Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2014
- 105 participants
- 190 discussions
Hi,
I want to ask something about simtriplets.dat file
IMSI, RAND, SRES, KC
in users file format's like
user check,
reply,
reply,
reply
so what's in the simtriplets.dat is just about the code number or have any
format too?
thank you
hasan
2
3
Hello,
I'm working to setup a proxy load balance to 3 production RADIUS servers
from a CentOS server running freeradius 2.1.12. I believe I have the
proxy.conf file setup correctly but there seems to be no load balancing.
All the requests are going to one of the three servers. I have attached
the proxy.conf file and also the radius debug. I don't see any errors, it
just appears the client-balance is not working. Clients are using MAB and
are matching the NULL realm. I have looked through all the past posts and
can't seem to find an answer. Am I missing something in my configuration?
Thanks.
# -*- text -*-
##
## proxy.conf -- proxy radius and realm configuration directives
##
## $Id$
#######################################################################
#
# Proxy server configuration
#
proxy server {
default_fallback = no
}
home_server server0007 {
type = auth+acct
ipaddr = xxx.xxx.xxx.150
port = 1812
secret = secret
}
home_server server0011 {
type = auth+acct
ipaddr = xxx.xxx.xxx.152
port = 1812
secret = secret
}
home_server server0012 {
type = auth+acct
ipaddr = xxx.xxx.xxx.153
port = 1812
secret = secret
}
home_server localhost {
type = auth
ipaddr = 127.0.0.1
port = 1812
secret = secret
require_message_authenticator = yes
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
max_outstanding = 65536
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool auth_loadbalance {
type = client-balance
home_server = server0007
home_server = server0011
home_server = server0012
}
realm example.com {
pool = auth_loadbalance
}
realm LOCAL {
}
realm NULL {
type = radius
pool = auth_loadbalance
secret = secret
}
realm DEFAULT {
type = radius
pool = auth_loadbalance
secret = secret
}
______________________________________________________________
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct
3 2012 at 01:22:51
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/SAConnector
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server server0007 {
ipaddr = xxx.xxx.xxx.150
port = 1812
type = "auth+acct"
secret = "secret"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server server0011 {
ipaddr = xxx.xxx.xxx.152
port = 1812
type = "auth+acct"
secret = "secret"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server server0012 {
ipaddr = xxx.xxx.xxx.153
port = 1812
type = "auth+acct"
secret = "secret"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server_pool auth_loadbalance {
type = client-balance
home_server = server0007
home_server = server0011
home_server = server0012
}
realm example.com {
pool = auth_loadbalance
}
realm LOCAL {
}
realm NULL {
pool = auth_loadbalance
WARNING: Ignoring old-style configuration entry "secret" in realm "NULL"
}
realm DEFAULT {
pool = auth_loadbalance
WARNING: Ignoring old-style configuration entry "secret" in realm "DEFAULT"
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "secret"
nastype = "other"
}
client xxx.xxx.xxx.116 {
require_message_authenticator = no
secret = "secret"
shortname = "shortname"
}
client xxx.xxx.xxx.137 {
require_message_authenticator = no
secret = "secret"
shortname = "othershortname"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
... adding new socket proxy address * port 54463
... adding new socket proxy address * port 56731
... adding new socket proxy address * port 42048
... adding new socket proxy address * port 37161
... adding new socket proxy address * port 38652
... adding new socket proxy address * port 46065
Listening on authentication address * port 1812
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
3
5
Hi,
I'm trying to configure freeradius to authenticate on ldap used by
samba (i.e. with sambaLmPassword/sambaNmPassword fields as well as
userPassword.
I read many docs but could not end up with a solution.
Freeradius runs on Debian Wheeze and is rel 2.1.12.
I arrived to the pont that radtest authenticate my account but winXP
won't (but will authenticate a user with Cleartext password in 'users' file).
The main doubt I have are on Auth-Type.
reading [1] and many other I see suggested:
DEFAULT Auth-Type := LDAP
Fall-Through = 1
Thought [1] and [2] warn that that only works when supplicant provides
a User-Password attribute.
I also tried to comment out the DEFAULT Auth-Type w/o success.
I tried on the wiki the bounces here [3] but it refers explicitly to
version 3.
I woudl really appreciate a hint, maybe the "final" howto or just an
explanation on which settings should I use.
TIA
sandro
*:-)
[1] http://vuksan.com/linux/dot1x/802-1x-LDAP.html
[2] http://networkradius.com/doc/FreeRADIUS-Implementation-Ch5.pdf
[3] http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication…
1
0
Hi,
I inherited freeradius 1.1.3 on RHEL 5.5 working with our kerberos and first tried to understand how it was setup but looking at the freeradius site and docs I decided that I should really upgrade.
Removed freeradius, installed via yum: freeradius2-2.1.12-5.el5, freeradius2-utils-2.1.12-5.el5, freeradius2-krb5-2.1.12-5.el5
Followed http://lists.freeradius.org/pipermail/freeradius-users/2012-December/064375… and was able to do a localhost radtest successfully using my actual username and password, which confirmed to me that radius was authenticating correctly via our kerberos server. However when I try with an actual wireless network, it doesn't work. I've also looked at https://www.eduroam.us/node/45 and tried to follow that except for the proxy stuff, I'm not sure if that is needed.
Here are my configs:
/etc/raddb/modules/krb5:
krb5 {
keytab = /etc/krb5.keytab
service_principal = myserver/myserver.domain
}
Added kerberos after pap in /etc/raddb/sites-available/default:
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Kerberos stuff
Auth-Type Kerberos {
krb5
}
Similarly added kerberos in /etc/raddb/sites-available/inner-tunnel:
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
# Kerberos stuff
Auth-Type Kerberos {
krb5
}
Modified eap.conf to:
default_eap_type = ttls
copy_request_to_tunnel = yes
use_tunneled_reply = yes
Added as first entry to users file:
DEFAULT Auth-Type = Kerberos
Fall-Through = 1
Added our Aruba controller to clients.conf:
client ARUBA {
ipaddr = x.x.x.x
secret = mysecret
shortname = myssid
}
Ran radiusd -xxx, here's the log:
Wed Sep 17 04:29:25 2014 : Debug: Re-wait 4
Wed Sep 17 04:29:25 2014 : Debug: Re-wait 3
Wed Sep 17 04:29:25 2014 : Debug: Listening on authentication address * port 1812
Wed Sep 17 04:29:25 2014 : Debug: Listening on accounting address * port 1813
Wed Sep 17 04:29:25 2014 : Debug: Listening on command file /var/run/radiusd/radiusd.sock
Wed Sep 17 04:29:25 2014 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Wed Sep 17 04:29:25 2014 : Debug: Listening on proxy address * port 1814
Wed Sep 17 04:29:25 2014 : Info: Ready to process requests.
Wed Sep 17 04:29:25 2014 : Debug: Re-wait 2
Wed Sep 17 04:30:19 2014 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Sep 17 04:30:19 2014 : Debug: Waking up in 0.9 seconds.
