Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2014
- 101 participants
- 129 discussions
Hi
I wanna use freeradius2 as a radius-server and dhcp-server.
When I try to connect to radius-server,following errors show up.
I think authentication is look fine.then message said sqlippool not defined.
but I set up as below.
What's wrong with my settings?
------------radiusd -X-----------------
... adding new socket proxy address * port 55682
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.5.200 port 50000, id=3,
length=205
User-Password = "test"
User-Name = "user(a)mondomaine.fr"
Acct-Session-Id = "erx FastEthernet 1/6:0011534340"
Service-Type = Framed-User
Framed-Protocol = PPP
ERX-Pppoe-Description = "pppoe 00:1d:72:c6:7b:d5"
Calling-Station-Id = "#ERX-40-b0-7a#E16#0"
NAS-Port-Type = Ethernet
NAS-Port = 369098752
NAS-Port-Id = "FastEthernet 1/6"
NAS-IP-Address = 10.0.5.200
NAS-Identifier = "ERX-40-b0-7a"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "mondomaine.fr" for User-Name = "
user(a)mondomaine.fr"
[suffix] No such realm "mondomaine.fr"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry user(a)mondomaine.fr at line 6
[files] users: Matched entry DEFAULT at line 183
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [user(a)mondomaine.fr] (from client GGSN1 port 369098752 cli
#ERX-40-b0-7a#E16#0)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sqlippool] No Pool-Name defined.
[sqlippool] expand: No Pool-Name defined (did %{Called-Station-Id}
cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> No
Pool-Name defined (did cli #ERX-40-b0-7a#E16#0 port 369098752 user
user(a)mondomaine.fr)
No Pool-Name defined (did cli #ERX-40-b0-7a#E16#0 port 369098752 user
user(a)mondomaine.fr)
++[sqlippool] returns noop
++[exec] returns noop
Sending Access-Accept of id 3 to 10.0.5.200 port 50000
NAS-IP-Address == 10.0.5.200
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.0.5.200 port 50016, id=73,
length=246
Acct-Status-Type = Stop
User-Name = "user(a)mondomaine.fr"
Event-Timestamp = "Apr 27 2014 14:19:10 PDT"
Acct-Delay-Time = 0
NAS-Identifier = "ERX-40-b0-7a"
Acct-Session-Id = "erx FastEthernet 1/6:0011534340"
NAS-IP-Address = 10.0.5.200
Service-Type = Framed-User
Calling-Station-Id = "#ERX-40-b0-7a#E16#0"
Acct-Input-Gigawords = 0
Acct-Input-Octets = 0
Acct-Output-Gigawords = 0
Acct-Output-Octets = 0
ERX-Input-Gigapkts = 0
Acct-Input-Packets = 0
ERX-Output-Gigapkts = 0
Acct-Output-Packets = 0
NAS-Port-Type = Ethernet
NAS-Port = 369098752
NAS-Port-Id = "FastEthernet 1/6"
Acct-Authentic = RADIUS
Acct-Session-Time = 0
Acct-Terminate-Cause = NAS-Request
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 369098752,Client-IP-Address =
10.0.5.200,NAS-IP-Address = 10.0.5.200,Acct-Session-Id = "erx FastEthernet
1/6:0011534340",User-Name = "user(a)mondomaine.fr"'
[acct_unique] Acct-Unique-Session-ID = "fbbf6a6fb6bf3d32".
++[acct_unique] returns ok
[suffix] Looking up realm "mondomaine.fr" for User-Name = "
user(a)mondomaine.fr"
[suffix] No such realm "mondomaine.fr"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.0.5.200
[detail] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
-> /var/log/radius/radacct/10.0.5.200/detail-20140427
[detail]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.0.5.200/detail-20140427
[detail] expand: %t -> Sun Apr 27 22:49:32 2014
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> user(a)mondomaine.fr
rlm_radutmp: Logout for NAS GGSN1 port 369098752, but no Login record
++[radutmp] returns ok
rlm_sql (sql): Reserving sql socket id: 13
[sqlippool] expand: %{User-Name} -> user(a)mondomaine.fr
[sqlippool] sql_set_user escaped user --> 'user(a)mondomaine.fr'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
[sqlippool] expand: UPDATE radippool SET nasipaddress = '', pool_key =
0, callingstationid = '', username = '', expiry_time = NULL WHERE
nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND
username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}'
AND framedipaddress = '%{Framed-IP-Address}' -> UPDATE radippool SET
nasipaddress = '', pool_key = 0, callingstationid = '', username = '',
expiry_time = NULL WHERE nasipaddress = '10.0.5.200' AND pool_key =
'369098752' AND username = 'user(a)mondomaine.fr' AND callingstationid =
'=23ERX-40-b0-7a=23E16=230' AND framedipaddress = ''
[sqlippool] expand: COMMIT -> COMMIT
[sqlippool] expand: Released IP %{Framed-IP-Address} (did
%{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name}) ->
Released IP (did cli #ERX-40-b0-7a#E16#0 user user(a)mondomaine.fr)
Released IP (did cli #ERX-40-b0-7a#E16#0 user user(a)mondomaine.fr)
rlm_sql (sql): Released sql socket id: 13
++[sqlippool] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} ->
user(a)mondomaine.fr
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 73 to 10.0.5.200 port 50016
Finished request 1.
Cleaning up request 1 ID 73 with timestamp +10
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +10
Ready to process requests.
------------------------------------------------------------
---------------------sqlippool.conf------------------------------
## Configuration for the SQL based IP Pool module (rlm_sqlippool)
##
## The database schemas are available at:
##
## raddb/sql/DB/ippool.sql
##
## $Id$
sqlippool {
#########################################
## SQL instance to use (from sql.conf) ##
##
## If you have multiple sql instances, such as "sql sql1 {...}",
## use the *instance* name here: sql1.
#########################################
sql-instance-name = "sql"
## SQL table to use for ippool range and lease info
ippool_table = "radippool"
## IP lease duration. (Leases expire even if Acct Stop packet is lost)
lease-duration = 3600
## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
## Using Calling-Station-Id works for NAS that send fixed NAS-Port
## ONLY change this if you know what you are doing!
pool-key = "%{NAS-Port}"
# pool-key = "%{Calling-Station-Id}"
################################################################
#
# WARNING: MySQL has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
#
# Use the same database as configured in the "sql" module, "database"
# configuration item. Change the "postgresql" name below to be the
# same as the "database" field of the SQL module referred to in the
# "sql-instance-name", above.
#
#$INCLUDE sql/postgresql/ippool.conf
$INCLUDE sql/mysql/ippool.conf
## Logging configuration. (Comment out to disable logging)
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from
%{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
(did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
sqlippool_log_nopool = "No Pool-Name defined \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
}
-------------------------------------------------------------------
------------------------------sql.conf---------------------------------
# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id$
######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/DB/schema.sql Schema
# sql/DB/dialup.conf Basic dialup (including policy) queries
# sql/DB/counter.conf counter
# sql/DB/ippool.conf IP Pools in SQL
# sql/DB/ippool.sql schema for IP pools.
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
sql {
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "mysql"
#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
server = "localhost"
#port = 3306
login = "userfreeradius"
password = "pwdfreeradius"
# Database table configuration for everything except Oracle
radius_db = "freeradius"
# If you are using Oracle then use this instead
# radius_db =
"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "radusergroup"
# If set to 'yes' (default) we read the group tables
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
read_groups = yes
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 15
# number of seconds to dely retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60
# lifetime of an SQL socket. If you are having network issues
# such as TCP sessions expiring, you may need to set the socket
# lifetime. If set to non-zero, any open connections will be
# closed "lifetime" seconds after they were first opened.
lifetime = 0
# Maximum number of queries used by an SQL socket. If you are
# having issues with SQL sockets lasting "too long", you can
# limit the number of queries performed over one socket. After
# "max_qeuries", the socket will be closed. Use 0 for "no limit".
max_queries = 0
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup. For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
readclients = yes
# Table to keep radius client info
nas_table = "nas"
# Read driver-specific configuration
$INCLUDE sql/${database}/dialup.conf
}
---------------------------------------------------------------------------
If these information is not enough please let me know.
Thanks,
2
2
I have having some problems with ldap group checking. Our students do
not have a common group that they are a member of. They are all a member
of a group based on their username (ST_Students for every student that
has a username that start with st). We then have groups based off each
letter of the alphabet (S_Students would contain the SA_Students through
SZ_Students groups). We then have another group called students, that
has the A_Students through Z_Students groups.
