f70d010901161470726f647563744073796e6f6c6f67792e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b5b133c2343ee72c325b5567566e16984e3ad4f964f71d5c676cada2e7a55a8957fd5aa30f7647f72d58206bfd7f13d65be2f1252a12a8dbfa999bc4bfced5676e0604bce97bc997c7c464be66d45af768e05e44dd0f03d4f6e53031c14e078637e764e161ac6b2f90047b7afa8c277c9520ae95491517d552aca0841f3215b10203010001a37f307d301f0603551d1104183016811470726f647563744073796e6f6c6f67792e636f6d300f0603551d13040830060101ff020100
EAP-Message =
0x303606096086480186f842010d042916276d6f645f73736c2067656e65726174656420637573746f6d204341206365727469666963617465301106096086480186f8420101040403020204300d06092a864886f70d0101050500038181002456f5d7e49a3cf41f5cd5b7f785e9880ad4748e80a614f20b311b44b38e3473b057088573cf4c4b4a78c0447b290964bf09c31f9f7aba5135f3afec170ebd75d978971ede94fd8790ab4e1cf34044f6e5b81cf3d50043195de029497756df668ab2f30b9eb59b32eaddd5cc8ac37e0dafdf87c13f976a1d9557e56f1e703315160301018d0c0001890080ba686466df6626c54cb03b6bbb2eb1522c8d2c8b
EAP-Message =
0xcdec316e5dceff84790a957f998ba7f1f109022e0e0c1f488cf51205d0d52a037fd93eb516aa86077df28d768f06c9a5538c860e17447be3d586bd2eba6930a1f07bd0b6abf3411783100e25d2b072097153a03081a6ced3e1ba10949d76a45c7e45f7a21ffe9ebc356bf2db00010200806b20fdffec6f7616b1ac0792a9ee1f111049b7f8071650e56d23fcdd7f3415fc04dc2f5be34de147b3b0ac318d0417ffe53e92f66712f1cafcebe3f1393b90563d5efd20a07ce8bc537cb002dd9ecc8d8cc638d0e4f489af364445e2dabee94c19213b4b64a28ce00d2ef4e6b73a50635d7287f0a7320a8ca7c1d5e244f8d72e00803f5fca5ed430815840c6
EAP-Message = 0xca51c8a72b134129
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878583f09e56ed034e3134225de2
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32892,
id=6, length=164
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878583f09e56ed034e3134225de2
EAP-Message = 0x020600061900
Message-Authenticator = 0xad5cb37a135449788276514fb81fb9fd
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.178.25 port 32892
EAP-Message =
0x0107007d19005de838683537a84f610da2c4f9a1369bd6e9ca9fd0aa2b44cd7d84186e925f4c2db27fb7d62b54caa6830c26a0160954a854648dc84a6205ad79d9cceafae9732b8d41d72935baeff7ce5c37dc82b4574ffe9cca9d7c460e1a15badc88c75a6d43f843c3108256f4ade50967559816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878584f19e56ed034e3134225de2
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32893,
id=7, length=366
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878584f19e56ed034e3134225de2
EAP-Message =
0x020700d01980000000c616030100861000008200808bdd91a9487dccff09234e723cee7ba21725e2a670592009c304699865f930e253859f4b20ba934f14dda2549b720816e2b91162a41e36ed46e0a1959e7072400110121bfee72de20d31145db146f527147ebecd9c1f454c025b5d023b689ab64afba2ad9f20924f18a392ebaf2c0a5130b5f9fa444c25f817f7ecfa4972f192140301000101160301003060d9a90b7ed3fd213a43238d564c566728df397a55a7eee655ddb648c1740bd72181631eb7261cc0eceb52424e8fbfc8
Message-Authenticator = 0x256730f0831061eae27cb1af7157bfe9
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.178.25 port 32893
EAP-Message =
0x0108004119001403010001011603010030b8d1cdfe3b2fe4ea114acf6db4bc356e3985ce457b3a1149c84cbfcb02ac65bc4d33d0eb2f8a6e950401633ce4600303
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878585fe9e56ed034e3134225de2
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32894,
id=8, length=164
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878585fe9e56ed034e3134225de2
EAP-Message = 0x020800061900
Message-Authenticator = 0xd8b885a775bd422295146389e760a062
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.178.25 port 32894
EAP-Message =
0x0109002b190017030100200fd631ca65f225634251679efe7524102e6ad544f576ef00a2f996ac9c4dad67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878586ff9e56ed034e3134225de2
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32895,
id=9, length=238
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878586ff9e56ed034e3134225de2
EAP-Message =
0x0209005019001703010020a08078622a79e75a566a35e37ef4bf984a4bb904335403eadcdc445bc7bd908a1703010020b0718794786e96045ed88030e9a94236d4ad1672637efb413176da2c3ad27586
Message-Authenticator = 0xf5b1df8093a72c9530258fe6969a9fc2
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - tee
[peap] Got inner identity 'tee'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0209000801746565
server {
PEAP: Setting User-Name to tee
Sending tunneled request
EAP-Message = 0x0209000801746565
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tee"
server inner-tunnel {
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_inn_local
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
[sql] expand: %{User-Name} -> tee
[sql] sql_set_user escaped user --> 'tee'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'tee'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'tee'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'tee' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = 'tee' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
Cancelling invalid proxy request.