Wed Sep 17 04:30:19 2014 : Debug: Thread 1 got semaphore
Wed Sep 17 04:30:19 2014 : Debug: Thread 1 handling request 0, (1 handled so far)
Wed Sep 17 04:30:19 2014 : Info: [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: [<thread>] +- entering group authorize {...}
Wed Sep 17 04:30:19 2014 : Info: ++[preprocess] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[chap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[digest] returns noop
Wed Sep 17 04:30:19 2014 : Info: [suffix] No '@' in User-Name = "xxxxx", looking up realm NULL
Wed Sep 17 04:30:19 2014 : Info: [suffix] No such realm "NULL"
Wed Sep 17 04:30:19 2014 : Info: ++[suffix] returns noop
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP packet type response id 1 length 11
Wed Sep 17 04:30:19 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns updated
Wed Sep 17 04:30:19 2014 : Info: [files] users: Matched entry DEFAULT at line 143
Wed Sep 17 04:30:19 2014 : Info: ++[files] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[expiration] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[logintime] returns noop
Wed Sep 17 04:30:19 2014 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Sep 17 04:30:19 2014 : Info: ++[pap] returns noop
Wed Sep 17 04:30:19 2014 : Info: Found Auth-Type = EAP
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: +- entering group authenticate {...}
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP Identity
Wed Sep 17 04:30:19 2014 : Info: [eap] processing type tls
Wed Sep 17 04:30:19 2014 : Info: [tls] Initiate
Wed Sep 17 04:30:19 2014 : Info: [tls] Start returned 1
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns handled
Wed Sep 17 04:30:19 2014 : Info: Finished request 0.
Wed Sep 17 04:30:19 2014 : Debug: Going to the next request
Wed Sep 17 04:30:19 2014 : Debug: Thread 1 waiting to be assigned a request
Wed Sep 17 04:30:19 2014 : Debug: Waking up in 0.9 seconds.
Wed Sep 17 04:30:19 2014 : Debug: Thread 5 got semaphore
Wed Sep 17 04:30:19 2014 : Debug: Thread 5 handling request 1, (1 handled so far)
Wed Sep 17 04:30:19 2014 : Info: [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: [<thread>] +- entering group authorize {...}
Wed Sep 17 04:30:19 2014 : Info: ++[preprocess] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[chap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[digest] returns noop
Wed Sep 17 04:30:19 2014 : Info: [suffix] No '@' in User-Name = "xxxx", looking up realm NULL
Wed Sep 17 04:30:19 2014 : Info: [suffix] No such realm "NULL"
Wed Sep 17 04:30:19 2014 : Info: ++[suffix] returns noop
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP packet type response id 2 length 166
Wed Sep 17 04:30:19 2014 : Info: [eap] Continuing tunnel setup.
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns ok
Wed Sep 17 04:30:19 2014 : Info: Found Auth-Type = EAP
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: +- entering group authenticate {...}
Wed Sep 17 04:30:19 2014 : Info: [eap] Request found, released from the list
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP/ttls
Wed Sep 17 04:30:19 2014 : Info: [eap] processing type ttls
Wed Sep 17 04:30:19 2014 : Info: [ttls] Authenticate
Wed Sep 17 04:30:19 2014 : Info: [ttls] processing EAP-TLS
Wed Sep 17 04:30:19 2014 : Debug: TLS Length 156
Wed Sep 17 04:30:19 2014 : Info: [ttls] Length Included
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_verify returned 11
Wed Sep 17 04:30:19 2014 : Info: [ttls] (other): before/accept initialization
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: before/accept initialization
Wed Sep 17 04:30:19 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0097], ClientHello
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 read client hello A
Wed Sep 17 04:30:19 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 write server hello A
Wed Sep 17 04:30:19 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 write certificate A
Wed Sep 17 04:30:19 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 write server done A
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 flush data
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Sep 17 04:30:19 2014 : Debug: In SSL Handshake Phase
Wed Sep 17 04:30:19 2014 : Debug: In SSL Accept mode
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_process returned 13
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns handled
Wed Sep 17 04:30:19 2014 : Info: Finished request 1.
Wed Sep 17 04:30:19 2014 : Debug: Going to the next request
Wed Sep 17 04:30:19 2014 : Debug: Thread 5 waiting to be assigned a request
Wed Sep 17 04:30:19 2014 : Debug: Waking up in 0.9 seconds.
Wed Sep 17 04:30:19 2014 : Debug: Thread 4 got semaphore
Wed Sep 17 04:30:19 2014 : Debug: Thread 4 handling request 2, (1 handled so far)
Wed Sep 17 04:30:19 2014 : Info: [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: [<thread>] +- entering group authorize {...}
Wed Sep 17 04:30:19 2014 : Info: ++[preprocess] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[chap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[digest] returns noop
Wed Sep 17 04:30:19 2014 : Info: [suffix] No '@' in User-Name = "xxxx", looking up realm NULL
Wed Sep 17 04:30:19 2014 : Info: [suffix] No such realm "NULL"
Wed Sep 17 04:30:19 2014 : Info: ++[suffix] returns noop
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP packet type response id 3 length 6
Wed Sep 17 04:30:19 2014 : Info: [eap] Continuing tunnel setup.
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns ok
Wed Sep 17 04:30:19 2014 : Info: Found Auth-Type = EAP
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: +- entering group authenticate {...}
Wed Sep 17 04:30:19 2014 : Info: [eap] Request found, released from the list
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP/ttls
Wed Sep 17 04:30:19 2014 : Info: [eap] processing type ttls
Wed Sep 17 04:30:19 2014 : Info: [ttls] Authenticate
Wed Sep 17 04:30:19 2014 : Info: [ttls] processing EAP-TLS
Wed Sep 17 04:30:19 2014 : Info: [ttls] Received TLS ACK
Wed Sep 17 04:30:19 2014 : Info: [ttls] ACK handshake fragment handler
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_verify returned 1
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_process returned 13
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns handled
Wed Sep 17 04:30:19 2014 : Info: Finished request 2.
Wed Sep 17 04:30:19 2014 : Debug: Going to the next request
Wed Sep 17 04:30:19 2014 : Debug: Thread 4 waiting to be assigned a request
Wed Sep 17 04:30:19 2014 : Debug: Waking up in 0.9 seconds.
Wed Sep 17 04:30:19 2014 : Debug: Thread 3 got semaphore
Wed Sep 17 04:30:19 2014 : Debug: Thread 3 handling request 3, (1 handled so far)
Wed Sep 17 04:30:19 2014 : Info: [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: [<thread>] +- entering group authorize {...}
Wed Sep 17 04:30:19 2014 : Info: ++[preprocess] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[chap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[digest] returns noop
Wed Sep 17 04:30:19 2014 : Info: [suffix] No '@' in User-Name = "xxxx", looking up realm NULL
Wed Sep 17 04:30:19 2014 : Info: [suffix] No such realm "NULL"
Wed Sep 17 04:30:19 2014 : Info: ++[suffix] returns noop
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP packet type response id 4 length 6
Wed Sep 17 04:30:19 2014 : Info: [eap] Continuing tunnel setup.
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns ok
Wed Sep 17 04:30:19 2014 : Info: Found Auth-Type = EAP
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: +- entering group authenticate {...}
Wed Sep 17 04:30:19 2014 : Info: [eap] Request found, released from the list
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP/ttls
Wed Sep 17 04:30:19 2014 : Info: [eap] processing type ttls
Wed Sep 17 04:30:19 2014 : Info: [ttls] Authenticate
Wed Sep 17 04:30:19 2014 : Info: [ttls] processing EAP-TLS
Wed Sep 17 04:30:19 2014 : Info: [ttls] Received TLS ACK
Wed Sep 17 04:30:19 2014 : Info: [ttls] ACK handshake fragment handler
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_verify returned 1
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_process returned 13
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns handled
Wed Sep 17 04:30:19 2014 : Info: Finished request 3.