I know this is overly complex, but that is how our administrative
computing department has set things up. I would like to use the student
group to allow access to a wireless network. My current rule is as
follows.
if ((Called-Station-SSID == "Test2) && (LDAP-Group == "students")) {
noop
}
When the test user sexample5555 connects, they get denied because their
account is a member of the SE_Students group. The SE_Students group is a
member of the S_Students group, and that group is a member of the
students group....but the user is not a direct member of the students
group.
Is there an easy solution that I am missing?
Here is the full debug output. I know some things are not 100% correct.
We are still in the testing phase.
freeradius: FreeRADIUS Version 3.0.2, for host x86_64-pc-linux-gnu,
built on Apr 7 2014 at 08:43:37
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/ldap
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration
file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/utf8
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/cui
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/wifi
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
realm LOCAL {
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client our-wireless-controller.our.domain {
require_message_authenticator = no
secret = <<< secret >>>
shortname = "ttcbluesocket"
virtual_server = "wifi"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv6addr' field found in client
our-wireless-controller.our.domain. Please fix your configuration
Support for old-style clients will be removed in a future release
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_eap
# Instantiating module "eap" from
file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 4096
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from
file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Loaded module rlm_expiration
# Instantiating module "expiration" from
file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_replicate
# Instantiating module "replicate" from
file /etc/freeradius/mods-enabled/replicate
# Loaded module rlm_radutmp
# Instantiating module "sradutmp" from
file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_detail
# Instantiating module "auth_log" from
file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from
file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from
file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from
file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_exec
# Instantiating module "exec" from
file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from
file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from
file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from
file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from
file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntlm_auth" from
file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=our.domain
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from
file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from
file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from
file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from
file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist
file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from
file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist
file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist
file /etc/freeradius/mods-config/attr_filter/accounting_response
# Loaded module rlm_files
# Instantiating module "files" from
file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
usersfile = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
compat = "no"
}
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "radutmp" from
file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from
file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=
%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain=
%{%{mschap:NT-Domain}:-our.domain} --challenge=
%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
ntlm_auth_timeout = 10
passchange {
}
allow_retry = yes
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from
file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_always
# Instantiating module "reject" from
file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from
file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from
file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from
file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from
file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from
file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from
file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from
file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from
file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from
file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_unpack
# Instantiating module "unpack" from
file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_ldap
# Instantiating module "ldap" from
file /etc/freeradius/mods-enabled/ldap
ldap {
server = "server.our.domain"
port = 636
password = <<< secret >>>
identity = "ACCOUNT"
user {
filter = "(cn=%{%{mschap:User-Name}:-%{User-Name}})"
scope = "sub"
base_dn = "dc=our,dc=domain"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
base_dn = "dc=our,dc=domain"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=
%{%{mschap:User-Name}:-%{User-Name}}))"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "dc=our,dc=domain"
attribute {
identifier = "radiusClientIdentifier"
shortname = "cn"
secret = "radiusClientSecret"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 4
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to server.our.domain:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to server.our.domain:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2)
rlm_ldap (ldap): Connecting to server.our.domain:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3)
rlm_ldap (ldap): Connecting to server.our.domain:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4)
rlm_ldap (ldap): Connecting to server.our.domain:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "detail" from
file /etc/freeradius/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "echo" from
file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from
file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from
file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_utf8
# Instantiating module "utf8" from
file /etc/freeradius/mods-enabled/utf8
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server wifi { # from file /etc/freeradius/sites-enabled/wifi
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server wifi
server inner-tunnel { # from
file /etc/freeradius/sites-enabled/inner-tunnel
# Creating Auth-Type = LDAP
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1912
limit {
max_connections = 26
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 26
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1912 as server wifi
Listening on acct address * port 1813 as server wifi
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 33306
Ready to process requests.
rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034,
id=39, length=174
User-Name = 'DOMAIN\\sexample5555'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-7E-81:Test2'
Calling-Station-Id = '00-26-5E-31-33-3B'
Framed-MTU = 1400
Attr-26 = 0x000026ef030302
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x025c0016014b5643435c736578616d706c6535353535
Message-Authenticator = 0x8c275779e337acf4e7eaccbf78cad923
(0) # Executing section authorize from
file /etc/freeradius/sites-enabled/wifi
(0) authorize {
(0) if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
(0) if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
(0) if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
(0) update request {
(0) EXPAND %{7}
(0) --> Test2
(0) Called-Station-SSID := "Test2"
(0) } # update request = noop
(0) } # if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop
(0) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
"students"))
(0) Searching for user in group "students"
rlm_ldap (ldap): Reserved connection (4)
(0) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}})
(0) --> (cn=sexample5555)
(0) EXPAND dc=our,dc=domain
(0) --> dc=our,dc=domain
(0) Performing search in 'dc=our,dc=domain' with filter
'(cn=sexample5555)', scope 'sub'
(0) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://our.domain/CN=Configuration,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
User object found at DN
"CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain"
(0) Checking for user in group objects
(0) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member=
%{control:Ldap-UserDn})(memberUid=
%{%{mschap:User-Name}:-%{User-Name}})))
(0) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN
\3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents
\2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555)))
(0) EXPAND dc=our,dc=domain
(0) --> dc=our,dc=domain
(0) Waiting for bind result...
(0) Bind successful
(0) Performing search in 'dc=our,dc=domain' with filter
'(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU
\3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC
\3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub'
(0) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://our.dom/CN=Configuration,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(0) Search returned no results
(0) Search returned not found
(0) Checking user object membership (memberOf) attributes
(0) Waiting for bind result...
(0) Bind successful
(0) Performing unfiltered search in
'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base'
(0) Waiting for search result...
(0) Processing group membership value
"CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain"
(0) Converting group DN to group Name
(0) Performing unfiltered search in
'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain',
scope 'base'
(0) Waiting for search result...
(0) Group name is "GROUP1"
(0) Processing group membership value
"CN=GROUP2,OU=groups,DC=our,DC=domain"
(0) Converting group DN to group Name
(0) Performing unfiltered search in
'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base'
(0) Waiting for search result...
(0) Group name is "GROUP2"
(0) Processing group membership value
"CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain"
(0) Converting group DN to group Name
(0) Performing unfiltered search in
'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base'
(0) Waiting for search result...
(0) Group name is "SE_students"
(0) Processing group membership value
"CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain"
(0) Converting group DN to group Name
(0) Performing unfiltered search in
'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain',
scope 'base'
(0) Waiting for search result...
(0) Group name is "GROUP4"
(0) Processing group membership value
"CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain"
(0) Converting group DN to group Name
(0) Performing unfiltered search in
'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base'
(0) Waiting for search result...
(0) Group name is "GROUP5"
rlm_ (ldap): Deleting connection (4)
(0) User is not a member of specified group
(0) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
"students")) -> FALSE
(0) else else {
(0) [reject] = reject
(0) } # else else = reject
(0) } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/wifi
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> DOMAIN\sexample5555
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request was previously rejected, inserting EAP-Failure
(0) [eap] = updated
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (reply:EAP-Message && reply:Reply-Message)
(0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying reject of request 0 for 1 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed reject
Sending Access-Reject of id 39 from Radius-Server port 1912 to
WIFI-CONTROLLER-IP port 1034
EAP-Message = 0x045c0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host WIFI-CONTROLLER-IP port 1034,
id=40, length=174
User-Name = 'our\\sexample5555'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-7E-81:Test2'
Calling-Station-Id = '00-26-5E-31-33-3B'
Framed-MTU = 1400
Attr-26 = 0x000026ef030302
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x02b00016014b5643435c736578616d706c6535353535
Message-Authenticator = 0xfc98b83654758f9d0071ba123c21ca2e
(1) # Executing section authorize from
file /etc/freeradius/sites-enabled/wifi
(1) authorize {
(1) if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
(1) if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
(1) if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {
(1) update request {
(1) EXPAND %{7}
(1) --> Test2
(1) Called-Station-SSID := "Test2"
(1) } # update request = noop
(1) } # if (Called-Station-Id
=~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) = noop
(1) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
"students"))
(1) Searching for user in group "students"
rlm_ldap (ldap): Reserved connection (3)
(1) EXPAND (cn=%{%{mschap:User-Name}:-%{User-Name}})
(1) --> (cn=sexample5555)
(1) EXPAND dc=our,dc=domain
(1) --> dc=our,dc=domain
(1) Performing search in 'dc=our,dc=domain' with filter
'(cn=sexample5555)', scope 'sub'
(1) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://our.domain/CN=Configuration,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(1) User object found at DN
"CN=sexample5555,OU=OUR-OU,OU=OUR-OU,OU=OUR-OU,OU=people,DC=our,DC=domain"
(1) Checking for user in group objects
(1) EXPAND (&(cn=students)(objectClass=posixGroup)(|(member=
%{control:Ldap-UserDn})(memberUid=
%{%{mschap:User-Name}:-%{User-Name}})))
(1) --> (&(cn=students)(objectClass=posixGroup)(|(member=CN
\3dsexample5555\2cOU\3dse_students\2cOU\3dS_students\2cOU\3dstudents
\2cOU\3dpeople\2cDC\3dour\2cDC\3ddom)(memberUid=sexample5555)))
(1) EXPAND dc=our,dc=domain
(1) --> dc=our,dc=domain
(1) Waiting for bind result...