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_inn_local
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010a001d1a010a001810d3f23e8332d772ee6ed7d8e7e96aa314746565
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x84e0dc4b84eac6443eb91adc9df1aaf2
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010a001d1a010a001810d3f23e8332d772ee6ed7d8e7e96aa314746565
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x84e0dc4b84eac6443eb91adc9df1aaf2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 9 to 192.168.178.25 port 32895
EAP-Message =
0x010a003b19001703010030712667073febde764e5f2c9db3f756e283ff2180010ab6ce8279b275dd91f1dab7b11915d8ee1b08d53646ca76c74294
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878587fc9e56ed034e3134225de2
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32896,
id=10, length=286
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878587fc9e56ed034e3134225de2
EAP-Message =
0x020a00801900170301002003b67ac299e85321ff1f02a3fc4882edd957bc03194e8c379bb77f1c79dd009f1703010050b262cbf37cc08590f1736c2e90141e8457f4b7af8e7abbfaef9060ff03a5a2ada76be693ba95f5a159215119aaab21924173f17ec2dbe6d6da2cb99804725379fbd6272198e5cab8587acceaea7dda0b
Message-Authenticator = 0x44e004b74fa78cf01a38d274530d7614
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020a003e1a020a003931d5f758f1aeada35c250ccbf62fdedb1200000000000000001d3c61fd341515c0c945528dc1af927b453748b44030955400746565
server {
PEAP: Setting User-Name to tee
Sending tunneled request
EAP-Message =
0x020a003e1a020a003931d5f758f1aeada35c250ccbf62fdedb1200000000000000001d3c61fd341515c0c945528dc1af927b453748b44030955400746565
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tee"
State = 0x84e0dc4b84eac6443eb91adc9df1aaf2
server inner-tunnel {
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_inn_local
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
[sql] expand: %{User-Name} -> tee
[sql] sql_set_user escaped user --> 'tee'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'tee'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'tee'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'tee' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = 'tee' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
Cancelling invalid proxy request.
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_inn_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr/local/synoradius/rad_site_inn_local
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: tee
[mschap] Told to do MS-CHAPv2 for tee with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010b00331a030a002e533d32454434413437374342463839453230343834304331374634463043353430354332304645444245
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x84e0dc4b85ebc6443eb91adc9df1aaf2
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010b00331a030a002e533d32454434413437374342463839453230343834304331374634463043353430354332304645444245
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x84e0dc4b85ebc6443eb91adc9df1aaf2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 10 to 192.168.178.25 port 32896
EAP-Message =
0x010b005b1900170301005020edf875c62bb996bc491fcb19c1123e1096f555e9ba6ee0f34c057c5c4c3e2211b14d6c3a1ee5d7ab2640d0745727308bcfd4cfdfa2e35da333788efc3c56999be2ef703b63f5c41dc1fb594803acf6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878588fd9e56ed034e3134225de2
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32897,
id=11, length=238
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878588fd9e56ed034e3134225de2
EAP-Message =
0x020b0050190017030100207d3776e8c3c71e5d5abf3b53d0169beea9e8992f69e2e0bcd672964a460e841617030100206780143ad9c9892791d2440461e354dc14baf8e535682315095dfea3ecd6b3a1
Message-Authenticator = 0x4977fb9bef33eaa2d73876471b3a527c
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020b00061a03
server {
PEAP: Setting User-Name to tee
Sending tunneled request
EAP-Message = 0x020b00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tee"
State = 0x84e0dc4b85ebc6443eb91adc9df1aaf2
server inner-tunnel {
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_inn_local
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
[sql] expand: %{User-Name} -> tee
[sql] sql_set_user escaped user --> 'tee'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'tee'
ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'tee' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'tee'
ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'tee' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM
radusergroup WHERE username = 'tee' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
Cancelling invalid proxy request.