Wed Sep 17 04:30:19 2014 : Debug: Going to the next request
Wed Sep 17 04:30:19 2014 : Debug: Thread 3 waiting to be assigned a request
Wed Sep 17 04:30:19 2014 : Debug: Waking up in 0.9 seconds.
Wed Sep 17 04:30:19 2014 : Debug: Thread 2 got semaphore
Wed Sep 17 04:30:19 2014 : Debug: Thread 2 handling request 4, (1 handled so far)
Wed Sep 17 04:30:19 2014 : Info: [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: [<thread>] +- entering group authorize {...}
Wed Sep 17 04:30:19 2014 : Info: ++[preprocess] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[chap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[digest] returns noop
Wed Sep 17 04:30:19 2014 : Info: [suffix] No '@' in User-Name = "xxxx", looking up realm NULL
Wed Sep 17 04:30:19 2014 : Info: [suffix] No such realm "NULL"
Wed Sep 17 04:30:19 2014 : Info: ++[suffix] returns noop
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP packet type response id 5 length 253
Wed Sep 17 04:30:19 2014 : Info: [eap] Continuing tunnel setup.
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns ok
Wed Sep 17 04:30:19 2014 : Info: Found Auth-Type = EAP
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: +- entering group authenticate {...}
Wed Sep 17 04:30:19 2014 : Info: [eap] Request found, released from the list
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP/ttls
Wed Sep 17 04:30:19 2014 : Info: [eap] processing type ttls
Wed Sep 17 04:30:19 2014 : Info: [ttls] Authenticate
Wed Sep 17 04:30:19 2014 : Info: [ttls] processing EAP-TLS
Wed Sep 17 04:30:19 2014 : Debug: TLS Length 326
Wed Sep 17 04:30:19 2014 : Info: [ttls] Length Included
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_verify returned 11
Wed Sep 17 04:30:19 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 read client key exchange A
Wed Sep 17 04:30:19 2014 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
Wed Sep 17 04:30:19 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 read finished A
Wed Sep 17 04:30:19 2014 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 write change cipher spec A
Wed Sep 17 04:30:19 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0010], Finished
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 write finished A
Wed Sep 17 04:30:19 2014 : Info: [ttls] TLS_accept: SSLv3 flush data
Wed Sep 17 04:30:19 2014 : Info: [ttls] (other): SSL negotiation finished successfully
Wed Sep 17 04:30:19 2014 : Debug: SSL Connection Established
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_process returned 13
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns handled
Wed Sep 17 04:30:19 2014 : Info: Finished request 4.
Wed Sep 17 04:30:19 2014 : Debug: Going to the next request
Wed Sep 17 04:30:19 2014 : Debug: Thread 2 waiting to be assigned a request
Wed Sep 17 04:30:19 2014 : Debug: Waking up in 0.8 seconds.
Wed Sep 17 04:30:19 2014 : Debug: Thread 1 got semaphore
Wed Sep 17 04:30:19 2014 : Debug: Thread 1 handling request 5, (2 handled so far)
Wed Sep 17 04:30:19 2014 : Info: [<thread>] # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: [<thread>] +- entering group authorize {...}
Wed Sep 17 04:30:19 2014 : Info: ++[preprocess] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[chap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[digest] returns noop
Wed Sep 17 04:30:19 2014 : Info: [suffix] No '@' in User-Name = "xxxx", looking up realm NULL
Wed Sep 17 04:30:19 2014 : Info: [suffix] No such realm "NULL"
Wed Sep 17 04:30:19 2014 : Info: ++[suffix] returns noop
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP packet type response id 6 length 159
Wed Sep 17 04:30:19 2014 : Info: [eap] Continuing tunnel setup.
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns ok
Wed Sep 17 04:30:19 2014 : Info: Found Auth-Type = EAP
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: +- entering group authenticate {...}
Wed Sep 17 04:30:19 2014 : Info: [eap] Request found, released from the list
Wed Sep 17 04:30:19 2014 : Info: [eap] EAP/ttls
Wed Sep 17 04:30:19 2014 : Info: [eap] processing type ttls
Wed Sep 17 04:30:19 2014 : Info: [ttls] Authenticate
Wed Sep 17 04:30:19 2014 : Info: [ttls] processing EAP-TLS
Wed Sep 17 04:30:19 2014 : Debug: TLS Length 149
Wed Sep 17 04:30:19 2014 : Info: [ttls] Length Included
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_verify returned 11
Wed Sep 17 04:30:19 2014 : Info: [ttls] eaptls_process returned 7
Wed Sep 17 04:30:19 2014 : Info: [ttls] Session established. Proceeding to decode tunneled attributes.
Wed Sep 17 04:30:19 2014 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
Wed Sep 17 04:30:19 2014 : Info: +- entering group authorize {...}
Wed Sep 17 04:30:19 2014 : Info: ++[chap] returns noop
Wed Sep 17 04:30:19 2014 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns ok
Wed Sep 17 04:30:19 2014 : Info: [suffix] No '@' in User-Name = "xxxx", looking up realm NULL
Wed Sep 17 04:30:19 2014 : Info: [suffix] No such realm "NULL"
Wed Sep 17 04:30:19 2014 : Info: ++[suffix] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[control] returns noop
Wed Sep 17 04:30:19 2014 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns noop
Wed Sep 17 04:30:19 2014 : Info: [files] users: Matched entry DEFAULT at line 143
Wed Sep 17 04:30:19 2014 : Info: ++[files] returns ok
Wed Sep 17 04:30:19 2014 : Info: ++[expiration] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[logintime] returns noop
Wed Sep 17 04:30:19 2014 : Info: ++[pap] returns noop
Wed Sep 17 04:30:19 2014 : Info: Found Auth-Type = MSCHAP
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
Wed Sep 17 04:30:19 2014 : Info: +- entering group MS-CHAP {...}
Wed Sep 17 04:30:19 2014 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Wed Sep 17 04:30:19 2014 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Wed Sep 17 04:30:19 2014 : Info: [mschap] Creating challenge hash with username: xxxx
Wed Sep 17 04:30:19 2014 : Info: [mschap] Told to do MS-CHAPv2 for xxxx with NT-Password
Wed Sep 17 04:30:19 2014 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
Wed Sep 17 04:30:19 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Wed Sep 17 04:30:19 2014 : Info: ++[mschap] returns reject
Wed Sep 17 04:30:19 2014 : Info: Failed to authenticate the user.
Wed Sep 17 04:30:19 2014 : Info: [ttls] Got tunneled Access-Reject
Wed Sep 17 04:30:19 2014 : Info: [eap] Handler failed in EAP/ttls
Wed Sep 17 04:30:19 2014 : Info: [eap] Failed in EAP select
Wed Sep 17 04:30:19 2014 : Info: ++[eap] returns invalid
Wed Sep 17 04:30:19 2014 : Info: Failed to authenticate the user.
Wed Sep 17 04:30:19 2014 : Info: Using Post-Auth-Type Reject
Wed Sep 17 04:30:19 2014 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 17 04:30:19 2014 : Info: +- entering group REJECT {...}
Wed Sep 17 04:30:19 2014 : Info: [attr_filter.access_reject] expand: %{User-Name} -> xxxx
Wed Sep 17 04:30:19 2014 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Sep 17 04:30:19 2014 : Info: ++[attr_filter.access_reject] returns updated
Wed Sep 17 04:30:19 2014 : Info: Delaying reject of request 5 for 1 seconds
Wed Sep 17 04:30:19 2014 : Debug: Going to the next request
Wed Sep 17 04:30:19 2014 : Debug: Thread 1 waiting to be assigned a request
Wed Sep 17 04:30:20 2014 : Info: Sending delayed reject for request 5
Wed Sep 17 04:30:20 2014 : Debug: Waking up in 3.8 seconds.
