Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2013
- 72 participants
- 86 discussions
Hi
We have a a supplicant that is our own box doing client 802.1x
authentication using freeradius. We do not establish a TLS/IPSec connection
between the supplicant and freeradius. We need to establish a secure
channel between the supplicant and freeradius.
Can someone please tell me whether any such thing is supported in radius?
Is yes, it would be great if I you could point me to the corresponding
config files and code.
Thanks
Rahul
3
6
05 Aug '13
Hello,
I am trying to run the radtest on local machine which is CentOS 6.0. But am
getting the following error while sending the Access Request message from
client which is another machine.
The user name is defined in users file under /usr/local/etc/raddb. But
still am getting the error. I had provided the snapshot received on radiusd
–Xx in the end. Can you please help me in figuring out the issue?
rad_recv: Access-Request packet from host 10.100.111.2 port 4061, id=60,
length=77
User-Name = "rajeev"
User-Password = "\334a\004\305\355x\321\332G\306\362b\226~\355+"
NAS-IP-Address = 135.250.14.111
NAS-Identifier = "login"
NAS-Port = 3036
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Fri Aug 2 16:45:38 2013 : Info: # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
Fri Aug 2 16:45:38 2013 : Info: +- entering group authorize {...}
Fri Aug 2 16:45:38 2013 : Info: ++[preprocess] returns ok
Fri Aug 2 16:45:38 2013 : Info: [suffix] No '@' in User-Name = "rajeev",
looking up realm NULL
Fri Aug 2 16:45:38 2013 : Info: [suffix] No such realm "NULL"
Radius -X Snapshot:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.02 16:40:08
=~=~=~=~=~=~=~=~=~=~=~=
pwdradiusd -Xx
Fri Aug 2 16:45:25 2013 : Info: FreeRADIUS Version 2.2.0, for host
x86_64-unknown-linux-gnu, built on Aug 1 2013 at 17:38:57
Fri Aug 2 16:45:25 2013 : Info: Copyright (C) 1999-2012 The FreeRADIUS
server project and contributors.
Fri Aug 2 16:45:25 2013 : Info: There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A
Fri Aug 2 16:45:25 2013 : Info: PARTICULAR PURPOSE.
Fri Aug 2 16:45:25 2013 : Info: You may redistribute copies of FreeRADIUS
under the terms of the
Fri Aug 2 16:45:25 2013 : Info: GNU General Public License v2.
Fri Aug 2 16:45:25 2013 : Info: Starting - reading configuration files ...
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/radiusd.conf
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/clients.conf
Fri Aug 2 16:45:25 2013 : Debug: including files in directory
/usr/local/etc/raddb/modules/
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/mac2vlan
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/radrelay
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/radutmp
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/files
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/passwd
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/attr_filter
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/digest
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/sql_log
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/policy
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/chap
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/counter
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/preprocess
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/inner-eap
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/opendirectory
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/mac2ip
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/wimax
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/unix
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/rediswho
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/krb5
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/checkval
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/ldap
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/attr_rewrite
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/pam
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/detail.log
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/linelog
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/realm
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/expr
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/dhcp_sqlippool
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/ntlm_auth
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/cui
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/exec
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/etc_group
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/detail.example.com
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/smbpasswd
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/dynamic_clients
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/smsotp
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/logintime
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/replicate
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/acct_unique
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/detail
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/pap
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/ippool
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/expiration
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/redis
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/echo
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/otp
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/cache
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/perl
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/mschap
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/sradutmp
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/soh
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/modules/always
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/eap.conf
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/policy.conf
Fri Aug 2 16:45:25 2013 : Debug: including files in directory
/usr/local/etc/raddb/sites-enabled/
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/sites-enabled/default
Fri Aug 2 16:45:25 2013 : Debug: including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
Fri Aug 2 16:45:25 2013 : Debug: main {
Fri Aug 2 16:45:25 2013 : Debug: allow_core_dumps = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: including dictionary file
/usr/local/etc/raddb/dictionary
Fri Aug 2 16:45:25 2013 : Debug: main {
Fri Aug 2 16:45:25 2013 : Debug: name = "radiusd"
Fri Aug 2 16:45:25 2013 : Debug: prefix = "/usr/local"
Fri Aug 2 16:45:25 2013 : Debug: localstatedir = "/usr/local/var"