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_inn_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [tee] (from client EASYBOX port 0 via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/usr/local/synoradius/rad_site_inn_local
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x40d8b3413d25f4013c2a3ae154c437ac
MS-MPPE-Recv-Key = 0xf5a477c13c1244e08cd8f0d853c4865e
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "tee"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x40d8b3413d25f4013c2a3ae154c437ac
MS-MPPE-Recv-Key = 0xf5a477c13c1244e08cd8f0d853c4865e
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "tee"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 11 to 192.168.178.25 port 32897
EAP-Message =
0x010c002b190017030100209b99f254f989d6a0e266af1df740bfd7f858aa9be34ded07ca32eea655c957d9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80f6878589fa9e56ed034e3134225de2
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.178.25 port 32898,
id=12, length=238
User-Name = "tee"
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "7C-4F-B5-FE-BD-14:SEHR_GEHEIM"
Calling-Station-Id = "14-89-FD-DA-ED-19"
NAS-Identifier = "BOSS-SYNOLOGY"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x80f6878589fa9e56ed034e3134225de2
EAP-Message =
0x020c0050190017030100203457dd4974e320f48bb2ea9959f91a702adc65898bb24317aca624fc47854c43170301002011476f7edc9a493c77d431caf59a5d613cf8bfc339c4c150ca2381ca5e7191ba
Message-Authenticator = 0x00f7c3ad38840def38f7aa0c62632bbc
SYNOUserGet failed. [0x1D00 user_db_get.c:63]
# Executing section authorize from file
/usr/local/synoradius/rad_site_def_local
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tee", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/synoradius/rad_site_def_local
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [tee] (from client EASYBOX port 29 cli 14-89-FD-DA-ED-19)
# Executing section post-auth from file
/usr/local/synoradius/rad_site_def_local
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 12 to 192.168.178.25 port 32898
MS-MPPE-Recv-Key =
0xe3cd1d3d8847bb78c279ac58d6e6c42cdaebdc4c82cb41b506ee08c319b6b748
MS-MPPE-Send-Key =
0x24cef9cb1a537db7be194b7dd4465ad0a374a79a30926c05f1e8e549b0ca92d9
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "tee"
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.
Cleaning up request 0 ID 2 with timestamp +39
Cleaning up request 1 ID 3 with timestamp +39
Cleaning up request 2 ID 4 with timestamp +39
Cleaning up request 3 ID 5 with timestamp +39
Cleaning up request 4 ID 6 with timestamp +39
Cleaning up request 5 ID 7 with timestamp +39
Cleaning up request 6 ID 8 with timestamp +39
Cleaning up request 7 ID 9 with timestamp +39
Cleaning up request 8 ID 10 with timestamp +39
Cleaning up request 9 ID 11 with timestamp +39
Cleaning up request 10 ID 12 with timestamp +40
Ready to process requests.
1
0
Talloc sanity error (3.0 release branch, reproxying from PEAP inner tunnel)
by Brian Julin 12 Aug '13
by Brian Julin 12 Aug '13
12 Aug '13
I finally got around to trying some RC code (the release_branch_3.0.0 on github) on our
production configurations, after a bit of massaging got them looking like they were working,
but not so much the one that re-proxies the inner tunnel contents to an internal
server after unwrapping EAP-PEAP:
peap {
default_eap_type = mschapv2
proxy_tunneled_request_as_eap = yes
copy_request_to_tunnel = no
use_tunneled_reply = yes
tls = eduroam-eap-tls
}
Any request that tries to go to the proxy causes this to happen:
Wed Aug 7 11:57:35 2013 : Debug: (5) - entering if ("%{FreeRADIUS-Proxied-To}" == 127.0.0.1) {...}
Wed Aug 7 11:57:35 2013 : Debug: (5) update control {
Wed Aug 7 11:57:35 2013 : Debug: (5) Proxy-To-Realm := "idpi"
...