Wed Sep 17 04:30:24 2014 : Info: Cleaning up request 0 ID 57 with timestamp +54
Wed Sep 17 04:30:24 2014 : Info: Cleaning up request 1 ID 58 with timestamp +54
Wed Sep 17 04:30:24 2014 : Info: Cleaning up request 2 ID 59 with timestamp +54
Wed Sep 17 04:30:24 2014 : Info: Cleaning up request 3 ID 60 with timestamp +54
Wed Sep 17 04:30:24 2014 : Info: Cleaning up request 4 ID 61 with timestamp +54
Wed Sep 17 04:30:24 2014 : Debug: Waking up in 1.0 seconds.
Wed Sep 17 04:30:25 2014 : Info: Cleaning up request 5 ID 62 with timestamp +54
Wed Sep 17 04:30:25 2014 : Info: Ready to process requests.
The wireless network is served from an Aruba controller which works fine with a windows radius server using AD authentication (for a diff SSID)
I can't say that I have looked through the list messages entirely but have spent reasonable time looking at different threads and reading radius docs, if I have still missed something obvious I apologize in advance.
Any help/suggestion/advice would be greatly appreciated.
Thanks
-uzee
1
0
Hi everyone,
I have installed freeradius(mysql module) vpn(pptp) servers.
The vpn users are authenticated by username and password in radcheck table,
but not specified a IP address.
In my servers, there are multiple IP address.
When use vpn, my computer shows a constant IP with all vpn accounts.
How can i specify IP for vpn accounts?
What i want is that different vpn users use different IP address.
Could anyone help me?
--
Best regards,
2
9
Hi all,
It was previously mentioned on the list (by Arran) that:
> Just to note that adding IP ranges dynamically does work in v3.0.x.
> The check is then relaxed to ensure the src IP address is in the range
which was just added.
I'd really like to get his working.
So I've converted my config to v3, installed the release v3.0.4 and with
read_clients = no, I've setup my dynamic-clients server thus:
server vs3001 {
listen {
ipaddr = *
port = 3001
type = auth
}
client dynamic_all_3001 {
ipaddr = 0.0.0.0/0
dynamic_clients = dynamic_client_server
lifetime = 3600
}
...
}
server dynamic_client_server {
authorize {
if ("%{sql:SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}") {
update control {
FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
FreeRADIUS-Client-Shortname = "%{sql: SELECT nasname FROM
nas WHERE udp_port = %{Packet-Dst-Port} LIMIT 1}"
FreeRADIUS-Client-Secret = "%{sql: SELECT secret FROM nas
WHERE udp_port = %{Packet-Dst-Port} LIMIT 1}"
FreeRADIUS-Client-Virtual-Server = "%{sql: SELECT server
FROM nas WHERE udp_port = %{Packet-Dst-Port} LIMIT 1}"
FreeRADIUS-Client-NAS-Type = "other"
}
}
ok
}
}
With a nas table that looks like:
nasname secret server udp_port
==========================================
0.0.0.0/1, testing1 vs3001 3001
128.0.0.0/1 testing1 vs3001 3001
When I test from another host, I get:
Received Access-Request Id 8 from 10.0.0.2:48920 to 10.0.0.3:3001 length 86
server dynamic_client_server {
...
(0) EXPAND %{sql:SELECT nasname FROM nas WHERE udp_port = %{Packet-Dst-Port}
LIMIT 1}
(0) --> 128.0.0.0/1
...
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 10.0.0.2
(0) FreeRADIUS-Client-IP-Address = 10.0.0.2
...
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}
(0) --> 128.0.0.0/1
(0) FreeRADIUS-Client-Shortname = "128.0.0.0/1"
...
(0) EXPAND %{sql: SELECT secret FROM nas WHERE udp_port = %{Packet-Dst-Port}
LIMIT 1}
(0) --> testing1
(0) FreeRADIUS-Client-Secret = "testing1"
...
(0) EXPAND %{sql: SELECT server FROM nas WHERE udp_port = %{Packet-Dst-Port}
LIMIT 1}
(0) --> vs3001
(0) FreeRADIUS-Client-Virtual-Server = "vs3001"
(0) FreeRADIUS-Client-NAS-Type = 'other'
...
} # server dynamic_client_server
- Added client 10.0.0.2 with shared secret testing1
So it's adding the client by just its single source IP address, not the CIDR
network it gets from SQL.
This is backed up by radmin with:
radmin> show client list
0.0.0.0/0
10.0.0.2
So how do you setup the dynamic-clients server fields to load the CIDR
network entry?
They load perfectly with read_clients = yes, but not with dynamic-clients.
If I set FreeRADIUS-Client-IP-Address to anything other than the source IP
address of the packet (here it's set to nasname), I get an unknown client
error:
(0) EXPAND %{sql: SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}
(0) --> 128.0.0.0/1
(0) } # update control = fail
(0) } # if ("%{sql:SELECT nasname FROM nas WHERE udp_port =
%{Packet-Dst-Port} LIMIT 1}") = fail
(0) } # authorize = fail
} # server dynamic_client_server
Ignoring request to auth address * port 3001 as server vs3001 from unknown
client 10.0.0.2 port 58887 proto udp
But of course I was expecting that! :-)
Also, can or would it be would it be possible, for radmin to show the
virtual server that a client is associated with?
Cheers very much all, I'm so close to the final config I'm after!!!
Kev/.
3
8
I was fighting a problems with a specific user authentication to our radius server, and I discovered that any username that contains a underscore will fail. The user "ipad_user" will fail with the error message "NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)". This error can be seen in the radius output, and also when you use the command "ntlm_auth --username="ipad_user"". If you use the user "ipadcart" then it will work without any problems. This is true for freeradius and using the ntlm_auth command.
So, I get the following when the user has an underscore in the name
ntlm_auth --username="ipad_user"
Password:
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
And I get this when the user does not have an underscore.
ntlm_auth --username="ipadcart"
Password:
NT_STATUS_OK: Success (0x0)
I have been unable to find anything useful online. Any help is appreciated.
Here is the full debug output
freeradius -X
freeradius: FreeRADIUS Version 3.0.3, for host x86_64-pc-linux-gnu, built on Jun 3 2014 at 09:56:35
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/ldap
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/utf8
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/cui
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 60
cleanup_delay = 15
max_requests = 90240
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
WARNING: Ignoring "cleanup_delay = 15", forcing to "cleanup_delay = 10"
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client SERVER {
ipaddr = IP
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client SERVER {
ipaddr = IP
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client internal_networks {
ipaddr = 10.0.0.0
netmask = 8
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 90240
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/SERVER-key.pem"
certificate_file = "/etc/freeradius/certs/SERVER-cert.pem"
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_radutmp
# Instantiating module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_detail
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/freeradius/mods-enabled/dhcp
# Loaded module rlm_exec
# Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=OUR.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Loaded module rlm_files
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
usersfile = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/freeradius/mods-config/files/authorize
[/etc/freeradius/mods-config/files/authorize]:1 Cistron compatibility checks for entry rad-test ...
[/etc/freeradius/mods-config/files/authorize]:177 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/mods-config/files/authorize
[/etc/freeradius/mods-config/files/authorize]:1 Cistron compatibility checks for entry rad-test ...