Fri Aug 2 16:45:25 2013 : Debug: sbindir = "/usr/local/sbin"
Fri Aug 2 16:45:25 2013 : Debug: logdir = "/usr/local/var/log/radius"
Fri Aug 2 16:45:25 2013 : Debug: run_dir = "/usr/local/var/run/radiusd"
Fri Aug 2 16:45:25 2013 : Debug: libdir = "/usr/local/lib"
Fri Aug 2 16:45:25 2013 : Debug: radacctdir =
"/usr/local/var/log/radius/radacct"
Fri Aug 2 16:45:25 2013 : Debug: hostname_lookups = no
Fri Aug 2 16:45:25 2013 : Debug: max_request_time = 30
Fri Aug 2 16:45:25 2013 : Debug: cleanup_delay = 5
Fri Aug 2 16:45:25 2013 : Debug: max_requests = 1024
Fri Aug 2 16:45:25 2013 : Debug: pidfile =
"/usr/local/var/run/radiusd/radiusd.pid"
Fri Aug 2 16:45:25 2013 : Debug: checkrad = "/usr/local/sbin/checkrad"
Fri Aug 2 16:45:25 2013 : Debug: debug_level = 0
Fri Aug 2 16:45:25 2013 : Debug: proxy_requests = no
Fri Aug 2 16:45:25 2013 : Debug: log {
Fri Aug 2 16:45:25 2013 : Debug: stripped_names = no
Fri Aug 2 16:45:25 2013 : Debug: auth = no
Fri Aug 2 16:45:25 2013 : Debug: auth_badpass = no
Fri Aug 2 16:45:25 2013 : Debug: auth_goodpass = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: security {
Fri Aug 2 16:45:25 2013 : Debug: max_attributes = 200
Fri Aug 2 16:45:25 2013 : Debug: reject_delay = 1
Fri Aug 2 16:45:25 2013 : Debug: status_server = yes
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: radiusd: #### Loading Realms and Home
Servers ####
Fri Aug 2 16:45:25 2013 : Debug: radiusd: #### Loading Clients ####
Fri Aug 2 16:45:25 2013 : Debug: client 10.100.111.0/24 {
Fri Aug 2 16:45:25 2013 : Debug: require_message_authenticator = no
Fri Aug 2 16:45:25 2013 : Debug: secret = "ABC123"
Fri Aug 2 16:45:25 2013 : Debug: shortname = "BTS111"
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: client 10.100.111.2/24 {
Fri Aug 2 16:45:25 2013 : Debug: ipaddr = 10.100.111.2
Fri Aug 2 16:45:25 2013 : Debug: require_message_authenticator = no
Fri Aug 2 16:45:25 2013 : Debug: secret = "ABC123"
Fri Aug 2 16:45:25 2013 : Debug: shortname = "BTS111"
Fri Aug 2 16:45:25 2013 : Debug: nastype = "other"
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: radiusd: #### Instantiating modules ####
Fri Aug 2 16:45:25 2013 : Debug: instantiate {
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_exec, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_exec
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "exec" from
file /usr/local/etc/raddb/modules/exec
Fri Aug 2 16:45:25 2013 : Debug: exec {
Fri Aug 2 16:45:25 2013 : Debug: wait = no
Fri Aug 2 16:45:25 2013 : Debug: input_pairs = "request"
Fri Aug 2 16:45:25 2013 : Debug: shell_escape = yes
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_expr, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_expr
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "expr" from
file /usr/local/etc/raddb/modules/expr
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_expiration, checking if
it's valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_expiration
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module
"expiration" from file /usr/local/etc/raddb/modules/expiration
Fri Aug 2 16:45:25 2013 : Debug: expiration {
Fri Aug 2 16:45:25 2013 : Debug: reply-message = "Password Has Expired "
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_logintime, checking if
it's valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_logintime
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "logintime"
from file /usr/local/etc/raddb/modules/logintime
Fri Aug 2 16:45:25 2013 : Debug: logintime {
Fri Aug 2 16:45:25 2013 : Debug: reply-message = "You are calling outside
your allowed timespan "
Fri Aug 2 16:45:25 2013 : Debug: minimum-timeout = 60
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: radiusd: #### Loading Virtual Servers ####
Fri Aug 2 16:45:25 2013 : Debug: server { # from file
/usr/local/etc/raddb/radiusd.conf
Fri Aug 2 16:45:25 2013 : Debug: modules {
Fri Aug 2 16:45:25 2013 : Debug: Module: Creating Auth-Type = digest
Fri Aug 2 16:45:25 2013 : Debug: Module: Creating Post-Auth-Type = REJECT
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking authenticate {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_pap, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_pap
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "pap" from
file /usr/local/etc/raddb/modules/pap
Fri Aug 2 16:45:25 2013 : Debug: pap {
Fri Aug 2 16:45:25 2013 : Debug: encryption_scheme = "auto"
Fri Aug 2 16:45:25 2013 : Debug: auto_header = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_chap, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_chap
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "chap" from
file /usr/local/etc/raddb/modules/chap
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_mschap, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_mschap
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "mschap"
from file /usr/local/etc/raddb/modules/mschap
Fri Aug 2 16:45:25 2013 : Debug: mschap {
Fri Aug 2 16:45:25 2013 : Debug: use_mppe = yes
Fri Aug 2 16:45:25 2013 : Debug: require_encryption = no
Fri Aug 2 16:45:25 2013 : Debug: require_strong = no
Fri Aug 2 16:45:25 2013 : Debug: with_ntdomain_hack = no
Fri Aug 2 16:45:25 2013 : Debug: allow_retry = yes
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_digest, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_digest
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "digest"
from file /usr/local/etc/raddb/modules/digest
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_unix, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_unix
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "unix" from
file /usr/local/etc/raddb/modules/unix
Fri Aug 2 16:45:25 2013 : Debug: unix {
Fri Aug 2 16:45:25 2013 : Debug: radwtmp =
"/usr/local/var/log/radius/radwtmp"
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_eap, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_eap
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "eap" from
file /usr/local/etc/raddb/eap.conf
Fri Aug 2 16:45:25 2013 : Debug: eap {
Fri Aug 2 16:45:25 2013 : Debug: default_eap_type = "md5"
Fri Aug 2 16:45:25 2013 : Debug: timer_expire = 60
Fri Aug 2 16:45:25 2013 : Debug: ignore_unknown_eap_types = no
Fri Aug 2 16:45:25 2013 : Debug: cisco_accounting_username_bug = no
Fri Aug 2 16:45:25 2013 : Debug: max_sessions = 4096
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to sub-module rlm_eap_md5
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating eap-md5
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to sub-module rlm_eap_leap
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating eap-leap