(1) Bind successful
(1) Performing search in 'dc=our,dc=domain' with filter
'(&(cn=students)(objectClass=posixGroup)(|(member=CN\3dsexample5555\2cOU
\3dse_students\2cOU\3dS_students\2cOU\3dstudents\2cOU\3dpeople\2cDC
\3dour\2cDC\3ddom)(memberUid=sexample5555)))', scope 'sub'
(1) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://DomainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldaps://our.domain/CN=Configuration,DC=our,DC=domain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(1) Search returned no results
(1) Search returned not found
(1) Checking user object membership (memberOf) attributes
(1) Waiting for bind result...
(1) Bind successful
(1) Performing unfiltered search in
'CN=sexample5555,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base'
(1) Waiting for search result...
(1) Processing group membership value
"CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain"
(1) Converting group DN to group Name
(1) Performing unfiltered search in
'CN=GROUP1,OU=_Section-Groups,OU=students,OU=people,DC=our,DC=domain',
scope 'base'
(1) Waiting for search result...
(1) Group name is "GROUP1"
(1) Processing group membership value
"CN=GROUP2,OU=groups,DC=our,DC=domain"
(1) Converting group DN to group Name
(1) Performing unfiltered search in
'CN=GROUP2,OU=groups,DC=our,DC=domain', scope 'base'
(1) Waiting for search result...
(1) Group name is "GROUP2"
(1) Processing group membership value
"CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain"
(1) Converting group DN to group Name
(1) Performing unfiltered search in
'CN=SE_students,OU=se_students,OU=S_students,OU=students,OU=people,DC=our,DC=domain', scope 'base'
(1) Waiting for search result...
(1) Group name is "SE_students"
(1) Processing group membership value
"CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain"
(1) Converting group DN to group Name
(1) Performing unfiltered search in
'CN=GROUP4,OU=_Dept-Groups,OU=students,OU=people,DC=our,DC=domain',
scope 'base'
(1) Waiting for search result...
(1) Group name is "GROUP4"
(1) Processing group membership value
"CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain"
(1) Converting group DN to group Name
(1) Performing unfiltered search in
'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base'
(1) Waiting for search result...
(1) Group name is "GROUP5"
rlm_ldap (ldap): Deleting connection (3)
(1) User is not a member of specified group
(1) if ((Called-Station-SSID == "Test2") && (LDAP-Group ==
"students")) -> FALSE
(1) else else {
(1) [reject] = reject
(1) } # else else = reject
(1) } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/sites-enabled/wifi
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject : EXPAND %{User-Name}
(1) attr_filter.access_reject : --> DOMAIN\sexample5555
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap : Request was previously rejected, inserting EAP-Failure
(1) [eap] = updated
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) if (reply:EAP-Message && reply:Reply-Message)
(1) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying reject of request 1 for 1 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 40 from SERVER-IP port 1912 to
WIFI-CONTROLLER-IP port 1034
EAP-Message = 0x04b00004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.3 seconds.
(0) Cleaning up request packet ID 39 with timestamp +6
Waking up in 2.6 seconds.
Thanks!
-Josh
6
18
Hello,
It looks like the pasword size for a user in the radcheck table is 16 characters (if I put one more it fails to login). Is there any easy way to allow bigger passwords?
Thank you
Benoit
3
3
Hi All
I can not find any attribute dictionary VENDOR ZTE (dictionary ID 3902) .
Any one can help me ?
Best regards.
4
11
Hi
I wanna use freeradius2 as a radius-server and dhcp-server.
When I try to connect to radius-server,following errors show up.
I think authentication is look fine.then message said sqlippool not defined.
but I set up as below.
What's wrong with my settings?
------------radiusd -X-----------------
... adding new socket proxy address * port 55682
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.5.200 port 50000, id=3,
length=205
User-Password = "test"
User-Name = "user(a)mondomaine.fr"
Acct-Session-Id = "erx FastEthernet 1/6:0011534340"
Service-Type = Framed-User
Framed-Protocol = PPP
ERX-Pppoe-Description = "pppoe 00:1d:72:c6:7b:d5"
Calling-Station-Id = "#ERX-40-b0-7a#E16#0"
NAS-Port-Type = Ethernet
NAS-Port = 369098752
NAS-Port-Id = "FastEthernet 1/6"
NAS-IP-Address = 10.0.5.200
NAS-Identifier = "ERX-40-b0-7a"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "mondomaine.fr" for User-Name = "
user(a)mondomaine.fr"
[suffix] No such realm "mondomaine.fr"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry user(a)mondomaine.fr at line 6
[files] users: Matched entry DEFAULT at line 183
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [user(a)mondomaine.fr] (from client GGSN1 port 369098752 cli
#ERX-40-b0-7a#E16#0)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sqlippool] No Pool-Name defined.
[sqlippool] expand: No Pool-Name defined (did %{Called-Station-Id}
cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> No
Pool-Name defined (did cli #ERX-40-b0-7a#E16#0 port 369098752 user
user(a)mondomaine.fr)
No Pool-Name defined (did cli #ERX-40-b0-7a#E16#0 port 369098752 user
user(a)mondomaine.fr)
++[sqlippool] returns noop
++[exec] returns noop
Sending Access-Accept of id 3 to 10.0.5.200 port 50000
NAS-IP-Address == 10.0.5.200
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.0.5.200 port 50016, id=73,
length=246
Acct-Status-Type = Stop
User-Name = "user(a)mondomaine.fr"
Event-Timestamp = "Apr 27 2014 14:19:10 PDT"
Acct-Delay-Time = 0
NAS-Identifier = "ERX-40-b0-7a"
Acct-Session-Id = "erx FastEthernet 1/6:0011534340"
NAS-IP-Address = 10.0.5.200
Service-Type = Framed-User
Calling-Station-Id = "#ERX-40-b0-7a#E16#0"
Acct-Input-Gigawords = 0
Acct-Input-Octets = 0
Acct-Output-Gigawords = 0
Acct-Output-Octets = 0
ERX-Input-Gigapkts = 0
Acct-Input-Packets = 0
ERX-Output-Gigapkts = 0
Acct-Output-Packets = 0
NAS-Port-Type = Ethernet
NAS-Port = 369098752
NAS-Port-Id = "FastEthernet 1/6"
Acct-Authentic = RADIUS
Acct-Session-Time = 0
Acct-Terminate-Cause = NAS-Request
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 369098752,Client-IP-Address =
10.0.5.200,NAS-IP-Address = 10.0.5.200,Acct-Session-Id = "erx FastEthernet
1/6:0011534340",User-Name = "user(a)mondomaine.fr"'
[acct_unique] Acct-Unique-Session-ID = "fbbf6a6fb6bf3d32".