[/etc/freeradius/mods-config/files/authorize]:177 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-OUR.DOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
}
allow_retry = yes
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_ldap
# Instantiating module "ldap" from file /etc/freeradius/mods-enabled/ldap
ldap {
server = "SERVER"
port = 389
password = <<< secret >>>
identity = "SERVER_USER"
user {
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}})"
scope = "sub"
base_dn = "dc=OUR,dc=DOMAIN"
access_positive = yes
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
base_dn = "dc=OUR,dc=DOMAIN"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "dc=Our,dc=DOMAIN"
attribute {
identifier = "radiusClientIdentifier"
shortname = "cn"
secret = "radiusClientSecret"
}
}
profile {
filter = "(&)"
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = yes
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 2
min = 1
max = 32
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0)
rlm_ldap (ldap): Connecting to ad-ttc.OUR.DOMAIN:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1)
rlm_ldap (ldap): Connecting to ad-ttc.OUR.DOMAIN:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = yes
}
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/freeradius/mods-enabled/utf8
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Creating Auth-Type = ntlm_auth
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = 10.59.5.21
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = 10.59.5.21
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address 10.59.5.21 port 1812 as server default
Listening on acct address 10.59.5.21 port 1813 as server default
Ready to process requests.
Received Access-Request Id 32 from 10.254.3.37:1028 to 10.59.5.21:1812 length 157
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
Attr-26 = 0x000026ef030302
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026a000e01697061645f75736572
Message-Authenticator = 0x36e0a70138e28e2b0df65482f314b04d
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /(a)\\./)
(0) if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [files] = noop
(0) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(0) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(0) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(0) auth_log : EXPAND %t
(0) auth_log : --> Tue Sep 16 19:39:07 2014
(0) [auth_log] = ok
(0) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(0) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(0) eap : EAP packet type response id 106 length 14
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995e65b4d0
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 32 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016b00160410ba0c46d38201a0b1ae3f9a1beb34eecf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995e65b4d079be2e2bed2a9ad7
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 33 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026b00060319
State = 0x5e0eb0995e65b4d079be2e2bed2a9ad7
Message-Authenticator = 0x24a3b47dacac1729ecf96b6e3b058b5a
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (User-Name =~ / /)
(1) if (User-Name =~ / /) -> FALSE
(1) if (User-Name =~ /@.*@/ )
(1) if (User-Name =~ /@.*@/ ) -> FALSE
(1) if (User-Name =~ /\\.\\./ )
(1) if (User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (User-Name =~ /\\.$/)
(1) if (User-Name =~ /\\.$/) -> FALSE
(1) if (User-Name =~ /(a)\\./)
(1) if (User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [files] = noop
(1) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(1) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(1) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(1) auth_log : EXPAND %t
(1) auth_log : --> Tue Sep 16 19:39:07 2014
(1) [auth_log] = ok
(1) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(1) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(1) eap : EAP packet type response id 107 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) if (!control:Auth-Type)
(1) if (!control:Auth-Type) -> FALSE
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x5e0eb0995e65b4d0
(1) eap : Finished EAP session with state 0x5e0eb0995e65b4d0
(1) eap : Previous EAP request found for state 0x5e0eb0995e65b4d0, released from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995f62a9d0
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 33 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995f62a9d079be2e2bed2a9ad7
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 34 from 10.254.3.37:1028 to 10.59.5.21:1812 length 304
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026c009819800000008e16030100890100008503015418cb224c770a89f15523465c78b28bfcc51dced6f18ca0e8d41b350081bb7200004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0x5e0eb0995f62a9d079be2e2bed2a9ad7
Message-Authenticator = 0x9d042cf64a65bf6aa380c7ff22288054
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /(a)\\./)
(2) if (User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [files] = noop
(2) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(2) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(2) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(2) auth_log : EXPAND %t
(2) auth_log : --> Tue Sep 16 19:39:07 2014
(2) [auth_log] = ok
(2) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(2) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(2) eap : EAP packet type response id 108 length 152
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x5e0eb0995f62a9d0
(2) eap : Finished EAP session with state 0x5e0eb0995f62a9d0
(2) eap : Previous EAP request found for state 0x5e0eb0995f62a9d0, released from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
TLS Length 142
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap : (other): before/accept initialization
(2) eap_peap : TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 0089], ClientHello
(2) eap_peap : TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap : TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 07ca], Certificate
(2) eap_peap : TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange
(2) eap_peap : TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap : TLS_accept: SSLv3 write server done A
(2) eap_peap : TLS_accept: SSLv3 flush data
(2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995c63a9d0
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge Id 34 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016d03ec19c000000a8616030100590200005503010d71f8bdca932f06e56b1725944868283f4d1f8f7b434a12b3dc0ed127a246a62023feab224052f9fe4eab7f184821ed75bef8bf597694768eb27f73579bc82fffc01400000dff01000100000b00040300010216030107ca0b0007c60007c30007c0308207bc308205a4a003020102020200b1300d06092a864886f70d01010505003081ba310b30090603550406130275733111300f060355040813086d6963686967616e3110300e060355040713076f736874656d6f312b3029060355040a13226b616c616d617a6f6f2076616c6c657920636f6d6d756e69747920636f6c6c65676531133011060355040b130a706b692073797374656d312830260603550403131f6b76636320726f6f7420636572746966696361746520617574686f72697479311a301806092a864886f70d010901160b6361406b7663632e656475301e170d3134303730393135353633345a170d3138303730393135353633345a3081b4310b30090603550406130275733111300f06035504080c086d6963686967616e3112301006035504070c096b616c616d617a6f6f312b3029060355040a0c226b616c616d617a6f6f2076616c6c657920636f6d6d756e69747920636f6c6c65676531143012060355040b0c0b776562207365727665727331183016060355040
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995c63a9d079be2e2bed2a9ad7
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 35 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026d00061900
State = 0x5e0eb0995c63a9d079be2e2bed2a9ad7
Message-Authenticator = 0x9dcfcc025d316261e50b4889136d4894
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (User-Name =~ / /)
(3) if (User-Name =~ / /) -> FALSE
(3) if (User-Name =~ /@.*@/ )
(3) if (User-Name =~ /@.*@/ ) -> FALSE
(3) if (User-Name =~ /\\.\\./ )
(3) if (User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (User-Name =~ /\\.$/)
(3) if (User-Name =~ /\\.$/) -> FALSE
(3) if (User-Name =~ /(a)\\./)
(3) if (User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [files] = noop
(3) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(3) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(3) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(3) auth_log : EXPAND %t
(3) auth_log : --> Tue Sep 16 19:39:07 2014
(3) [auth_log] = ok