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to sub-module rlm_eap_gtc
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating eap-gtc
Fri Aug 2 16:45:25 2013 : Debug: gtc {
Fri Aug 2 16:45:25 2013 : Debug: challenge = "Password: "
Fri Aug 2 16:45:25 2013 : Debug: auth_type = "PAP"
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to sub-module rlm_eap_tls
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating eap-tls
Fri Aug 2 16:45:25 2013 : Debug: tls {
Fri Aug 2 16:45:25 2013 : Debug: rsa_key_exchange = no
Fri Aug 2 16:45:25 2013 : Debug: dh_key_exchange = yes
Fri Aug 2 16:45:25 2013 : Debug: rsa_key_length = 512
Fri Aug 2 16:45:25 2013 : Debug: dh_key_length = 512
Fri Aug 2 16:45:25 2013 : Debug: verify_depth = 0
Fri Aug 2 16:45:25 2013 : Debug: CA_path = "/usr/local/etc/raddb/certs"
Fri Aug 2 16:45:25 2013 : Debug: pem_file_type = yes
Fri Aug 2 16:45:25 2013 : Debug: private_key_file =
"/usr/local/etc/raddb/certs/server.pem"
Fri Aug 2 16:45:25 2013 : Debug: certificate_file =
"/usr/local/etc/raddb/certs/server.pem"
Fri Aug 2 16:45:25 2013 : Debug: CA_file =
"/usr/local/etc/raddb/certs/ca.pem"
Fri Aug 2 16:45:25 2013 : Debug: private_key_password = "whatever"
Fri Aug 2 16:45:25 2013 : Debug: dh_file = "/usr/local/etc/raddb/certs/dh"
Fri Aug 2 16:45:25 2013 : Debug: random_file =
"/usr/local/etc/raddb/certs/random"
Fri Aug 2 16:45:25 2013 : Debug: fragment_size = 1024
Fri Aug 2 16:45:25 2013 : Debug: include_length = yes
Fri Aug 2 16:45:25 2013 : Debug: check_crl = no
Fri Aug 2 16:45:25 2013 : Debug: cipher_list = "DEFAULT"
Fri Aug 2 16:45:25 2013 : Debug: make_cert_command =
"/usr/local/etc/raddb/certs/bootstrap"
Fri Aug 2 16:45:25 2013 : Debug: cache {
Fri Aug 2 16:45:25 2013 : Debug: enable = no
Fri Aug 2 16:45:25 2013 : Debug: lifetime = 24
Fri Aug 2 16:45:25 2013 : Debug: max_entries = 255
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: verify {
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: ocsp {
Fri Aug 2 16:45:25 2013 : Debug: enable = no
Fri Aug 2 16:45:25 2013 : Debug: override_cert_url = yes
Fri Aug 2 16:45:25 2013 : Debug: url = "http://127.0.0.1/ocsp/"
Fri Aug 2 16:45:25 2013 : Debug: use_nonce = yes
Fri Aug 2 16:45:25 2013 : Debug: timeout = 0
Fri Aug 2 16:45:25 2013 : Debug: softfail = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to sub-module rlm_eap_ttls
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating eap-ttls
Fri Aug 2 16:45:25 2013 : Debug: ttls {
Fri Aug 2 16:45:25 2013 : Debug: default_eap_type = "md5"
Fri Aug 2 16:45:25 2013 : Debug: copy_request_to_tunnel = no
Fri Aug 2 16:45:25 2013 : Debug: use_tunneled_reply = no
Fri Aug 2 16:45:25 2013 : Debug: virtual_server = "inner-tunnel"
Fri Aug 2 16:45:25 2013 : Debug: include_length = yes
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to sub-module rlm_eap_peap
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating eap-peap
Fri Aug 2 16:45:25 2013 : Debug: peap {
Fri Aug 2 16:45:25 2013 : Debug: default_eap_type = "mschapv2"
Fri Aug 2 16:45:25 2013 : Debug: copy_request_to_tunnel = no
Fri Aug 2 16:45:25 2013 : Debug: use_tunneled_reply = no
Fri Aug 2 16:45:25 2013 : Debug: proxy_tunneled_request_as_eap = yes
Fri Aug 2 16:45:25 2013 : Debug: virtual_server = "inner-tunnel"
Fri Aug 2 16:45:25 2013 : Debug: soh = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to sub-module
rlm_eap_mschapv2
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating eap-mschapv2
Fri Aug 2 16:45:25 2013 : Debug: mschapv2 {
Fri Aug 2 16:45:25 2013 : Debug: with_ntdomain_hack = no
Fri Aug 2 16:45:25 2013 : Debug: send_error = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking authorize {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_preprocess, checking if
it's valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_preprocess
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module
"preprocess" from file /usr/local/etc/raddb/modules/preprocess
Fri Aug 2 16:45:25 2013 : Debug: preprocess {
Fri Aug 2 16:45:25 2013 : Debug: huntgroups =
"/usr/local/etc/raddb/huntgroups"
Fri Aug 2 16:45:25 2013 : Debug: hints = "/usr/local/etc/raddb/hints"
Fri Aug 2 16:45:25 2013 : Debug: with_ascend_hack = no
Fri Aug 2 16:45:25 2013 : Debug: ascend_channels_per_line = 23
Fri Aug 2 16:45:25 2013 : Debug: with_ntdomain_hack = no
Fri Aug 2 16:45:25 2013 : Debug: with_specialix_jetstream_hack = no
Fri Aug 2 16:45:25 2013 : Debug: with_cisco_vsa_hack = no
Fri Aug 2 16:45:25 2013 : Debug: with_alvarion_vsa_hack = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: reading pairlist file
/usr/local/etc/raddb/huntgroups
Fri Aug 2 16:45:25 2013 : Debug: reading pairlist file
/usr/local/etc/raddb/hints
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_realm, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_realm
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "suffix"
from file /usr/local/etc/raddb/modules/realm
Fri Aug 2 16:45:25 2013 : Debug: realm suffix {
Fri Aug 2 16:45:25 2013 : Debug: format = "suffix"
Fri Aug 2 16:45:25 2013 : Debug: delimiter = "@"
Fri Aug 2 16:45:25 2013 : Debug: ignore_default = no
Fri Aug 2 16:45:25 2013 : Debug: ignore_null = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking preacct {...} for more
modules to load
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_acct_unique, checking if
it's valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_acct_unique
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module
"acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
Fri Aug 2 16:45:25 2013 : Debug: acct_unique {
Fri Aug 2 16:45:25 2013 : Debug: key = "User-Name, Acct-Session-Id,
NAS-IP-Address, NAS-Identifier, NAS-Port"
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_files, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_files
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "files"
from file /usr/local/etc/raddb/modules/files
Fri Aug 2 16:45:25 2013 : Debug: files {
Fri Aug 2 16:45:25 2013 : Debug: usersfile = "/usr/local/etc/raddb/users"
Fri Aug 2 16:45:25 2013 : Debug: acctusersfile =
"/usr/local/etc/raddb/acct_users"
Fri Aug 2 16:45:25 2013 : Debug: preproxy_usersfile =
"/usr/local/etc/raddb/preproxy_users"
Fri Aug 2 16:45:25 2013 : Debug: compat = "no"
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: reading pairlist file
/usr/local/etc/raddb/users
Fri Aug 2 16:45:25 2013 : Debug: reading pairlist file
/usr/local/etc/raddb/acct_users
Fri Aug 2 16:45:25 2013 : Debug: reading pairlist file
/usr/local/etc/raddb/preproxy_users
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking accounting {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_detail, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_detail