++[acct_unique] returns ok
[suffix] Looking up realm "mondomaine.fr" for User-Name = "
user(a)mondomaine.fr"
[suffix] No such realm "mondomaine.fr"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.0.5.200
[detail] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
-> /var/log/radius/radacct/10.0.5.200/detail-20140427
[detail]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.0.5.200/detail-20140427
[detail] expand: %t -> Sun Apr 27 22:49:32 2014
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> user(a)mondomaine.fr
rlm_radutmp: Logout for NAS GGSN1 port 369098752, but no Login record
++[radutmp] returns ok
rlm_sql (sql): Reserving sql socket id: 13
[sqlippool] expand: %{User-Name} -> user(a)mondomaine.fr
[sqlippool] sql_set_user escaped user --> 'user(a)mondomaine.fr'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
[sqlippool] expand: UPDATE radippool SET nasipaddress = '', pool_key =
0, callingstationid = '', username = '', expiry_time = NULL WHERE
nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND
username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}'
AND framedipaddress = '%{Framed-IP-Address}' -> UPDATE radippool SET
nasipaddress = '', pool_key = 0, callingstationid = '', username = '',
expiry_time = NULL WHERE nasipaddress = '10.0.5.200' AND pool_key =
'369098752' AND username = 'user(a)mondomaine.fr' AND callingstationid =
'=23ERX-40-b0-7a=23E16=230' AND framedipaddress = ''
[sqlippool] expand: COMMIT -> COMMIT
[sqlippool] expand: Released IP %{Framed-IP-Address} (did
%{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name}) ->
Released IP (did cli #ERX-40-b0-7a#E16#0 user user(a)mondomaine.fr)
Released IP (did cli #ERX-40-b0-7a#E16#0 user user(a)mondomaine.fr)
rlm_sql (sql): Released sql socket id: 13
++[sqlippool] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} ->
user(a)mondomaine.fr
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 73 to 10.0.5.200 port 50016
Finished request 1.
Cleaning up request 1 ID 73 with timestamp +10
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +10
Ready to process requests.
------------------------------------------------------------
---------------------sqlippool.conf------------------------------
## Configuration for the SQL based IP Pool module (rlm_sqlippool)
##
## The database schemas are available at:
##
## raddb/sql/DB/ippool.sql
##
## $Id$
sqlippool {
#########################################
## SQL instance to use (from sql.conf) ##
##
## If you have multiple sql instances, such as "sql sql1 {...}",
## use the *instance* name here: sql1.
#########################################
sql-instance-name = "sql"
## SQL table to use for ippool range and lease info
ippool_table = "radippool"
## IP lease duration. (Leases expire even if Acct Stop packet is lost)
lease-duration = 3600
## Attribute which should be considered unique per NAS
## Using NAS-Port gives behaviour similar to rlm_ippool. (And ACS)
## Using Calling-Station-Id works for NAS that send fixed NAS-Port
## ONLY change this if you know what you are doing!
pool-key = "%{NAS-Port}"
# pool-key = "%{Calling-Station-Id}"
################################################################
#
# WARNING: MySQL has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################
#
# Use the same database as configured in the "sql" module, "database"
# configuration item. Change the "postgresql" name below to be the
# same as the "database" field of the SQL module referred to in the
# "sql-instance-name", above.
#
#$INCLUDE sql/postgresql/ippool.conf
$INCLUDE sql/mysql/ippool.conf
## Logging configuration. (Comment out to disable logging)
sqlippool_log_exists = "Existing IP: %{reply:Framed-IP-Address} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
sqlippool_log_success = "Allocated IP: %{reply:Framed-IP-Address} from
%{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
sqlippool_log_clear = "Released IP %{Framed-IP-Address}\
(did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
sqlippool_log_failed = "IP Allocation FAILED from %{control:Pool-Name} \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
sqlippool_log_nopool = "No Pool-Name defined \
(did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user
%{User-Name})"
}
-------------------------------------------------------------------
------------------------------sql.conf---------------------------------
# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id$
######################################################################
#
# Configuration for the SQL module
#
# The database schemas and queries are located in subdirectories:
#
# sql/DB/schema.sql Schema
# sql/DB/dialup.conf Basic dialup (including policy) queries
# sql/DB/counter.conf counter
# sql/DB/ippool.conf IP Pools in SQL
# sql/DB/ippool.sql schema for IP pools.
#
# Where "DB" is mysql, mssql, oracle, or postgresql.
#
sql {
#
# Set the database to one of:
#
# mysql, mssql, oracle, postgresql
#
database = "mysql"
#
# Which FreeRADIUS driver to use.
#
driver = "rlm_sql_${database}"
# Connection info:
server = "localhost"
#port = 3306
login = "userfreeradius"
password = "pwdfreeradius"
# Database table configuration for everything except Oracle
radius_db = "freeradius"
# If you are using Oracle then use this instead
# radius_db =
"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2
acct_table1 = "radacct"
acct_table2 = "radacct"
# Allow for storing data after authentication
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
# Table to keep group info
usergroup_table = "radusergroup"
# If set to 'yes' (default) we read the group tables
# If set to 'no' the user MUST have Fall-Through = Yes in the radreply table
read_groups = yes
# Remove stale session if checkrad does not see a double login
deletestalesessions = yes
# Print all SQL statements when in debug mode (-x)
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
# number of sql connections to make to server
num_sql_socks = 15
# number of seconds to dely retrying on a failed database
# connection (per_socket)
connect_failure_retry_delay = 60
# lifetime of an SQL socket. If you are having network issues
# such as TCP sessions expiring, you may need to set the socket
# lifetime. If set to non-zero, any open connections will be
# closed "lifetime" seconds after they were first opened.
lifetime = 0
# Maximum number of queries used by an SQL socket. If you are
# having issues with SQL sockets lasting "too long", you can
# limit the number of queries performed over one socket. After
# "max_qeuries", the socket will be closed. Use 0 for "no limit".
max_queries = 0
# Set to 'yes' to read radius clients from the database ('nas' table)
# Clients will ONLY be read on server startup. For performance
# and security reasons, finding clients via SQL queries CANNOT
# be done "live" while the server is running.
#
readclients = yes
# Table to keep radius client info
nas_table = "nas"
# Read driver-specific configuration
$INCLUDE sql/${database}/dialup.conf
}
---------------------------------------------------------------------------
If these information is not enough please let me know.
Thanks,
1
0
HI, I'm really new of freeradius.
I wanna use freeradius as a radius server and dhcp server.
When I try to connect to radius server from pppoe client(windwos vista
laptop) via ERX310(juniper), freeradius shows following error messages. I
have no clue what's wrong. I'm really confused.
Message said no post-auth type found. But man page said it should not be
set.
How can I resolve this problem ?
Any advice will help me!
------------
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.5.200 port 50000, id=2,
length=205
User-Password = "test"
User-Name = "user(a)mondomaine.fr"
Acct-Session-Id = "erx FastEthernet 1/6:0010485762"
Service-Type = Framed-User
Framed-Protocol = PPP
ERX-Pppoe-Description = "pppoe 00:1d:72:c6:7b:d5"
Calling-Station-Id = "#ERX-40-b0-7a#E16#0"
NAS-Port-Type = Ethernet
NAS-Port = 369098752
NAS-Port-Id = "FastEthernet 1/6"
NAS-IP-Address = 10.0.5.200
NAS-Identifier = "ERX-40-b0-7a"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "mondomaine.fr" for User-Name = "
user(a)mondomaine.fr"
[suffix] No such realm "mondomaine.fr"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Login incorrect: [user(a)mondomaine.fr/test] (from client GGSN1 port
369098752 cli #ERX-40-b0-7a#E16#0)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user(a)mondomaine.fr
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 2 to 10.0.5.200 port 50000
Waking up in 4.9 seconds.
Cleaning up request 0 ID 2 with timestamp +12
Ready to process requests.
------------
thanks in advance.
4
7
Hello,
Is there any way I can terminate a specific user's session server side? Any solution as close to PHP as it gets would be great. Maybee I can immitate somehow the package sent to the access point to notice the session is terminated, or maybee there is a command line or something...
At this point in my script I have the user's credentials, the access point's IP and listening port. I hope I can get somewhere from there.
Thanks in advance.
Benoit
2
1
Sorry if this is a stupid question, but is there a way to control the
Phase 2 Authentication method when doing PEAP?
My aim is to only allow MSCHAPV2, however, I also get a good reply from
the Server if I select
None, PAP, MD5, MSCHAP, or MSCHAPv2 on the supplicant.
Or is phase 2 Authentication the prerogative of the supplicant?
I've attached the Debug output for When I tried to long on via no Phase
2 Authentication, though there was an interesting line that Appears in
my debug output for many different modes (None, PAP, MD5, MSCHAP,
MSCHAPv2) that worked. Is freeradius forcing the supplicant into a
MSCHAPv2 for the 2nd Phase ignoring what was selected?
(8) eap_peap : EAP type MSCHAPv2 (26)
However when I tried using GTC as the Phase 2 Authentication method it
fails out (as expected) and I get
(7) eap_peap : EAP type NAK (3)
I've tried this or two different two of Supplicants (Android Phone, and
Linux PC)
I've commented out any reference to pap, etc in config files and removed
the link from mods-enabled.