Wed Aug 7 11:57:35 2013 : Debug: (5) } # update control = ok
Wed Aug 7 11:57:35 2013 : Debug: (5) - if ("%{FreeRADIUS-Proxied-To}" == 127.0.0.1) returns ok
Wed Aug 7 11:57:35 2013 : Debug: (5) ... skipping else for request 5: Preceding "if" was taken
} # server eduroam_idp
Wed Aug 7 11:57:35 2013 : Debug: (5) eap_peap : Got tunneled reply code 0
Wed Aug 7 11:57:35 2013 : Debug: PEAP: Tunneled authentication will be proxied to idpi
Wed Aug 7 11:57:35 2013 : Info: talloc: access after free error - first free may be at src/main/util.c:230
Wed Aug 7 11:57:35 2013 : Info: Bad talloc magic value - access after free
... I don't know if this is of any use, being so far removed from the free():
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff5eb4700 (LWP 27579)]
0x0000003fe54328a5 in raise () from /lib64/libc.so.6
...
(gdb) bt
#0 0x0000003fe54328a5 in raise () from /lib64/libc.so.6
#1 0x0000003fe5434085 in abort () from /lib64/libc.so.6
#2 0x00007ffff7782c3c in ?? () from /usr/lib64/libtalloc.so.2
#3 0x00007ffff7782dd8 in talloc_get_name () from /usr/lib64/libtalloc.so.2
#4 0x00007ffff77857eb in _talloc_get_type_abort ()
from /usr/lib64/libtalloc.so.2
#5 0x00007ffff7bb4d95 in pairnext (cursor=0x7ffff5eb2950)
at src/lib/valuepair.c:290
#6 0x00007ffff7bb4b42 in pairfind (vp=0x7fffe8007d80, attr=80, vendor=0,
tag=-128 '\200') at src/lib/valuepair.c:209
#7 0x00007ffff6f58d45 in mod_authenticate (instance=0x7f8b30,
request=0x844e40) at src/modules/rlm_eap/rlm_eap.c:360
#8 0x0000000000421812 in call_modsingle (component=0, sp=0x81ce30,
request=0x844e40) at src/main/modcall.c:311
#9 0x0000000000422f93 in modcall (component=0, c=0x81cf30, request=0x844e40)
at src/main/modcall.c:782
#10 0x000000000041f4c6 in indexed_modcall (comp=0, idx=6, request=0x844e40)
at src/main/modules.c:758
#11 0x0000000000421127 in process_authenticate (auth_type=6, request=0x844e40)
at src/main/modules.c:1648
#12 0x000000000040c910 in rad_check_password (request=0x844e40)
at src/main/auth.c:252
#13 0x000000000040cee4 in rad_authenticate (request=0x844e40)
---Type <return> to continue, or q <return> to quit---
at src/main/auth.c:490
#14 0x0000000000430b79 in request_running (request=0x844e40, action=1)
at src/main/process.c:1185
#15 0x000000000042d02e in request_handler_thread (arg=0x8397c0)
at src/main/threads.c:685
#16 0x0000003fe5c07851 in start_thread () from /lib64/libpthread.so.0
#17 0x0000003fe54e811d in clone () from /lib64/libc.so.6
(gdb)
(gdb) up
#1 0x0000003fe5434085 in abort () from /lib64/libc.so.6
(gdb) up
#2 0x00007ffff7782c3c in ?? () from /usr/lib64/libtalloc.so.2
(gdb) up
#3 0x00007ffff7782dd8 in talloc_get_name () from /usr/lib64/libtalloc.so.2
(gdb) up
#4 0x00007ffff77857eb in _talloc_get_type_abort ()
from /usr/lib64/libtalloc.so.2
(gdb) up
#5 0x00007ffff7bb4d95 in pairnext (cursor=0x7ffff5eb2950)
at src/lib/valuepair.c:290
290 VERIFY_VP(cursor->current);
(gdb) list
285 */
286 VALUE_PAIR *pairnext(vp_cursor_t *cursor)
287 {
288 cursor->current = cursor->next;
289 if (cursor->current) {
290 VERIFY_VP(cursor->current);
291
292 /*
293 * Set this now in case 'current' gets freed before
294 * pairnext is called again.