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "detail"
from file /usr/local/etc/raddb/modules/detail
Fri Aug 2 16:45:25 2013 : Debug: detail {
Fri Aug 2 16:45:25 2013 : Debug: detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
Fri Aug 2 16:45:25 2013 : Debug: header = "%t"
Fri Aug 2 16:45:25 2013 : Debug: detailperm = 384
Fri Aug 2 16:45:25 2013 : Debug: dirperm = 493
Fri Aug 2 16:45:25 2013 : Debug: locking = no
Fri Aug 2 16:45:25 2013 : Debug: log_packet_header = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_attr_filter, checking if
it's valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_attr_filter
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module
"attr_filter.accounting_response" from file
/usr/local/etc/raddb/modules/attr_filter
Fri Aug 2 16:45:25 2013 : Debug: attr_filter
attr_filter.accounting_response {
Fri Aug 2 16:45:25 2013 : Debug: attrsfile =
"/usr/local/etc/raddb/attrs.accounting_response"
Fri Aug 2 16:45:25 2013 : Debug: key = "%{User-Name}"
Fri Aug 2 16:45:25 2013 : Debug: relaxed = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: reading pairlist file
/usr/local/etc/raddb/attrs.accounting_response
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking session {...} for more
modules to load
Fri Aug 2 16:45:25 2013 : Debug: (Loaded rlm_radutmp, checking if it's
valid)
Fri Aug 2 16:45:25 2013 : Debug: Module: Linked to module rlm_radutmp
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module "radutmp"
from file /usr/local/etc/raddb/modules/radutmp
Fri Aug 2 16:45:25 2013 : Debug: radutmp {
Fri Aug 2 16:45:25 2013 : Debug: filename =
"/usr/local/var/log/radius/radutmp"
Fri Aug 2 16:45:25 2013 : Debug: username = "%{User-Name}"
Fri Aug 2 16:45:25 2013 : Debug: case_sensitive = yes
Fri Aug 2 16:45:25 2013 : Debug: check_with_nas = yes
Fri Aug 2 16:45:25 2013 : Debug: perm = 384
Fri Aug 2 16:45:25 2013 : Debug: callerid = yes
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking post-auth {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: Module: Instantiating module
"attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
Fri Aug 2 16:45:25 2013 : Debug: attr_filter attr_filter.access_reject {
Fri Aug 2 16:45:25 2013 : Debug: attrsfile =
"/usr/local/etc/raddb/attrs.access_reject"
Fri Aug 2 16:45:25 2013 : Debug: key = "%{User-Name}"
Fri Aug 2 16:45:25 2013 : Debug: relaxed = no
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: reading pairlist file
/usr/local/etc/raddb/attrs.access_reject
Fri Aug 2 16:45:25 2013 : Debug: } # modules
Fri Aug 2 16:45:25 2013 : Debug: } # server
Fri Aug 2 16:45:25 2013 : Debug: server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
Fri Aug 2 16:45:25 2013 : Debug: modules {
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking authenticate {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking authorize {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking session {...} for more
modules to load
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking post-proxy {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: Module: Checking post-auth {...} for
more modules to load
Fri Aug 2 16:45:25 2013 : Debug: } # modules
Fri Aug 2 16:45:25 2013 : Debug: } # server
Fri Aug 2 16:45:25 2013 : Debug: radiusd: #### Opening IP addresses and
Ports ####
Fri Aug 2 16:45:25 2013 : Debug: listen {
Fri Aug 2 16:45:25 2013 : Debug: type = "auth"
Fri Aug 2 16:45:25 2013 : Debug: ipaddr = 10.100.111.3
Fri Aug 2 16:45:25 2013 : Debug: port = 0
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: listen {
Fri Aug 2 16:45:25 2013 : Debug: type = "acct"
Fri Aug 2 16:45:25 2013 : Debug: ipaddr = 10.100.111.3
Fri Aug 2 16:45:25 2013 : Debug: port = 0
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: listen {
Fri Aug 2 16:45:25 2013 : Debug: type = "control"
Fri Aug 2 16:45:25 2013 : Debug: listen {
Fri Aug 2 16:45:25 2013 : Debug: socket =
"/usr/local/var/run/radiusd/radiusd.sock"
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: listen {
Fri Aug 2 16:45:25 2013 : Debug: type = "auth"
Fri Aug 2 16:45:25 2013 : Debug: ipaddr = 127.0.0.1
Fri Aug 2 16:45:25 2013 : Debug: port = 18120
Fri Aug 2 16:45:25 2013 : Debug: }
Fri Aug 2 16:45:25 2013 : Debug: Listening on authentication address
10.100.111.3 port 1812
Fri Aug 2 16:45:25 2013 : Debug: Listening on accounting interface eth1
address 10.100.111.3 port 1813
Fri Aug 2 16:45:25 2013 : Debug: Listening on command file
/usr/local/var/run/radiusd/radiusd.sock
Fri Aug 2 16:45:25 2013 : Debug: Listening on authentication address
127.0.0.1 port 18120 as server inner-tunnel
Fri Aug 2 16:45:25 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.100.111.2 port 4061, id=60,
length=77
User-Name = "rajeev"
User-Password = "\334a\004\305\355x\321\332G\306\362b\226~\355+"
NAS-IP-Address = 135.250.14.111
NAS-Identifier = "login"
NAS-Port = 3036
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Fri Aug 2 16:45:38 2013 : Info: # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
Fri Aug 2 16:45:38 2013 : Info: +- entering group authorize {...}
Fri Aug 2 16:45:38 2013 : Info: ++[preprocess] returns ok
Fri Aug 2 16:45:38 2013 : Info: [suffix] No '@' in User-Name = "rajeev",
looking up realm NULL
Fri Aug 2 16:45:38 2013 : Info: [suffix] No such realm "NULL"
Fri Aug 2 16:45:38 2013 : Info: ++[suffix] returns noop
Fri Aug 2 16:45:38 2013 : Info: ++[expiration] returns noop
Fri Aug 2 16:45:38 2013 : Info: ++[logintime] returns noop
Fri Aug 2 16:45:38 2013 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Aug 2 16:45:38 2013 : Info: ++[pap] returns noop
Fri Aug 2 16:45:38 2013 : Info: ERROR: No authenticate method (Auth-Type)
found for the request: Rejecting the user
Fri Aug 2 16:45:38 2013 : Info: Failed to authenticate the user.
Fri Aug 2 16:45:38 2013 : Debug: WARNING: Unprintable characters in the
password. Double-check the shared secret on the server and the NAS!
Fri Aug 2 16:45:38 2013 : Info: Using Post-Auth-Type REJECT
Fri Aug 2 16:45:38 2013 : Info: # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Fri Aug 2 16:45:38 2013 : Info: +- entering group REJECT {...}
Fri Aug 2 16:45:38 2013 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> rajeev
Fri Aug 2 16:45:38 2013 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Aug 2 16:45:38 2013 : Info: ++[attr_filter.access_reject] returns
updated
Fri Aug 2 16:45:38 2013 : Info: Delaying reject of request 0 for 1 seconds
Fri Aug 2 16:45:38 2013 : Debug: Going to the next request
Fri Aug 2 16:45:38 2013 : Debug: Waking up in 0.9 seconds.