Thank You,
Casey
Starting FreeRadius Daemon (Test Mode)...[1mradiusd: FreeRADIUS
Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Oct 26 2013
at 18:29:10[0m
[1mCopyright (C) 1999-2013 The FreeRADIUS server project and
contributors.[0m
[1mThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A[0m
[1mPARTICULAR PURPOSE.[0m
[1mYou may redistribute copies of FreeRADIUS under the terms of the[0m
[1mGNU General Public License.[0m
[1mFor more information about these matters, see the file named
COPYRIGHT.[0m
[1mStarting - reading configuration files ...[0m
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/logintime
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/filter
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/wifi
main {
security {
user = "radius"
group = "radius"
chroot = "/srv/freeradius"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log"
run_dir = "/var/run"
libdir = "/lib"
radacctdir = "/var/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 5096
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
}
security {
max_attributes = 200
reject_delay = 3
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client localhost {
ipv6addr = ::1 IPv6 address [::1]
netmask = 128
require_message_authenticator = yes
secret = "testing123"
proto = "udp"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client wlan-west {
ipaddr = 10.50.1.2
netmask = 32
require_message_authenticator = yes
secret = "test123"
proto = "udp"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_radutmp
# Instantiating module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 4096
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/prouter-radius.pem"
certificate_file = "/etc/raddb/certs/prouter-radius_crt.pem"
ca_file = "/etc/raddb/certs/cacert.pem"
private_key_password = "2rU36=L-mdKYVbG"
dh_file = "/etc/raddb/certs/dh_radius"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "radutmp" from file
/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file
/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file
/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "no"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-auth {...}
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading virtual module filter_username
# Loading preacct {...}
# Loading virtual module acct_unique
# Loading accounting {...}
# Loading post-auth {...}
# Loading virtual module remove_reply_message_if_eap
# Loading virtual module remove_reply_message_if_eap
} # server
server wifi { # from file /etc/raddb/sites-enabled/wifi
# Loading authenticate {...}
# Loading authorize {...}
# Loading virtual module filter_username
# Loading preacct {...}
# Loading virtual module acct_unique
# Loading accounting {...}
# Loading post-auth {...}
# Loading virtual module remove_reply_message_if_eap
# Loading virtual module remove_reply_message_if_eap
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipv6addr = ::1 IPv6 address [::1]
port = 18120
}
listen {
type = "auth"
ipaddr = 10.50.1.1
port = 0
}
listen {
type = "acct"
ipaddr = 10.50.1.1
port = 0
}
listen {
type = "auth"
ipv6addr = ::1 IPv6 address [::1]
port = 1812
}
listen {
type = "acct"
ipv6addr = ::1 IPv6 address [::1]
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address ::1 port 18120 as server inner-tunnel
Listening on auth interface br0 address 10.50.1.1 port 1812 as server
default
Listening on acct interface br0 address 10.50.1.1 port 1813 as server
default
Listening on auth interface lo address ::1 port 1812 as server wifi
Listening on acct interface lo address ::1 port 1813 as server wifi
[1mReady to process requests.[0m
rad_recv: Access-Request packet from host ::1 port 48165, id=0, length=180
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message = 0x0267000a017374657665
Message-Authenticator = 0xd79bddbc4667890f34d4075e791ad2a4
(0) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'steve'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /(a)\\./)
(0) ? if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(0) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(0) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(0) [auth_log] = ok
(0) files : users: Matched entry steve at line 73
(0) [files] = ok
(0) ? if (control:wifi_key != "true")
(0) expand: "true" -> 'true'
(0) ? if (control:wifi_key != "true") -> FALSE
(0) eap : EAP packet type response id 103 length 10
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/wifi
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918a8c56083
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge of id 0 from ::1 port 1812 to ::1 port 48165
EAP-Message = 0x016800061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918a8c560834e7c8f387fecd2a4
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=1, length=396
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message =
0x026800d01980000000c616030100c1010000bd030153583d21bd49160c44cfa32bf122061d9455306e0281a1d48613ca7be42cdb68000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011
State = 0xa8ad7918a8c560834e7c8f387fecd2a4
Message-Authenticator = 0x97948d30a20d05e55e7847bef6bb35ef
(1) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(1) authorize {
(1) filter_username filter_username {
(1) ? if (User-Name != "%{tolower:%{User-Name}}")
(1) expand: "%{tolower:%{User-Name}}" -> 'steve'
(1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) ? if (User-Name =~ / /)
(1) ? if (User-Name =~ / /) -> FALSE
(1) ? if (User-Name =~ /@.*@/ )
(1) ? if (User-Name =~ /@.*@/ ) -> FALSE
(1) ? if (User-Name =~ /\\.\\./ )
(1) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(1) ? if (User-Name =~ /\\.$/)
(1) ? if (User-Name =~ /\\.$/) -> FALSE
(1) ? if (User-Name =~ /(a)\\./)
(1) ? if (User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(1) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(1) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(1) [auth_log] = ok
(1) files : users: Matched entry steve at line 73
(1) [files] = ok
(1) ? if (control:wifi_key != "true")
(1) expand: "true" -> 'true'
(1) ? if (control:wifi_key != "true") -> FALSE
(1) eap : EAP packet type response id 104 length 208
(1) eap : Continuing tunnel setup.
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/wifi
(1) authenticate {
(1) eap : Expiring EAP session with state 0xa8ad7918a8c56083
(1) eap : Finished EAP session with state 0xa8ad7918a8c56083
(1) eap : Previous EAP request found for state 0xa8ad7918a8c56083,
released from the list
(1) eap : Peer sent PEAP (25)
(1) eap : EAP PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : processing EAP-TLS
TLS Length 198
(1) eap_peap : Length Included
(1) eap_peap : eaptls_verify returned 11
(1) eap_peap : (other): before/accept initialization
(1) eap_peap : TLS_accept: before/accept initialization
(1) eap_peap : <<< TLS 1.0 Handshake [length 00c1], ClientHello
(1) eap_peap : TLS_accept: SSLv3 read client hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap : TLS_accept: SSLv3 write server hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 06cd], Certificate
(1) eap_peap : TLS_accept: SSLv3 write certificate A
(1) eap_peap : >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
(1) eap_peap : TLS_accept: SSLv3 write key exchange A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap : TLS_accept: SSLv3 write server done A
(1) eap_peap : TLS_accept: SSLv3 flush data
(1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap : eaptls_process returned 13
(1) eap_peap : FR_TLS_HANDLED
(1) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918a9c46083
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge of id 1 from ::1 port 1812 to ::1 port 48165
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918a9c460834e7c8f387fecd2a4
(1) Finished request 1.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=2, length=194
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message = 0x026900061900
State = 0xa8ad7918a9c460834e7c8f387fecd2a4
Message-Authenticator = 0x98d32114182bbaf058b8ef095dd350f6
(2) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(2) authorize {
(2) filter_username filter_username {
(2) ? if (User-Name != "%{tolower:%{User-Name}}")
(2) expand: "%{tolower:%{User-Name}}" -> 'steve'
(2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) ? if (User-Name =~ / /)
(2) ? if (User-Name =~ / /) -> FALSE
(2) ? if (User-Name =~ /@.*@/ )
(2) ? if (User-Name =~ /@.*@/ ) -> FALSE
(2) ? if (User-Name =~ /\\.\\./ )
(2) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(2) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(2) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(2) ? if (User-Name =~ /\\.$/)
(2) ? if (User-Name =~ /\\.$/) -> FALSE
(2) ? if (User-Name =~ /(a)\\./)
(2) ? if (User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(2) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(2) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(2) [auth_log] = ok
(2) files : users: Matched entry steve at line 73
(2) [files] = ok
(2) ? if (control:wifi_key != "true")
(2) expand: "true" -> 'true'
(2) ? if (control:wifi_key != "true") -> FALSE
(2) eap : EAP packet type response id 105 length 6
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/wifi
(2) authenticate {
(2) eap : Expiring EAP session with state 0xa8ad7918a9c46083
(2) eap : Finished EAP session with state 0xa8ad7918a9c46083
(2) eap : Previous EAP request found for state 0xa8ad7918a9c46083,
released from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
(2) eap_peap : Received TLS ACK
(2) eap_peap : Received TLS ACK
(2) eap_peap : ACK handshake fragment handler