(3) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(3) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(3) eap : EAP packet type response id 109 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x5e0eb0995c63a9d0
(3) eap : Finished EAP session with state 0x5e0eb0995c63a9d0
(3) eap : Previous EAP request found for state 0x5e0eb0995c63a9d0, released from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995d60a9d0
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge Id 35 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016e03e819407c57996f61039db7efa3827b7a0ccbb970cadd083c98481c0aa8c28037234efa4a2237300273d20e76d575f877336d794f16b8c4214262ef59636c2a8dd4ff1144e51e0e7af42fef2d42c23cd515055424cf2c2770e1942d69a4c84a8d3f95b50203010001a38201ce308201ca30090603551d1304023000303f06096086480186f842010d04321630636572746966696361746520697373756564206279206b76636320636572746966696361746520617574686f72697479301d0603551d0e04160414343b598a120809addecb071861ff227a52294d03301f0603551d230418301680142267e3ac3f7a8c1e4300c3e06a315c885c2fb99d302406096086480186f84201020417161568747470733a2f2f706b692e6b7663632e6564752f303806096086480186f8420104042b162968747470733a2f2f706b692e6b7663632e6564752f6b7663635f726f6f745f63612d63726c2e70656d303a0603551d1f04333031302fa02da02b862968747470733a2f2f706b692e6b7663632e6564752f6b7663635f726f6f745f63612d63726c2e70656d303206096086480186f84201030425162368747470733a2f2f706b692e6b7663632e6564752f7265766f636174696f6e2e706870302f06096086480186f84201070422162068747470733a2f2f706b692e6b7663632e6564752f726
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995d60a9d079be2e2bed2a9ad7
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 36 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026e00061900
State = 0x5e0eb0995d60a9d079be2e2bed2a9ad7
Message-Authenticator = 0x236cfa89983c8d082b52881ecf9a4d95
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (User-Name =~ / /)
(4) if (User-Name =~ / /) -> FALSE
(4) if (User-Name =~ /@.*@/ )
(4) if (User-Name =~ /@.*@/ ) -> FALSE
(4) if (User-Name =~ /\\.\\./ )
(4) if (User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (User-Name =~ /\\.$/)
(4) if (User-Name =~ /\\.$/) -> FALSE
(4) if (User-Name =~ /(a)\\./)
(4) if (User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [files] = noop
(4) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(4) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(4) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(4) auth_log : EXPAND %t
(4) auth_log : --> Tue Sep 16 19:39:07 2014
(4) [auth_log] = ok
(4) if (User-Name =~ /^(.*)(a)(DOMAIN.DOMAIN)/)
(4) if (User-Name =~ /^(.*)(a)(DOMAIN.DOMAIN)/) -> FALSE
(4) eap : EAP packet type response id 110 length 6
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x5e0eb0995d60a9d0
(4) eap : Finished EAP session with state 0x5e0eb0995d60a9d0
(4) eap : Previous EAP request found for state 0x5e0eb0995d60a9d0, released from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995a61a9d0
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge Id 36 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x016f02c81900f44933e43bf5256b7a31a3b96e3cd846fd51fd4843b8526824e994c026e1628cd09fae8dabf0bddbc8165e03331cf72dfdc02569b061fd009250cbd4544331c1183d69ba9c3ee6b3b8dec6f464254303d63094249eedd1147fa75acd892f51a11d26dcc3a28df8c2c0160301024b0c00024703001741040443b202c0e0e99b151a2484b29723daaaa174da9c145faba1e9b0fafd0cec619d7ac130ff08a11989c6caef13b6220b215b560c8a51a972b5505fa0f369754c0200a4ef4f6d70fba654e8bada9fe4a2c4ca54db40542f0eae17e9b8ee902fe54fed881b669ca23bab384c136fec2942dc9e3b31fb80a8d6cd95ff32af19b797c254a2c788fc4764202e23b42dcff21c0f8144a6c26e70aa2255ba0e5983a209b5c60a80c06d12dd97147d046e8d74654e7bf40929dbbe2819557c0dce7a023652efa8455a07d10657bab0f4f0fea1ae4791ac31bb77531b64c4704f8a7cdf1ef84dbfbb8b660ae88db56fc76b95ab91201b96ec228ec4bf190e0d3ba68cbbc97ee7921d43a020f568dd6992d237ac4ae8ab6dbb22a5a61de2b8eae79ca3642138b2eb48e523504d2ae97d49d8bb325c0c3afe62af8576dcae5daf0522ba1d28b783e62bbb5468f4d122d10f6cab5efeb7aa8cff2701b3f6f6cab62f89e383d6a5a1f64c080aeb43939163013b6441dd0a56f3532e7effd5d5c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995a61a9d079be2e2bed2a9ad7
(4) Finished request
Waking up in 0.2 seconds.
Waking up in 9.6 seconds.
Received Access-Request Id 37 from 10.254.3.37:1028 to 10.59.5.21:1812 length 296
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x026f009019800000008616030100461000004241047d21ce852263a052e926d170585854248283a234a2a5a328943a7786ce4ec3ae7231f99a24f179fce01aecaa77e63efd61998f0e8ad375d9a0e200f6ca638e891403010001011603010030b1cff6d1032d1bb21ada7f35be9dacc42aea54b26268369c4f7e17e72ac6fd34a734f68cf6a952a2aa7b3ba01b1b2ef1
State = 0x5e0eb0995a61a9d079be2e2bed2a9ad7
Message-Authenticator = 0xbf6bfc5efb934328f711def3fafdb0f1
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (User-Name =~ / /)
(5) if (User-Name =~ / /) -> FALSE
(5) if (User-Name =~ /@.*@/ )
(5) if (User-Name =~ /@.*@/ ) -> FALSE
(5) if (User-Name =~ /\\.\\./ )
(5) if (User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (User-Name =~ /\\.$/)
(5) if (User-Name =~ /\\.$/) -> FALSE
(5) if (User-Name =~ /(a)\\./)
(5) if (User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [files] = noop
(5) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(5) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(5) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(5) auth_log : EXPAND %t
(5) auth_log : --> Tue Sep 16 19:39:09 2014
(5) [auth_log] = ok
(5) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(5) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(5) eap : EAP packet type response id 111 length 144
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x5e0eb0995a61a9d0
(5) eap : Finished EAP session with state 0x5e0eb0995a61a9d0
(5) eap : Previous EAP request found for state 0x5e0eb0995a61a9d0, released from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
TLS Length 134
(5) eap_peap : Length Included
(5) eap_peap : eaptls_verify returned 11
(5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap : TLS_accept: SSLv3 read client key exchange A
(5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 read finished A
(5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 write finished A
(5) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session 23feab224052f9fe4eab7f184821ed75bef8bf597694768eb27f73579bc82fff to cache
(5) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb0995b7ea9d0
(5) [eap] = handled
(5) } # authenticate = handled
Sending Access-Challenge Id 37 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0170004119001403010001011603010030e6c295d7aae9143dc4297a8fee4d213501f4b699b6fcb997cfd2f7c5453cb023f6eae59338a9624478913ed5d26dda62
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb0995b7ea9d079be2e2bed2a9ad7
(5) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 38 from 10.254.3.37:1028 to 10.59.5.21:1812 length 158
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x027000061900
State = 0x5e0eb0995b7ea9d079be2e2bed2a9ad7
Message-Authenticator = 0x0cba722e0b4b6224268067057e91ef69
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (User-Name =~ / /)
(6) if (User-Name =~ / /) -> FALSE
(6) if (User-Name =~ /@.*@/ )
(6) if (User-Name =~ /@.*@/ ) -> FALSE
(6) if (User-Name =~ /\\.\\./ )
(6) if (User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (User-Name =~ /\\.$/)
(6) if (User-Name =~ /\\.$/) -> FALSE
(6) if (User-Name =~ /(a)\\./)
(6) if (User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [files] = noop
(6) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(6) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(6) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(6) auth_log : EXPAND %t
(6) auth_log : --> Tue Sep 16 19:39:09 2014
(6) [auth_log] = ok
(6) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(6) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(6) eap : EAP packet type response id 112 length 6
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0x5e0eb0995b7ea9d0
(6) eap : Finished EAP session with state 0x5e0eb0995b7ea9d0
(6) eap : Previous EAP request found for state 0x5e0eb0995b7ea9d0, released from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : Received TLS ACK
(6) eap_peap : Received TLS ACK
(6) eap_peap : ACK handshake is finished
(6) eap_peap : eaptls_verify returned 3
(6) eap_peap : eaptls_process returned 3
(6) eap_peap : FR_TLS_SUCCESS
(6) eap_peap : Session established. Decoding tunneled attributes.