Fri Aug 2 16:45:39 2013 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 60 to 10.100.111.2 port 4061
Fri Aug 2 16:45:39 2013 : Debug: Waking up in 4.9 seconds.
Fri Aug 2 16:45:44 2013 : Info: Cleaning up request 0 ID 60 with timestamp
+13
Fri Aug 2 16:45:44 2013 : Info: Ready to process requests.
^C
]0;root@radioserver:/usr/local/etc/raddb [root@radioserver raddb]#
Br,
Rajeev
4
3
Version: FreeRADIUS Version 2.2.0, for host x86_64-pc-linux-gnu, built
on Jul 31 2013 at 15:36:48
OS: Ubuntu 12.04.2 LTS
Hi all-
Having some difficulties with Freeradius connecting to a SQL Server
2008 backend using the unixodbc module. I've recompiled the source
using the --with-rlm_sql_unixodbc flag and the module appears to be
loading fine. However, Freeradius does not seem to be able to
establish a connection with the server. I've configured my
freetds.conf, odbc.ini, and odbcinst.ini files properly because tsql
and isql can both connect to and query the server, but the debug
output from Freeradius gives me the following:
rlm_sql (sql): Driver rlm_sql_unixodbc (module rlm_sql_unixodbc)
loaded and linked
rlm_sql (sql): Attempting to connect to admin@10.10.100.24:49355/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
rlm_sql_unixodbc: SQL down 08001 [unixODBC][FreeTDS][SQL Server]Unable
to connect to data source
rlm_sql_unixodbc: Connection failed
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
I'm using the mssql.conf template found at
https://github.com/FreeRADIUS/www.freeradius.org/blob/master/radiusd/raddb/…
with the only changes being the connect info (server, login, port,
password), radius_db, and sqltrace, and radiusd.conf has an include
for mssql.conf.
I've tried running Wireshark on the SQL server and both tsql and isql
generate traffic to the server. Upon loading Freeradius, I see
absolutely no traffic coming from the radius server's IP. Any ideas
where my problem could lie?
2
5
Freeradius won't bind to port if running as user AND started as root, but works fine if started as the radius user.
by Matthew Schumacher 02 Aug '13
by Matthew Schumacher 02 Aug '13
02 Aug '13
List,
This is odd, I can't seem to figure out what the deal is with this.
This works:
As root user; /usr/sbin/radius -X
As root user; /usr/sbin/radius (when user= and group= is commented out
and running as root)
As radius user; /usr/sbin/radius -X
As radius user; /usr/sbin/radius (when user=radius and group=user)
This doesn't work:
As root user; /usr/sbin/radius (when user=radius and group=user)
I don't think this is a permissions issue as it works fine when invoked
as the radius user in daemon mode (so we can read the config and write
to logs), but starting as root and letting radius switch to the radius
user doesn't work.
What is interesting is that the logs show:
.......
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
When running as root user; /usr/sbin/radiusd -xx (when user=radius and
group=user)
So it stops just shy of thread pool and binding to the port. The same
command and config run as the radius user shows:
.......
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
thread pool {
start_servers = 10
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
}
Thread spawned new child 1. Total threads in pool: 1
Thread 1 waiting to be assigned a request
Thread spawned new child 2. Total threads in pool: 2
Thread 2 waiting to be assigned a request
Thread spawned new child 3. Total threads in pool: 3
Thread 3 waiting to be assigned a request
Thread spawned new child 4. Total threads in pool: 4
Thread 4 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread 5 waiting to be assigned a request
Thread spawned new child 6. Total threads in pool: 6
Thread 6 waiting to be assigned a request
Thread spawned new child 7. Total threads in pool: 7
Thread 7 waiting to be assigned a request
Thread spawned new child 8. Total threads in pool: 8
Thread 8 waiting to be assigned a request
Thread spawned new child 9. Total threads in pool: 9
Thread 9 waiting to be assigned a request
Thread spawned new child 10. Total threads in pool: 10
Thread pool initialized
Thread 10 waiting to be assigned a request
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1645
}
listen {
type = "acct"
ipaddr = *
port = 1646
}
Listening on authentication address * port 1645
Listening on accounting address * port 1646
Ready to process requests.
Any ideas?
Thanks,
schu
2
2
01 Aug '13
Version info:
radiusd: FreeRADIUS Version 2.2.0, for host i686-redhat-linux-gnu, built
on Oct 9 2012 at 17:47:30
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
Hello Everyone,
I've probably missed something or buggered an option, but I've searched
and searched and cannot find an answer to this. This is for a WiMAX
deployment and am using the built in dictionaries. The issue is with the
WiMAX-Packet-Flow-Descriptor tlv .
Below is what's configured in my DB:
id | groupname | attribute | op | value
-----+-----------+----------------------------+----+-------
100 | Business | Session-Timeout | := | 86400
101 | Business | Acct-Interim-Interval | := | 60
110 | Business | WiMAX-Packet-Data-Flow-Id | := | 14
111 | Business | WiMAX-Service-Data-Flow-Id | := | 14
112 | Business | WiMAX-Service-Profile-Id | := | 14
120 | Business | WiMAX-Packet-Data-Flow-Id | += | 17
121 | Business | WiMAX-Service-Data-Flow-Id | += | 17
122 | Business | WiMAX-Service-Profile-Id | += | 17
>From a debug I get this (relevant section):
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
Session-Timeout := 86400
Acct-Interim-Interval := 60
WiMAX-Packet-Data-Flow-Id := 14
WiMAX-Service-Data-Flow-Id := 14
WiMAX-Service-Profile-Id := 14
WiMAX-Packet-Data-Flow-Id += 17
WiMAX-Service-Data-Flow-Id += 17
WiMAX-Service-Profile-Id += 17
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
[wimax] MIP-RK =
0x00b0ce41e978a30ec9b196bdea7bd74def743761ddc81add6cb19ca577056e59ea814c5b54891482a045773e861657260658939502a9babd7c0a59a92a99cf87
[wimax] MIP-SPI = 42f4fa35
[wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
[wimax] WARNING: We cannot calculate MN-HA keys.
[wimax] WARNING: WiMAX-IP-Technology not found in reply.