(2) eap_peap : eaptls_verify returned 1
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918aac76083
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge of id 2 from ::1 port 1812 to ::1 port 48165
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918aac760834e7c8f387fecd2a4
(2) Finished request 2.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=3, length=194
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message = 0x026a00061900
State = 0xa8ad7918aac760834e7c8f387fecd2a4
Message-Authenticator = 0xddba5abc747ee013a391120cd5aaf0eb
(3) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(3) authorize {
(3) filter_username filter_username {
(3) ? if (User-Name != "%{tolower:%{User-Name}}")
(3) expand: "%{tolower:%{User-Name}}" -> 'steve'
(3) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) ? if (User-Name =~ / /)
(3) ? if (User-Name =~ / /) -> FALSE
(3) ? if (User-Name =~ /@.*@/ )
(3) ? if (User-Name =~ /@.*@/ ) -> FALSE
(3) ? if (User-Name =~ /\\.\\./ )
(3) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(3) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(3) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(3) ? if (User-Name =~ /\\.$/)
(3) ? if (User-Name =~ /\\.$/) -> FALSE
(3) ? if (User-Name =~ /(a)\\./)
(3) ? if (User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(3) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(3) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(3) [auth_log] = ok
(3) files : users: Matched entry steve at line 73
(3) [files] = ok
(3) ? if (control:wifi_key != "true")
(3) expand: "true" -> 'true'
(3) ? if (control:wifi_key != "true") -> FALSE
(3) eap : EAP packet type response id 106 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/wifi
(3) authenticate {
(3) eap : Expiring EAP session with state 0xa8ad7918aac76083
(3) eap : Finished EAP session with state 0xa8ad7918aac76083
(3) eap : Previous EAP request found for state 0xa8ad7918aac76083,
released from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918abc66083
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge of id 3 from ::1 port 1812 to ::1 port 48165
EAP-Message =
0x016b0023190027d0ad5942b830c50f432697e5a588b8afbade4516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918abc660834e7c8f387fecd2a4
(3) Finished request 3.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=4, length=332
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message =
0x026b0090198000000086160301004610000042410492d0d71260ecb28182a7a04abf0fe0f9252a84a956e2fd903a8e13836d460b23c9296726d0c1f971f367cc6cfbc11285f0e60a40513b2ab6bfbab088dd618419140301000101160301003095e5112ba7cdc234ff9508a9549e3b4941505303a3dc9e9e4bea804c11040dd25efaba55305c75573e27f82cc0ce4a0f
State = 0xa8ad7918abc660834e7c8f387fecd2a4
Message-Authenticator = 0x2f89a733b9060aac852a3bc51ca6da47
(4) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(4) authorize {
(4) filter_username filter_username {
(4) ? if (User-Name != "%{tolower:%{User-Name}}")
(4) expand: "%{tolower:%{User-Name}}" -> 'steve'
(4) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) ? if (User-Name =~ / /)
(4) ? if (User-Name =~ / /) -> FALSE
(4) ? if (User-Name =~ /@.*@/ )
(4) ? if (User-Name =~ /@.*@/ ) -> FALSE
(4) ? if (User-Name =~ /\\.\\./ )
(4) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(4) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(4) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(4) ? if (User-Name =~ /\\.$/)
(4) ? if (User-Name =~ /\\.$/) -> FALSE
(4) ? if (User-Name =~ /(a)\\./)
(4) ? if (User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(4) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(4) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(4) [auth_log] = ok
(4) files : users: Matched entry steve at line 73
(4) [files] = ok
(4) ? if (control:wifi_key != "true")
(4) expand: "true" -> 'true'
(4) ? if (control:wifi_key != "true") -> FALSE
(4) eap : EAP packet type response id 107 length 144
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/wifi
(4) authenticate {
(4) eap : Expiring EAP session with state 0xa8ad7918abc66083
(4) eap : Finished EAP session with state 0xa8ad7918abc66083
(4) eap : Previous EAP request found for state 0xa8ad7918abc66083,
released from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
TLS Length 134
(4) eap_peap : Length Included
(4) eap_peap : eaptls_verify returned 11
(4) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap : TLS_accept: SSLv3 read client key exchange A
(4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 read finished A
(4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap : TLS_accept: SSLv3 write finished A
(4) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session
63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a to cache
(4) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918acc16083
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge of id 4 from ::1 port 1812 to ::1 port 48165
EAP-Message =
0x016c00411900140301000101160301003009545d7f94b5e5e3e8f070d78a9404478773a978dda13146eed6d71884901a1d04dc032f3554330c8e2d60ea23524163
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918acc160834e7c8f387fecd2a4
(4) Finished request 4.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=5, length=194
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message = 0x026c00061900
State = 0xa8ad7918acc160834e7c8f387fecd2a4
Message-Authenticator = 0xae54d80b044b43fa45d718577351a2d3
(5) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(5) authorize {
(5) filter_username filter_username {
(5) ? if (User-Name != "%{tolower:%{User-Name}}")
(5) expand: "%{tolower:%{User-Name}}" -> 'steve'
(5) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) ? if (User-Name =~ / /)
(5) ? if (User-Name =~ / /) -> FALSE
(5) ? if (User-Name =~ /@.*@/ )
(5) ? if (User-Name =~ /@.*@/ ) -> FALSE
(5) ? if (User-Name =~ /\\.\\./ )
(5) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(5) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(5) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(5) ? if (User-Name =~ /\\.$/)
(5) ? if (User-Name =~ /\\.$/) -> FALSE
(5) ? if (User-Name =~ /(a)\\./)
(5) ? if (User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(5) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(5) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(5) [auth_log] = ok
(5) files : users: Matched entry steve at line 73
(5) [files] = ok
(5) ? if (control:wifi_key != "true")
(5) expand: "true" -> 'true'
(5) ? if (control:wifi_key != "true") -> FALSE
(5) eap : EAP packet type response id 108 length 6
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/wifi
(5) authenticate {
(5) eap : Expiring EAP session with state 0xa8ad7918acc16083
(5) eap : Finished EAP session with state 0xa8ad7918acc16083
(5) eap : Previous EAP request found for state 0xa8ad7918acc16083,
released from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake is finished
(5) eap_peap : eaptls_verify returned 3
(5) eap_peap : eaptls_process returned 3
(5) eap_peap : FR_TLS_SUCCESS
(5) eap_peap : Session established. Decoding tunneled attributes.
(5) eap_peap : Peap state TUNNEL ESTABLISHED
(5) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918adc06083
(5) [eap] = handled
(5) } # authenticate = handled
Sending Access-Challenge of id 5 from ::1 port 1812 to ::1 port 48165
EAP-Message =
0x016d002b1900170301002059df3c16dae8dc16851faddfa9adf66b5d377c8d77d4a94b8ddb3dd641a7ff7f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918adc060834e7c8f387fecd2a4
(5) Finished request 5.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=6, length=268
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message =
0x026d0050190017030100204cbd0844571c6a95c351b861ffeb20871e1a268e30eade06b683ab8d37f6b0681703010020a0f7d4d3cb51269adedeebc1a2c50ab9ce06544aa25177e6c47420e308459d98
State = 0xa8ad7918adc060834e7c8f387fecd2a4
Message-Authenticator = 0xc6f194f2722da7c403d8d2b1f3e30e82
(6) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(6) authorize {
(6) filter_username filter_username {
(6) ? if (User-Name != "%{tolower:%{User-Name}}")
(6) expand: "%{tolower:%{User-Name}}" -> 'steve'
(6) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) ? if (User-Name =~ / /)
(6) ? if (User-Name =~ / /) -> FALSE
(6) ? if (User-Name =~ /@.*@/ )
(6) ? if (User-Name =~ /@.*@/ ) -> FALSE
(6) ? if (User-Name =~ /\\.\\./ )
(6) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(6) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(6) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(6) ? if (User-Name =~ /\\.$/)
(6) ? if (User-Name =~ /\\.$/) -> FALSE
(6) ? if (User-Name =~ /(a)\\./)
(6) ? if (User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(6) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(6) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(6) [auth_log] = ok
(6) files : users: Matched entry steve at line 73
(6) [files] = ok
(6) ? if (control:wifi_key != "true")
(6) expand: "true" -> 'true'
(6) ? if (control:wifi_key != "true") -> FALSE
(6) eap : EAP packet type response id 109 length 80
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/wifi
(6) authenticate {
(6) eap : Expiring EAP session with state 0xa8ad7918adc06083
(6) eap : Finished EAP session with state 0xa8ad7918adc06083
(6) eap : Previous EAP request found for state 0xa8ad7918adc06083,
released from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : eaptls_verify returned 7
(6) eap_peap : Done initial handshake
(6) eap_peap : eaptls_process returned 7
(6) eap_peap : FR_TLS_OK
(6) eap_peap : Session established. Decoding tunneled attributes.