(6) eap_peap : Peap state TUNNEL ESTABLISHED
(6) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb099587fa9d0
(6) [eap] = handled
(6) } # authenticate = handled
Sending Access-Challenge Id 38 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0171002b190017030100203b52ad3e0f64411b224983c5f7047537861b2af70639dd1d85e0d5b595a02982
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb099587fa9d079be2e2bed2a9ad7
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 39 from 10.254.3.37:1028 to 10.59.5.21:1812 length 195
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x0271002b19001703010020353ecb90456b8267345a26cbb7d58f1717923f57c38f29608104e11dd510cc5a
State = 0x5e0eb099587fa9d079be2e2bed2a9ad7
Message-Authenticator = 0x2cac79b449304e16da7e9e1aa646ad57
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (User-Name =~ / /)
(7) if (User-Name =~ / /) -> FALSE
(7) if (User-Name =~ /@.*@/ )
(7) if (User-Name =~ /@.*@/ ) -> FALSE
(7) if (User-Name =~ /\\.\\./ )
(7) if (User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (User-Name =~ /\\.$/)
(7) if (User-Name =~ /\\.$/) -> FALSE
(7) if (User-Name =~ /(a)\\./)
(7) if (User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [files] = noop
(7) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(7) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(7) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(7) auth_log : EXPAND %t
(7) auth_log : --> Tue Sep 16 19:39:09 2014
(7) [auth_log] = ok
(7) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(7) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(7) eap : EAP packet type response id 113 length 43
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x5e0eb099587fa9d0
(7) eap : Finished EAP session with state 0x5e0eb099587fa9d0
(7) eap : Previous EAP request found for state 0x5e0eb099587fa9d0, released from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes.
(7) eap_peap : Peap state WAITING FOR INNER IDENTITY
(7) eap_peap : Identity - ipad_user
(7) eap_peap : Got inner identity 'ipad_user'
(7) eap_peap : Setting default EAP type for tunneled EAP session.
(7) eap_peap : Got tunneled request
EAP-Message = 0x0271000e01697061645f75736572
server default {
(7) eap_peap : Setting User-Name to ipad_user
Sending tunneled request
EAP-Message = 0x0271000e01697061645f75736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'ipad_user'
server inner-tunnel {
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(7) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(7) [mschap] = noop
(7) eap : EAP packet type response id 113 length 14
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Peer sent Identity (1)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : Issuing Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0x67ddd59567afcfb0
(7) [eap] = handled
(7) } # authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
EAP-Message = 0x017200231a0172001e102964090c7d234f63135d08194cc12b15697061645f75736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x67ddd59567afcfb0c214b1382438f3c2
(7) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message = 0x017200231a0172001e102964090c7d234f63135d08194cc12b15697061645f75736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x67ddd59567afcfb0c214b1382438f3c2
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb099597ca9d0
(7) [eap] = handled
(7) } # authenticate = handled
Sending Access-Challenge Id 39 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0172004b19001703010040a1b7086a5f526d2cbb50fe6c7d2b6fdb3df1d70a0aabb6f4a191e5fbc9c341d74e80a274c96319d41157f2ce1a0dcb3f3ccbcae8d10749427a8be4fb2565336c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb099597ca9d079be2e2bed2a9ad7
(7) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 40 from 10.254.3.37:1028 to 10.59.5.21:1812 length 259
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x0272006b190017030100603ed4b1cf115ebce357ca550122c6c5acb3d6ebd7402bcba329dd9f00d0a2266a47db9100b198c35daca1a27a56a95c5feab8babf07ed42c3bb6e50e12eea7a80212dee9e2c984e9a6fed4987c00e9a43a8db47bd94579a27f105c44d2f28c4f5
State = 0x5e0eb099597ca9d079be2e2bed2a9ad7
Message-Authenticator = 0xce4d2dd6f41fb04deb6eae00af9678c9
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (User-Name =~ / /)
(8) if (User-Name =~ / /) -> FALSE
(8) if (User-Name =~ /@.*@/ )
(8) if (User-Name =~ /@.*@/ ) -> FALSE
(8) if (User-Name =~ /\\.\\./ )
(8) if (User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(8) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(8) if (User-Name =~ /\\.$/)
(8) if (User-Name =~ /\\.$/) -> FALSE
(8) if (User-Name =~ /(a)\\./)
(8) if (User-Name =~ /(a)\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [files] = noop
(8) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(8) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(8) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(8) auth_log : EXPAND %t
(8) auth_log : --> Tue Sep 16 19:39:09 2014
(8) [auth_log] = ok
(8) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(8) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(8) eap : EAP packet type response id 114 length 107
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0x67ddd59567afcfb0
(8) eap : Finished EAP session with state 0x5e0eb099597ca9d0
(8) eap : Previous EAP request found for state 0x5e0eb099597ca9d0, released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x027200441a0272003f31e29bfcddf7f5d71806444be15a3d342c0000000000000000640d21afc605c90a830d479536bba660d9c839fcd5fe4bf800697061645f75736572
server default {
(8) eap_peap : Setting User-Name to ipad_user
Sending tunneled request
EAP-Message = 0x027200441a0272003f31e29bfcddf7f5d71806444be15a3d342c0000000000000000640d21afc605c90a830d479536bba660d9c839fcd5fe4bf800697061645f75736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'ipad_user'
State = 0x67ddd59567afcfb0c214b1382438f3c2
server inner-tunnel {
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(8) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(8) [mschap] = noop
(8) eap : EAP packet type response id 114 length 68
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0x67ddd59567afcfb0
(8) eap : Finished EAP session with state 0x67ddd59567afcfb0
(8) eap : Previous EAP request found for state 0x67ddd59567afcfb0, released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 : Auth-Type MS-CHAP {
(8) mschap : Creating challenge hash with username: ipad_user
(8) mschap : Client is using MS-CHAPv2
(8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-OUR.DOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}
(8) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}}
(8) mschap : --> --username=ipad_user
(8) ERROR: mschap : No NT-Domain was found in the User-Name
(8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-OUR.DOMAIN}
(8) mschap : --> --domain=OUR.DOMAIN
(8) mschap : Creating challenge hash with username: ipad_user
(8) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(8) mschap : --> --challenge=8653c43c6bec2402
(8) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(8) mschap : --> --nt-response=640d21afc605c90a830d479536bba660d9c839fcd5fe4bf8
(8) ERROR: mschap : Program returned code (1) and output 'Invalid workstation (0xc0000070)'
(8) mschap : External script failed.
(8) ERROR: mschap : External script says: Invalid workstation (0xc0000070)
(8) ERROR: mschap : MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # Auth-Type MS-CHAP = reject
(8) eap : Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user.