[wimax] WARNING: Not calculating MN-HA keys
++[wimax] returns updated
Sending Access-Accept of id 2 to 10.199.20.240 port 6219
Session-Timeout := 86400
Acct-Interim-Interval := 60
WiMAX-Packet-Data-Flow-Id := 14
WiMAX-Service-Data-Flow-Id := 14
WiMAX-Service-Profile-Id := 14
WiMAX-Packet-Data-Flow-Id += 17
WiMAX-Service-Data-Flow-Id += 17
WiMAX-Service-Profile-Id += 17
MS-MPPE-Recv-Key =
0x6b033615247e78ea0e225bea745bba8c33634e0bf28ea0388174965a980b1642
MS-MPPE-Send-Key =
0x1a21679697b923cc88f4b4ba4fa37ded7f00c035811cd6ff18b4fb4e64956077
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
Finished request 14.
Everything looks good but on a pcap / radsniff I get this:
Access-Accept Id 2 10.199.10.14:1812 -> 10.199.20.240:6219 +31.411
Session-Timeout = 86400
Acct-Interim-Interval = 60
WiMAX-Packet-Data-Flow-Id = 17079 <--????
WiMAX-Service-Data-Flow-Id = 13496 <--????
WiMAX-Service-Profile-Id = 918034516 <--????
WiMAX-Packet-Data-Flow-Id = 17079 <--????
WiMAX-Service-Data-Flow-Id = 17079 <--????
WiMAX-Service-Profile-Id = 884473856 <--????
Microsoft-Attr-17 =
0x812038c3de66aec29f91928f3e5346f5911aa110d4c33dfd5556b1aebeb7c637b53c2420b3cd73763eb7c06f5386e6cef612
MS-MPPE-Send-Key = 0x1be2107278
EAP-Message = 0x03070004
Message-Authenticator = 0x70f2a2f9037b10be87a6ad954a205159
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
As can be seen, Session-Timeout and Acct-Interim-Interval all match up,
but the others don't, and even change from time to time without anything
other than a restart of radiusd.
I see the definition in the wimax dictionary is "short"
Anyhow, if there's a bug / solution / setting that I've blatantly
missed, please let me know.
I am attaching more debug below.
Thanks,
James
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.199.20.240 port 6216, id=0,
length=274
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message =
0x020000320131333230434437333737444342314141364241434242414431413233414545354078706c6f726e65742e636f6d
Message-Authenticator = 0x624b00fa55a8e8df65355066f4257c1a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 50
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} ->
1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com
[sql] sql_set_user escaped user -->
'1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op FROM radcheck WHERE Username =
'1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE
UserName='1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com' ORDER BY
priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 1
[sql] User 1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.199.20.240 port 6216
EAP-Message = 0x010100160410c8f730871835d03c590829b8055f149a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d1b22fe3d1a26c4e21bc6380caaf462
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.199.20.240 port 6217, id=0,
length=248
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
State = 0x3d1b22fe3d1a26c4e21bc6380caaf462
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message = 0x020100060315
Message-Authenticator = 0xc216081e84e230c02e8da5c94ef5f567
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} ->
1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com
[sql] sql_set_user escaped user -->
'1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op FROM radcheck WHERE Username =
'1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE
UserName='1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com' ORDER BY
priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 0
[sql] User 1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.199.20.240 port 6217
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d1b22fe3c1937c4e21bc6380caaf462
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.199.20.240 port 6218, id=0,
length=336
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
State = 0x3d1b22fe3c1937c4e21bc6380caaf462
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message =
0x0202005e150016030100530100004f030151f6843e3ba9c0e04d448b5995f9376ddeeb021c600b2c88fd4c4f067d8472e200002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
Message-Authenticator = 0x8d3b616e15c812e5046a994903eb4c55
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 94
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0053], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.199.20.240 port 6218
EAP-Message =
0x0103040015c000000aad160301002a02000026030151f6843ea7a068fcf005cd02ab7c253e507ec85b627c50a9dbbb09dad980eb8800003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3132303932373230323931365a170d3132313132363230323931365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c4c5b27c8989fbe23730ed64c341b3eec198c4f61c849694879bb5682e817a3bd36ee0f288703cdd2d01afad09eaa3094a530fd50b1c3051f1578f89033e
EAP-Message =
0x9294b51efc7988e06054e1b2db74c33354f26e32d65a208a4f2919a133bf9f1ab8b210deb180f16ebce470e38bd51865630e59fa15fedb01d3b58dcbf3029a01b2e3c21f2ebd3d2e410824d1a8655bfc171fa834c0f4e4ceaf1d9f0aa76f3fd2349fda57a65d785b106a5faecb3520b3fa5b32b07785d466b1f91e2d695126b043b804f5326f55981922a1eeaf4d6565ade837cf4fbe86f276f0d0913f0a5878a1f0f45202cd32bbbae72c923b6b171e81ab9b03c4713ad95c6aba20e61764214b4f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100adecc8bc38709cc6cb
EAP-Message =