(6) eap_peap : Peap state WAITING FOR INNER IDENTITY
(6) eap_peap : Identity - steve
(6) eap_peap : Got inner identity 'steve'
(6) eap_peap : Setting default EAP type for tunneled EAP session.
(6) eap_peap : Got tunneled request
EAP-Message = 0x026d000a017374657665
server wifi {
(6) eap_peap : Setting User-Name to steve
Sending tunneled request
EAP-Message = 0x026d000a017374657665
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'steve'
server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) update control {
(6) Proxy-To-Realm := 'LOCAL'
(6) } # update control = noop
(6) eap : EAP packet type response id 109 length 10
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
[1m[33m(6) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does
not exist! Cancelling invalid proxy request.[0m
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap : Peer sent Identity (1)
(6) eap : Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2 : Issuing Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0x7fd644537fb85e09
(6) [eap] = handled
(6) } # authenticate = handled
} # server inner-tunnel
(6) eap_peap : Got tunneled reply code 11
EAP-Message =
0x016e001f1a016e001a1099100e6ba285ffc3d073d4e27ed041457374657665
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7fd644537fb85e0993bf77b0297ba359
(6) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x016e001f1a016e001a1099100e6ba285ffc3d073d4e27ed041457374657665
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7fd644537fb85e0993bf77b0297ba359
(6) eap_peap : Got tunneled Access-Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918aec36083
(6) [eap] = handled
(6) } # authenticate = handled
Sending Access-Challenge of id 6 from ::1 port 1812 to ::1 port 48165
EAP-Message =
0x016e005b19001703010050be2d19115eeec52f8ef7f3924d3e06b1414ac02b93abeabf9b93868a35a635cd8103f213946df5b276e49ebc329d332c3a8b0ea3910c655fe4cb333e2119dd2f87e0c0c816ea7a97744a0e1163a2c8c8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918aec360834e7c8f387fecd2a4
(6) Finished request 6.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=7, length=332
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message =
0x026e009019001703010020c6ef33f59aafabdcbc8e0606fce5b8186e58ff23be26cffd63bc3a9aaba245b61703010060ac4916496f2d9fc82d01c90f2a384f495bc5cad349a90215e8982b81e51084189924a9a22e85ab15c85bf058b0a8742ef055876f95cc446a8dcb0c20160408687c2f1b26e4badf300c802f146318c1cb1c9b2d5ed72aac629b0e3c411aa0aeb5
State = 0xa8ad7918aec360834e7c8f387fecd2a4
Message-Authenticator = 0xe81eb90fcfa5aaf86bf6c12d41a0fb73
(7) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(7) authorize {
(7) filter_username filter_username {
(7) ? if (User-Name != "%{tolower:%{User-Name}}")
(7) expand: "%{tolower:%{User-Name}}" -> 'steve'
(7) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) ? if (User-Name =~ / /)
(7) ? if (User-Name =~ / /) -> FALSE
(7) ? if (User-Name =~ /@.*@/ )
(7) ? if (User-Name =~ /@.*@/ ) -> FALSE
(7) ? if (User-Name =~ /\\.\\./ )
(7) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(7) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(7) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(7) ? if (User-Name =~ /\\.$/)
(7) ? if (User-Name =~ /\\.$/) -> FALSE
(7) ? if (User-Name =~ /(a)\\./)
(7) ? if (User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(7) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(7) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(7) [auth_log] = ok
(7) files : users: Matched entry steve at line 73
(7) [files] = ok
(7) ? if (control:wifi_key != "true")
(7) expand: "true" -> 'true'
(7) ? if (control:wifi_key != "true") -> FALSE
(7) eap : EAP packet type response id 110 length 144
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/wifi
(7) authenticate {
(7) eap : Expiring EAP session with state 0x7fd644537fb85e09
(7) eap : Finished EAP session with state 0xa8ad7918aec36083
(7) eap : Previous EAP request found for state 0xa8ad7918aec36083,
released from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes.
(7) eap_peap : Peap state phase2
(7) eap_peap : EAP type MSCHAPv2 (26)
(7) eap_peap : Got tunneled request
EAP-Message =
0x026e00401a026e003b31428de007ac0fdd2b2cceb02df8b1a42f0000000000000000fbc267c343bceaf89088ea12252a9bb2dcd001fc2d44b63b007374657665
server wifi {
(7) eap_peap : Setting User-Name to steve
Sending tunneled request
EAP-Message =
0x026e00401a026e003b31428de007ac0fdd2b2cceb02df8b1a42f0000000000000000fbc267c343bceaf89088ea12252a9bb2dcd001fc2d44b63b007374657665
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'steve'
State = 0x7fd644537fb85e0993bf77b0297ba359
server inner-tunnel {
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : EAP packet type response id 110 length 64
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) files : users: Matched entry steve at line 73
(7) [files] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) } # authorize = updated
[1m[33m(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does
not exist! Cancelling invalid proxy request.[0m
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Expiring EAP session with state 0x7fd644537fb85e09
(7) eap : Finished EAP session with state 0x7fd644537fb85e09
(7) eap : Previous EAP request found for state 0x7fd644537fb85e09,
released from the list
(7) eap : Peer sent MSCHAPv2 (26)
(7) eap : EAP MSCHAPv2 (26)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2 : Auth-Type MS-CHAP {
(7) mschap : Creating challenge hash with username: steve
(7) mschap : Client is using MS-CHAPv2 for steve, we need NT-Password
(7) mschap : adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(7) eap : New EAP session, adding 'State' attribute to reply
0x7fd644537eb95e09
(7) [eap] = handled
(7) } # authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
EAP-Message =
0x016f00331a036e002e533d31383634364643383531363741383643463942363038383739423942413331364333353331394638
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7fd644537eb95e0993bf77b0297ba359
(7) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x016f00331a036e002e533d31383634364643383531363741383643463942363038383739423942413331364333353331394638
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7fd644537eb95e0993bf77b0297ba359
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918afc26083
(7) [eap] = handled
(7) } # authenticate = handled
Sending Access-Challenge of id 7 from ::1 port 1812 to ::1 port 48165
EAP-Message =
0x016f008b19001703010080c56df7652dbf41fee6b4832b29090561a9fd805201afb233e16d79603cbaeb60b8a3f94a479bce399c00c3e88102df06050b5323c9a637591e8ba44a5432d66405fcb8defc54563ee88021742024f1db54b1563b7712336ac82a8e00b4ca6772e1af90cb871ce1f6c47c44abb26785bcfa666f5831f2fc182c75d9cfa4adfa6c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918afc260834e7c8f387fecd2a4
(7) Finished request 7.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=8, length=268
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message =
0x026f005019001703010020404ffa3d8eeb64f193cbd53ce3f076375e056bdfad2bd18e1872a531f0255d8d1703010020692b6b2267cca6f533fefe2ef002ffa43dc996478e67f0b5616525b6b42e6734
State = 0xa8ad7918afc260834e7c8f387fecd2a4
Message-Authenticator = 0x9e18d6688f17f7809fc45666b204cfae
(8) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(8) authorize {
(8) filter_username filter_username {
(8) ? if (User-Name != "%{tolower:%{User-Name}}")
(8) expand: "%{tolower:%{User-Name}}" -> 'steve'
(8) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(8) ? if (User-Name =~ / /)
(8) ? if (User-Name =~ / /) -> FALSE
(8) ? if (User-Name =~ /@.*@/ )
(8) ? if (User-Name =~ /@.*@/ ) -> FALSE
(8) ? if (User-Name =~ /\\.\\./ )
(8) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(8) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(8) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(8) ? if (User-Name =~ /\\.$/)
(8) ? if (User-Name =~ /\\.$/) -> FALSE
(8) ? if (User-Name =~ /(a)\\./)
(8) ? if (User-Name =~ /(a)\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(8) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(8) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(8) [auth_log] = ok
(8) files : users: Matched entry steve at line 73
(8) [files] = ok
(8) ? if (control:wifi_key != "true")
(8) expand: "true" -> 'true'
(8) ? if (control:wifi_key != "true") -> FALSE
(8) eap : EAP packet type response id 111 length 80
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/wifi
(8) authenticate {
(8) eap : Expiring EAP session with state 0x7fd644537eb95e09
(8) eap : Finished EAP session with state 0xa8ad7918afc26083
(8) eap : Previous EAP request found for state 0xa8ad7918afc26083,
released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x026f00061a03
server wifi {
(8) eap_peap : Setting User-Name to steve
Sending tunneled request
EAP-Message = 0x026f00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'steve'
State = 0x7fd644537eb95e0993bf77b0297ba359
server inner-tunnel {
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : EAP packet type response id 111 length 6
(8) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(8) [eap] = ok
(8) } # authorize = ok
[1m[33m(8) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does
not exist! Cancelling invalid proxy request.[0m
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0x7fd644537eb95e09
(8) eap : Finished EAP session with state 0x7fd644537eb95e09
(8) eap : Previous EAP request found for state 0x7fd644537eb95e09,
released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap : Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
[1m(8) Login OK: [steve] (from client localhost port 0 via TLS tunnel)[0m
(8) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) reply_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/reply-detail-20140423'
(8) reply_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/reply-detail-20140423
(8) reply_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(8) [reply_log] = ok
(8) } # post-auth = ok
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 2
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x2a51646e02232b7a173294c32b02f17d
MS-MPPE-Recv-Key = 0xfdfe6721674eb1149424aff2f50fc6d7
EAP-Message = 0x036f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'steve'
(8) eap_peap : Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x2a51646e02232b7a173294c32b02f17d
MS-MPPE-Recv-Key = 0xfdfe6721674eb1149424aff2f50fc6d7
EAP-Message = 0x036f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'steve'
(8) eap_peap : Tunneled authentication was successful.