(gdb) print cursor->current
$1 = (VALUE_PAIR *) 0x7fffe8007820
(gdb) print cursor->current->da
$2 = (const DICT_ATTR *) 0x6c6c617420646142
(gdb) print *cursor->current->da
Cannot access memory at address 0x6c6c617420646142
(gdb) up
#6 0x00007ffff7bb4b42 in pairfind (vp=0x7fffe8007d80, attr=80, vendor=0,
tag=-128 '\200') at src/lib/valuepair.c:209
209 i = pairnext(&cursor)) {
(gdb) list
204 vp_cursor_t cursor;
205 VALUE_PAIR *i;
206
207 for (i = paircursor(&cursor, &vp);
208 i;
209 i = pairnext(&cursor)) {
210 VERIFY_VP(i);
211 if ((i->da->attr == attr) && (i->da->vendor == vendor)
212 && ((tag == TAG_ANY) || (i->da->flags.has_tag &&
213 (i->tag == tag)))) {
(gdb) print attr
$3 = 80
(gdb) print vendor
$4 = 0
(gdb) print tag
$5 = -128 '\200'
(gdb) print i->da->name
$6 = "U"
(gdb) print *(char *)i->da->name
$7 = 85 'U'
(gdb) print *(char *)i->da->name + 1
$8 = 86
(gdb) print *(char *)(i->da->name + 1)
$9 = 115 's'
(gdb) print *(char *)(i->da->name + 2)
$10 = 101 'e'
(gdb) print *(char *)(i->da->name + 3)
$11 = 114 'r'
(gdb) print *(char *)(i->da->name + 4)
$12 = 45 '-'
(gdb) print *(char *)(i->da->name + 5)
$13 = 78 'N'
(gdb) up
#7 0x00007ffff6f58d45 in mod_authenticate (instance=0x7f8b30,
request=0x844e40) at src/modules/rlm_eap/rlm_eap.c:360
360 vp = pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY);
(gdb) print request
$14 = (REQUEST *) 0x844e40
(gdb) print request->proxy
$15 = (RADIUS_PACKET *) 0x7fffe8007bc0
(gdb) print request->proxy->vps
$16 = (VALUE_PAIR *) 0x7fffe8007d80
(gdb) print request->proxy->vps->da
$17 = (const DICT_ATTR *) 0x66dbf0
(gdb) print request->proxy->vps->da->name
$18 = "E"
(gdb) print (char *)request->proxy->vps->da->name
$19 = 0x66dc00 "EAP-Message"
(gdb) print (char *)request->proxy->vps->da->type
$20 = 0x6 <Address 0x6 out of bounds>
(gdb) print request->proxy->vps->da->type
$21 = PW_TYPE_OCTETS
(gdb) print (char *)request->proxy->vps->next->da->name
$22 = 0x6d8b08 "FreeRADIUS-Proxied-To"
(gdb) print (char *)request->proxy->vps->next->next->da->name
$23 = 0x66c280 "User-Name"
(gdb) print (char *)request->proxy->vps->next->next->next->da->name
$24 = 0x6c6c617420646152 <Address 0x6c6c617420646152 out of bounds>
(gdb) up
#8 0x0000000000421812 in call_modsingle (component=0, sp=0x81ce30,
request=0x844e40) at src/main/modcall.c:311
311 myresult = sp->modinst->entry->module->methods[component](
(gdb) list
306 /*
307 * For logging unresponsive children.
308 */
309 request->module = sp->modinst->name;
310
311 myresult = sp->modinst->entry->module->methods[component](
312 sp->modinst->insthandle, request);
313
314 request->module = "";
315 safe_unlock(sp->modinst);
(gdb)
The good news is the outbound instance for RadSec proxy seems to be holding up so far.
I've got another few weeks to test that before EDUROAM-US retracts RadSec service
pending getting their PKI in order, so I'll try to bang on it a bit stress and endurance-wise
before it goes away.
4
9