0x650791e1531ca63c113770c53ab08e0da3decd3e2807b4ab1c602bbc3e04a4259e50dcc583170bf0cfa7720cd57a8e6982017deb231253b4d7de4497af9cee50dd48e34db2af5a318f9969319313b488af1e6576f18000b26f146cf3fa5fb434cd9f5657feb79ca0c46eb156d2f797b6e4325015052adcc7dde58b8ef9f8d8f2e9695d3e26d7802a2c5f69ca1106a082c8b4f6b5cd84873db14e847b2e95a711658d8477c4a53e3531778a09f7feac12b58bd19836b619cbc454920e3c17550eaa47b2986758c41a5059dfe4dbc3eac5653b84b4978da6fb0de56d2bee0a79bbabe09f3c79441bd198d2fd87aa1f21b47cae4add220e9b0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d1b22fe3f1837c4e21bc6380caaf462
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.199.20.240 port 6219, id=1,
length=248
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
State = 0x3d1b22fe3f1837c4e21bc6380caaf462
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message = 0x020300061500
Message-Authenticator = 0xb874df56087b707cfc085595cef29766
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.199.20.240 port 6219
EAP-Message =
0x0104040015c000000aad00f69a36800c93c0e9300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3132303932373230323931365a170d3132313132363230323931365a308193310b3009060355040613024652310f300d0603550408130652616469757331123010
EAP-Message =
0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d9416f4a53fae50a7026bb1ca7127d27924843f1f61433e89abd8c00a1d41a4eb95ae44df2c49ac28c3a5492d9f751e91e4648b3fc28130d65e57a6ed7b4c9da2c094f55c7dabafef975d013112a4b4b335aac29fd325d7befc35ecc083e4d914e83043699b04add11ec8e
EAP-Message =
0xb285b7c47c0cf057bd6fea3fab8c2b184489a5bf8ace00b216ce27c01a066f92c28bb1688cd7a085b2ef1e548cbc7f07fdb8d37b65ede2a6b39d2e5c28010fa22220ac4148277f2c183851c02c4b93d719ddc25b764fc2dd3230f11c24bd8a5d82e25129b7758ea6ed17fd3b0f748a2c56c5b30ea43e64642b850bf791c833d9de05445bceb00bf78c12f21a6eba2a333cca0c7ad90203010001a381fb3081f8301d0603551d0e04160414fae95dc6e57d9997440f8c45a9360970a8a5c2843081c80603551d230481c03081bd8014fae95dc6e57d9997440f8c45a9360970a8a5c284a18199a48196308193310b3009060355040613024652310f300d
EAP-Message =
0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900f69a36800c93c0e9300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007abe5079ce7fc50a7960020c5ee7e33191e24c14d469f00ce6b22c16ab8d9e6cb16e3add64e352094e45ffda438e92a39d47ef639b6594240ab3a0e101138e279660c1083d7cffef6f01923fb674
EAP-Message = 0x51cc96f02f1763e5388aaa08
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d1b22fe3e1f37c4e21bc6380caaf462
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.199.20.240 port 6216, id=1,
length=248
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
State = 0x3d1b22fe3e1f37c4e21bc6380caaf462
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message = 0x020400061500
Message-Authenticator = 0x4b4a3e988fdc78cb60e7fc872f0291ec
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.199.20.240 port 6216
EAP-Message =
0x010502cb158000000aad921ee4f1071e8d4860225e19af0554bde1421a6647aa33e46d9f9691aff69c875e8229e1baac4394bc1e1f2e857e474b5d181ae344d260691d845bcad5a4ee58b2bdfe0cb103335c0a642b6ecf4ea630836a22c41dd506a930b32544e00486d264bfdb49fc26cf00e96598911d2569ad3d7d10f9a1be2941bb56f8b684d6f08fc5cd3834cf8006f80638cb34fc65f38811592256d8b7fcfaa87301f958e056d943f621ec10b7160301020d0c0002090080ab08979de861c27c1e0ddf489d2a715a6362fdcabac2ba673e46a96be8209efaa298dff3532c0ca4fc593a6fa0cf7eb6959fcc17447028de57788e84644ec5e4d6ad
EAP-Message =
0xd7ed1c67c5006738d3b00aa2bd6921a2dacda4dba0eb2cfe668b7eb60dde719053f7b92f55f8bda32784dc0a5cec065fb3e233969cbfc47662576a44c8e300010200802e479e29f0f795052aff8a81b01b5673343d287e439aad873fe9ee0133262c123e48fdc4344c9fa2f5e169609796a1e180f34aa0e932b4e69ae7cbee22362a3a0704b515774883d97dc9723c9e9e08fed3f2658abe681f51e0ce14bac33284fdfe0910295155c6c145e9b3d1495c19fa8d3ff7176a1c08fb5dd63b2d119b0229010052587f03ecb2cf51f55b0bdf8aaff7d7140b19f79ee6fe27e7f971c63c99902625587503d9f7f5f21f7cfb71ec9befa7336d290840c0a8d1
EAP-Message =
0x3d04b449eb53f890f1939d6d270d30742f3a6c98c4562b2f9f982838b358cf520d24ed6925026050f0621c930e766d0669965ba2dde17673b9cae7931ff7cca15f85c8ab6f7973b70db1bb3f548d7eea7994f9332f333bdd29e12b5ae7667abdf94c95bbf5a56df10714938ae43e9f34c1fbe9f5628fa0455f6f7883ad0cc7d2f8b75c6c9572a814ededb5158c9435a8ff47240696cc155788f8d5397aa5388867d3f08cc9fcb9c62d9d368658a8c0b71774055bd23ff3f0d50b03422f5dec055516afce6b16d31516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d1b22fe391e37c4e21bc6380caaf462
Finished request 11.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.199.20.240 port 6217, id=1,
length=446
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
State = 0x3d1b22fe391e37c4e21bc6380caaf462
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message =
0x020500cc150016030100861000008200805bf0ee4eff60c428c48178565c479d314285d7e56b92715d94000a39febd071764f7d993ad7bf536e6045d9c7d939e5a7ca26db24ae358123b274a762bebb91398543c9696fb166c37e4acc90ece7156e2e785c35792ac2497a2275d79816c54f420fb0b0ef368ceaa6ff732dc7ab700d1594a4f53eb722fd670c324c2f74b7814030100010116030100303fb2196d56b8c5db3a8d286d13a3e7be1525c540e847b03753ff8dcd44b722a22eaebbfdae4733e348234f2c79332fa6
Message-Authenticator = 0xd9c5455c464de79980b501e138efcbc3
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.199.20.240 port 6217
EAP-Message =
0x0106004515800000003b14030100010116030100300d420f69ee784d90337c123e3ad17333f33afd4785266a8495af2cd5bd00c57f9b5250ab81d6abacad9f0a3b06a6a76a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d1b22fe381d37c4e21bc6380caaf462
Finished request 12.
Going to the next request
Waking up in 3.6 seconds.