(8) eap_peap : SUCCESS
(8) eap : New EAP session, adding 'State' attribute to reply
0xa8ad7918a0dd6083
(8) [eap] = handled
(8) } # authenticate = handled
Sending Access-Challenge of id 8 from ::1 port 1812 to ::1 port 48165
EAP-Message =
0x0170002b19001703010020661348a387664b2e5c94ba8323f1a67114ac711a1c4e04edfb13c9f820005322
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8ad7918a0dd60834e7c8f387fecd2a4
(8) Finished request 8.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=9, length=268
User-Name = 'steve'
NAS-IPv6-Address = ::1
Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '30-D6-C9-6C-44-4B'
Connect-Info = 'CONNECT 54Mbps 802.11g'
Acct-Session-Id = '53583CBF-00000000'
Framed-MTU = 1400
EAP-Message =
0x0270005019001703010020ae37a2e2decf022da362f42e0e65a167adb06bb829e50734034c82ed7f591f7c1703010020e9139a89dbb6bf66f2f6ec32d49e2be2a4359a5e31e09662e644e09cc5312b33
State = 0xa8ad7918a0dd60834e7c8f387fecd2a4
Message-Authenticator = 0xbc2e93f9e92baad2d86a265f15c2537a
(9) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(9) authorize {
(9) filter_username filter_username {
(9) ? if (User-Name != "%{tolower:%{User-Name}}")
(9) expand: "%{tolower:%{User-Name}}" -> 'steve'
(9) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(9) ? if (User-Name =~ / /)
(9) ? if (User-Name =~ / /) -> FALSE
(9) ? if (User-Name =~ /@.*@/ )
(9) ? if (User-Name =~ /@.*@/ ) -> FALSE
(9) ? if (User-Name =~ /\\.\\./ )
(9) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(9) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(9) ? if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(9) ? if (User-Name =~ /\\.$/)
(9) ? if (User-Name =~ /\\.$/) -> FALSE
(9) ? if (User-Name =~ /(a)\\./)
(9) ? if (User-Name =~ /(a)\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) auth_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(9) auth_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(9) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(9) [auth_log] = ok
(9) files : users: Matched entry steve at line 73
(9) [files] = ok
(9) ? if (control:wifi_key != "true")
(9) expand: "true" -> 'true'
(9) ? if (control:wifi_key != "true") -> FALSE
(9) eap : EAP packet type response id 112 length 80
(9) eap : Continuing tunnel setup.
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/wifi
(9) authenticate {
(9) eap : Expiring EAP session with state 0xa8ad7918a0dd6083
(9) eap : Finished EAP session with state 0xa8ad7918a0dd6083
(9) eap : Previous EAP request found for state 0xa8ad7918a0dd6083,
released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes.
(9) eap_peap : Peap state send tlv success
(9) eap_peap : Received EAP-TLV response.
(9) eap_peap : Success
[1m[33m(9) WARNING: eap_peap : No information to cache: session
caching will be disabled for session
63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a[0m
SSL: Removing session
63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a from
the cache
(9) eap : Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
[1m(9) Login OK: [steve] (from client localhost port 1 cli
30-D6-C9-6C-44-4B)[0m
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/wifi
(9) post-auth {
(9) remove_reply_message_if_eap remove_reply_message_if_eap {
(9) ? if (reply:EAP-Message && reply:Reply-Message)
(9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(9) else else {
(9) [noop] = noop
(9) } # else else = noop
(9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(9) } # post-auth = noop
Sending Access-Accept of id 9 from ::1 port 1812 to ::1 port 48165
MS-MPPE-Recv-Key =
0xdad7c775b865f270124273715d138d7c0cc248810d14fb66c6874cf11108813c
MS-MPPE-Send-Key =
0xd6f9da11a8547d1cb1da34c491e18a5ff2eb7e06a90cef54b47b2156f727ba7e
EAP-Message = 0x03700004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'steve'
(9) Finished request 9.
Waking up in 0.2 seconds.
Waking up in 4.5 seconds.
5
6
Hello,
I tried test FR 3.0.3. During parsing configuration files FR goes down
with segmentation fault. I'm using radsec tunnels. Used configuration
files are from previous git version.
/usr/sbin/freeradius -C
Segmentation fault
(gdb) run
Starting program: /usr/sbin/freeradius
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff71f5133 in CRYPTO_set_ex_data () from
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(gdb) bt
#0 0x00007ffff71f5133 in CRYPTO_set_ex_data () from
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#1 0x00000000004331ae in init_tls_ctx (conf=conf@entry=0x821700,
client=client@entry=1) at src/main/tls.c:2009
#2 0x0000000000436ef7 in tls_client_conf_parse (cs=cs@entry=0x846dd0) at
src/main/tls.c:2484
#3 0x000000000042ef68 in home_server_add (rc=rc@entry=0x81d4a0,
cs=cs@entry=0x845ec0) at src/main/realms.c:663
#4 0x0000000000430cbb in realms_init (config=config@entry=0x65eb00) at
src/main/realms.c:1885
#5 0x000000000041b841 in mainconfig_init () at src/main/mainconfig.c:919
#6 0x000000000040e6ec in main (argc=1, argv=0x7fffffffec88) at
src/main/radiusd.c:331
/usr/sbin/freeradius -X
freeradius: FreeRADIUS Version 3.0.3 (git #8a79342), for host
x86_64-pc-linux-gnu, built on Apr 22 2014 at 13:10:22
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/ldap
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/eap
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/tls
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
msg_badpass = "bad_pass: "
msg_goodpass = "good_pass: "
colourise = no
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server tls {
ipaddr = radius1.eduroam.cz IP address [195.113.187.22]
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 300
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/radius.key"
certificate_file = "/etc/freeradius/certs/radius.crt"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 8192
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
Segmentation fault
Previous version works almost well.
Thanks for tips Pavel Polacek
--
Pavel Polacek tel: +420 47 528 6253
Oddeleni spravy site email: pavel.polacek(a)ujep.cz
Centrum Informatiky
Pasteurova 1
400 01 Usti nad Labem
**********************************************************
* starnem a porad nic, rozum jako kdyby se nam vyhybal *
**********************************************************
2
5
*Hello Guys,I am using radclient to logout users with the command belowecho
"User-Name='{username}'" | radclient -x {localhost}:{port} disconnect
radiusSecret this works fine except that the port number changes from time
to time and i have to manually edit the port number for the logout
mechanism to work everytime.Could you please tell, if its possible to set a
static port number or if that is not possible, a better way to execute
logout command on FreeRADIUS to logout user. I will appreciate it. *
*RM --**Thanks*
5
5