(8) Login incorrect (mschap: No NT-Domain was found in the User-Name): [ipad_user] (from client internal_networks port 0 via TLS tunnel)
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) reply_log : EXPAND /var/log/freeradius/radacct/reply-detail-%Y%m%d
(8) reply_log : --> /var/log/freeradius/radacct/reply-detail-20140916
(8) reply_log : /var/log/freeradius/radacct/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/reply-detail-20140916
(8) reply_log : EXPAND %t
(8) reply_log : --> Tue Sep 16 19:39:09 2014
(8) [reply_log] = ok
(8) } # Post-Auth-Type REJECT = ok
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 3
MS-CHAP-Error = 'rE=691 R=1'
EAP-Message = 0x04720004
Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap : Got tunneled reply RADIUS code 3
MS-CHAP-Error = 'rE=691 R=1'
EAP-Message = 0x04720004
Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap : Tunneled authentication was rejected.
(8) eap_peap : FAILURE
(8) eap : New EAP session, adding 'State' attribute to reply 0x5e0eb099567da9d0
(8) [eap] = handled
(8) } # authenticate = handled
Sending Access-Challenge Id 40 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x0173002b190017030100202cc42e6a6e3fa0ec523ef9408e28c3ef0babecd65cdfd4f765fd884bcee820c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5e0eb099567da9d079be2e2bed2a9ad7
(8) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 41 from 10.254.3.37:1028 to 10.59.5.21:1812 length 195
User-Name = 'ipad_user'
NAS-Port = 0
Called-Station-Id = '00-19-92-04-53-6A:test'
Calling-Station-Id = '64-E6-82-B6-2E-ED'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11'
EAP-Message = 0x0273002b190017030100203e8fe9b011ca991f91750e50d130dc85937fbeada19e58755f3ccee809a0f33a
State = 0x5e0eb099567da9d079be2e2bed2a9ad7
Message-Authenticator = 0xa061cf2c4d87c481a05b961f24a0dcee
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (User-Name =~ / /)
(9) if (User-Name =~ / /) -> FALSE
(9) if (User-Name =~ /@.*@/ )
(9) if (User-Name =~ /@.*@/ ) -> FALSE
(9) if (User-Name =~ /\\.\\./ )
(9) if (User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(9) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(9) if (User-Name =~ /\\.$/)
(9) if (User-Name =~ /\\.$/) -> FALSE
(9) if (User-Name =~ /(a)\\./)
(9) if (User-Name =~ /(a)\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [files] = noop
(9) auth_log : EXPAND /var/log/freeradius/radacct/auth-detail-%Y%m%d
(9) auth_log : --> /var/log/freeradius/radacct/auth-detail-20140916
(9) auth_log : /var/log/freeradius/radacct/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/auth-detail-20140916
(9) auth_log : EXPAND %t
(9) auth_log : --> Tue Sep 16 19:39:09 2014
(9) [auth_log] = ok
(9) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/)
(9) if (User-Name =~ /^(.*)(a)(OUR.DOMAIN)/) -> FALSE
(9) eap : EAP packet type response id 115 length 43
(9) eap : Continuing tunnel setup.
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0x5e0eb099567da9d0
(9) eap : Finished EAP session with state 0x5e0eb099567da9d0
(9) eap : Previous EAP request found for state 0x5e0eb099567da9d0, released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes.
(9) eap_peap : Peap state send tlv failure
(9) eap_peap : Received EAP-TLV response.
(9) eap_peap : The users session was previously rejected: returning reject (again.)
(9) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap : *** to find out the reason why the user was rejected.
(9) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you.
(9) eap_peap : *** what went wrong, and how to fix the problem.
SSL: Removing session 23feab224052f9fe4eab7f184821ed75bef8bf597694768eb27f73579bc82fff from the cache
(9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap : Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user.
(9) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [ipad_user] (from client internal_networks port 0 cli 64-E6-82-B6-2E-ED)
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) detail : EXPAND /var/log/freeradius/radacct/detail-%Y%m%d
(9) detail : --> /var/log/freeradius/radacct/detail-20140916
(9) detail : /var/log/freeradius/radacct/detail-%Y%m%d expands to /var/log/freeradius/radacct/detail-20140916
(9) detail : EXPAND %t
(9) detail : --> Tue Sep 16 19:39:09 2014
(9) [detail] = ok
(9) reply_log : EXPAND /var/log/freeradius/radacct/reply-detail-%Y%m%d
(9) reply_log : --> /var/log/freeradius/radacct/reply-detail-20140916
(9) reply_log : /var/log/freeradius/radacct/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/reply-detail-20140916
(9) reply_log : EXPAND %t
(9) reply_log : --> Tue Sep 16 19:39:09 2014
(9) [reply_log] = ok
(9) attr_filter.access_reject : EXPAND %{User-Name}
(9) attr_filter.access_reject : --> ipad_user
(9) attr_filter.access_reject : Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(9) [eap] = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1 seconds
Waking up in 0.2 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
Sending Access-Reject Id 41 from 10.59.5.21:1812 to 10.254.3.37:1028
EAP-Message = 0x04730004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 7.4 seconds.
2
1
I have a PDC using SaMBa and openLDAP, I'm trying to make my openwrt
router authenticate with openLDAP, I read that the way to do this is by
configuring a RADIUS server.
I configured freeradius and It works fine, but my problem is that I need
to authenticate users using the userPassword attribute instead of
sambaNTPassword, I can't get this work, I've read a lot, but I haven't
found the answer (didn't read enough I guess).
I installed and configured freeradius in openSuSE 13.1
# rpm -qa | grep freeradius
freeradius-server-libs-2.2.0-7.4.1.x86_64
freeradius-server-doc-2.2.0-7.4.1.x86_64
freeradius-server-2.2.0-7.4.1.x86_64
I added in /etc/raddb/clients.conf
client owrt.router {
secret = secretPasswd
ipaddr = 10.202.10.83
}
I uncomment "ldap" and the "Auth-Type LDAP{....}" in the followin files:
/etc/raddb/sites-enabled/default
/etc/raddb/sites-enabled/inner-tunnel
I set server and basedn info in the /etc/raddb/modules/ldap file
I repeat, it works fine but with the openLDAP's sambaNTPassword entry
instead of using the userPassword.
any help will be wellcome,
sorry my english, (I tried my best).
saludos,
Nicolás.
**
1
0
15 Sep '14
Hi,
I'm trying to install RPMs from
<https://packages.networkradius.com/centos/6.5/> on a CentOS 6.5 system. I
have successfully installed the following:
freeradius-3.0.4-1.el6.x86_64
freeradius-ldap-3.0.4-1.el6.x86_64
freeradius-debuginfo-3.0.4-1.el6.x86_64
freeradius-mysql-3.0.4-1.el6.x86_64
But the freeradius-krb5 RPM fails:
# yum install freeradius-krb5-3.0.4-1.el6.x86_64.rpm
...
Setting up Install Process
Examining freeradius-krb5-3.0.4-1.el6.x86_64.rpm:
freeradius-krb5-3.0.4-1.el6.x86_64
Marking freeradius-krb5-3.0.4-1.el6.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package freeradius-krb5.x86_64 0:3.0.4-1.el6 will be installed
--> Processing Dependency: krb5 for package:
freeradius-krb5-3.0.4-1.el6.x86_64
--> Finished Dependency Resolution
Error: Package: freeradius-krb5-3.0.4-1.el6.x86_64
(/freeradius-krb5-3.0.4-1.el6.x86_64)
Requires: krb5
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
There is no package named "krb5" in the standard repos. Where does that
dependency come from?
Thanks
Sebastian
--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
4
4
Hi,
I want to ask what should i do if i want store datas in simtriplets.dat
(imsi,rand,sres,kc) into phpmyadmin?
actually the freeradius was installed with mysql and phpmyadmin and in
phpmyadmin have database asterisk too.
Thanks,
Rafa
1
0