rad_recv: Access-Request packet from host 10.199.20.240 port 6218, id=1,
length=450
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
State = 0x3d1b22fe381d37c4e21bc6380caaf462
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message =
0x020600d0150017030100202efd8b68040fc99d7215fc82ddb19fcc9d5d7db5d6bf00feab83065c3c66904e17030100a08d9c6735ac0f310c1a1b40fc8b8b830001ad22a156e365fb7c7a3a172bb37b2936605498f2249045b9e90b8d078a50b9308ccc874344e52912a6ef295c7ab21e6a110effee3fe5fdb09aa3340455e22b5c29903d4cbc38b91756b75e551f21f71b9a3f73655188839f65cc8d01ed3fa072b892d664b5a82caed9fd110f88727b00321d304fe9f0d62ff61bb07eacde6670bc8f3fe688820431254c4fe8ca8493
Message-Authenticator = 0xba312fe00908947881503e3743208d95
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "002682671370(a)undisclosed.com"
MS-CHAP-Challenge = 0xc919ad25030747b5b148f0012fe58cb6
MS-CHAP2-Response =
0x4a004b1aed39e592b691d44948ff62f2e0af00000000000000005c32a2d43a9b7763656058b7685e4fff541653c66a69e82c
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "002682671370(a)undisclosed.com"
MS-CHAP-Challenge = 0xc919ad25030747b5b148f0012fe58cb6
MS-CHAP2-Response =
0x4a004b1aed39e592b691d44948ff62f2e0af00000000000000005c32a2d43a9b7763656058b7685e4fff541653c66a69e82c
FreeRADIUS-Proxied-To = 127.0.0.1
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "00-26-82-67-13-70"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"002682671370(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> 002682671370(a)undisclosed.com
[sql] sql_set_user escaped user --> '002682671370(a)undisclosed.com'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op FROM radcheck WHERE Username =
'002682671370(a)undisclosed.com' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,
UserName, Attribute, Value, Op FROM radreply WHERE Username =
'002682671370(a)undisclosed.com' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='002682671370(a)undisclosed.com' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql] expand: SELECT id, GroupName, Attribute, Value, op FROM
radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT
id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE
GroupName = 'Business' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] User found in group Business
[sql] expand: SELECT id, GroupName, Attribute, Value, op FROM
radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT
id, GroupName, Attribute, Value, op FROM radgroupreply WHERE
GroupName = 'Business' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 8 , fields = 5
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: 002682671370(a)undisclosed.com
[mschap] Client is using MS-CHAPv2 for 002682671370(a)undisclosed.com, we
need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Session-Timeout := 86400
Acct-Interim-Interval := 60
WiMAX-Packet-Data-Flow-Id := 14
WiMAX-Service-Data-Flow-Id := 14
WiMAX-Service-Profile-Id := 14
WiMAX-Packet-Data-Flow-Id += 17
WiMAX-Service-Data-Flow-Id += 17
WiMAX-Service-Profile-Id += 17
MS-CHAP2-Success =
0x4a533d30353933303244453938323444463545414642463738433642313742443639433239343131363541
MS-MPPE-Recv-Key = 0xe47e60276cf546b4d154c7a4312fed43
MS-MPPE-Send-Key = 0xae6450ff89cc6be810f6663c9c64877f
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.199.20.240 port 6218
EAP-Message =
0x0107005f158000000055170301005077724abe9bda2c3ab4c2a5b6e9133fff07ae7a253430c9ffe1670894562729f17314560024cb5e27684002a9cb7ac3d92f5ffed2a5a86acd16452736910513e429e1107846c729aa7475e84238443733
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d1b22fe3b1c37c4e21bc6380caaf462
Finished request 13.
Going to the next request
Waking up in 3.5 seconds.
rad_recv: Access-Request packet from host 10.199.20.240 port 6219, id=2,
length=248
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
State = 0x3d1b22fe3b1c37c4e21bc6380caaf462
Chargeable-User-Identity = "null"
NAS-IP-Address = 10.199.20.240
NAS-Port = 5
NAS-Port-Type = Wireless-802.16
Framed-MTU = 1400
NAS-Identifier = "test"
Calling-Station-Id = "\000&\202g\023p"
Service-Type = Framed-User
WiMAX-GMT-Timezone-offset = 0
WiMAX-BS-Id = 0x000083010102
WiMAX-Release = "1.2"
WiMAX-Accounting-Capabilities = 3
WiMAX-Hotlining-Capabilities = Hotline-Profile-Id
WiMAX-Idle-Mode-Notification-Cap = Supported
WiMAX-Attr-1281 = 0x01
WiMAX-Attr-1537 = 0x0000006a
WiMAX-Available-In-Client = 67
WiMAX-Attr-36 = 0x000001
EAP-Message = 0x020700061500
Message-Authenticator = 0x59a914ec4b16deb92b5f027659f5c712
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
rlm_wimax: Fixing WiMAX binary Calling-Station-Id to 00-26-82-67-13-70
++[wimax] returns ok
[suffix] Looking up realm "undisclosed.com" for User-Name =
"1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
[suffix] No such realm "undisclosed.com"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
Session-Timeout := 86400
Acct-Interim-Interval := 60
WiMAX-Packet-Data-Flow-Id := 14
WiMAX-Service-Data-Flow-Id := 14
WiMAX-Service-Profile-Id := 14
WiMAX-Packet-Data-Flow-Id += 17
WiMAX-Service-Data-Flow-Id += 17
WiMAX-Service-Profile-Id += 17
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
[wimax] MIP-RK =
0x00b0ce41e978a30ec9b196bdea7bd74def743761ddc81add6cb19ca577056e59ea814c5b54891482a045773e861657260658939502a9babd7c0a59a92a99cf87
[wimax] MIP-SPI = 42f4fa35
[wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
[wimax] WARNING: We cannot calculate MN-HA keys.
[wimax] WARNING: WiMAX-IP-Technology not found in reply.
[wimax] WARNING: Not calculating MN-HA keys
++[wimax] returns updated
Sending Access-Accept of id 2 to 10.199.20.240 port 6219
Session-Timeout := 86400
Acct-Interim-Interval := 60
WiMAX-Packet-Data-Flow-Id := 14
WiMAX-Service-Data-Flow-Id := 14
WiMAX-Service-Profile-Id := 14
WiMAX-Packet-Data-Flow-Id += 17
WiMAX-Service-Data-Flow-Id += 17
WiMAX-Service-Profile-Id += 17
MS-MPPE-Recv-Key =
0x6b033615247e78ea0e225bea745bba8c33634e0bf28ea0388174965a980b1642
MS-MPPE-Send-Key =
0x1a21679697b923cc88f4b4ba4fa37ded7f00c035811cd6ff18b4fb4e64956077
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "1320CD7377DCB1AA6BACBBAD1A23AEE5(a)undisclosed.com"
Finished request 14.
Going to the next request
Waking up in 3.4 seconds.
3
18
Good day,
We have several branches configured for RADIUS. We are using freeradius
2.1.12 from CentOS 6.4 repo, plus daloradius 0.9.9, and MySQL. The problem
is that accounting packets are not received here in our head office when
accessing other branches' switches. When we access our own switches,
everything is logged into the db.
Branches connection is Head office > firewall > point-to-point to retail >
retail > isp > branch
Firewall connection to branches is allow-all, so this is the confusing part
Requests are logged in freeradius log file, but it is incomplete and what
we would like to accomplish is accounting packets to be recorded
With accounting packet: http://pastebin.com/M5XPYjQG
Without accounting packet: http://pastebin.com/XVCTxug6
3
7