Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2015
- 102 participants
- 146 discussions
Hello,
we currently have the following setting in inner-tunnel, to perform a check
on the radius server sending us the authentication request:
authorize {
preprocess
rewrite.calling_station_id
if ("%{clients:shortname}" == "internal_radius_1") {
ok
update control {
Auth-Type := Accept
}
}
elsif (......
We'd like to extend the check to internal_radius_1 AND internal_radius_2.
Does inner-data support regexp to do that, maybe using something like the
following expression?
if ("%{clients:shortname}" ~ "internal_radius_(.*)") {
Thank you,
Stefano
3
2
Hi Freeradius users , Im planning to move my Radius service to a
virtualized enviroment so I can create a server cluster.
Is there any official / unofficial documentation about freeradius
clustering for HA to start reading ?
Maybe some feature for primary and secondary radius support or F5 load
balancer integration, etc.
Regards,
Leandro.
>
5
7
Hello everybody,
I'm new to FreeRadius and linux and I've gotten to the point that I have succesfull authentication and vlan assignment for my wireless users using 802.1x via NTLM authentication with FreeRadius 3.0.8 in my test setup.I am trying to get the pass change option to work using the mschapv2 module and I do get a passchange window on my windows 8 test laptop.
I see that the passchange packet is received but after that I get "No valid NT-Password attribute found, can't change password"
I hope someone can give me some pointers in the right direction..
Below is my pass change attempt================================================
(0) Received Access-Request Id 146 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234(0) User-Name = 'vdiuser001'(0) Calling-Station-Id = '00-c0-a8-c6-d7-79'(0) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(0) NAS-Port = 13(0) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(0) NAS-IP-Address = 10.70.1.1(0) NAS-Identifier = 'Cisco-WLC-5508'(0) Airespace-Wlan-Id = 9(0) Service-Type = Framed-User(0) Framed-MTU = 1300(0) NAS-Port-Type = Wireless-802.11(0) Tunnel-Type:0 = VLAN(0) Tunnel-Medium-Type:0 = IEEE-802(0) Tunnel-Private-Group-Id:0 = '212'(0) EAP-Message = 0x0202000f0176646975736572303031(0) Message-Authenticator = 0xaf7ffeb4c2d2854413f57effba1d7a06(0) # Executing section authorize from file /etc/raddb/sites-enabled/default(0) authorize {(0) policy filter_username {(0) if (!&User-Name) {(0) if (!&User-Name) -> FALSE(0) if (&User-Name =~ / /) {(0) if (&User-Name =~ / /) -> FALSE(0) if (&User-Name =~ /@.*@/ ) {(0) if (&User-Name =~ /@.*@/ ) -> FALSE(0) if (&User-Name =~ /\.\./ ) {(0) if (&User-Name =~ /\.\./ ) -> FALSE(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(0) if (&User-Name =~ /\.$/) {(0) if (&User-Name =~ /\.$/) -> FALSE(0) if (&User-Name =~ /(a)\./) {(0) if (&User-Name =~ /(a)\./) -> FALSE(0) } # policy filter_username = notfound(0) [preprocess] = ok(0) [chap] = noop(0) [mschap] = noop(0) [digest] = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) eap: Peer sent code Response (2) ID 2 length 15(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(0) [eap] = ok(0) } # authorize = ok(0) Found Auth-Type = EAP(0) # Executing group from file /etc/raddb/sites-enabled/default(0) authenticate {(0) eap: Peer sent method Identity (1)(0) eap: Calling eap_peap to process EAP data(0) eap_peap: Flushing SSL sessions (of #0)(0) eap_peap: Initiate(0) eap_peap: Start returned 1(0) eap: EAP session adding &reply:State = 0x1e1591df1e16880e(0) [eap] = handled(0) } # authenticate = handled(0) Using Post-Auth-Type Challenge(0) Post-Auth-Type sub-section not found. Ignoring.(0) # Executing group from file /etc/raddb/sites-enabled/default(0) Sent Access-Challenge Id 146 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(0) EAP-Message = 0x010300061920(0) Message-Authenticator = 0x00000000000000000000000000000000(0) State = 0x1e1591df1e16880e6da8d17effec1644(0) Finished requestWaking up in 4.9 seconds.(1) Received Access-Request Id 147 from 10.70.1.1:32770 to 10.10.10.3:1812 length 346(1) User-Name = 'vdiuser001'(1) Calling-Station-Id = '00-c0-a8-c6-d7-79'(1) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(1) NAS-Port = 13(1) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(1) NAS-IP-Address = 10.70.1.1(1) NAS-Identifier = 'Cisco-WLC-5508'(1) Airespace-Wlan-Id = 9(1) Service-Type = Framed-User(1) Framed-MTU = 1300(1) NAS-Port-Type = Wireless-802.11(1) Tunnel-Type:0 = VLAN(1) Tunnel-Medium-Type:0 = IEEE-802(1) Tunnel-Private-Group-Id:0 = '212'(1) EAP-Message = 0x0203006d198000000063160301005e0100005a0301556ea07cb3e1da5438e4a0fda201cbfcdfff42b72294b1d171d0c2e5bfb7324f000018c014c0130035002fc00ac00900380032000a00130005000401000019ff01000100000a0006000400170018000b0002010000230000(1) State = 0x1e1591df1e16880e6da8d17effec1644(1) Message-Authenticator = 0xff709617cbc210bed08b77be13d02f78(1) session-state: No cached attributes(1) # Executing section authorize from file /etc/raddb/sites-enabled/default(1) authorize {(1) policy filter_username {(1) if (!&User-Name) {(1) if (!&User-Name) -> FALSE(1) if (&User-Name =~ / /) {(1) if (&User-Name =~ / /) -> FALSE(1) if (&User-Name =~ /@.*@/ ) {(1) if (&User-Name =~ /@.*@/ ) -> FALSE(1) if (&User-Name =~ /\.\./ ) {(1) if (&User-Name =~ /\.\./ ) -> FALSE(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(1) if (&User-Name =~ /\.$/) {(1) if (&User-Name =~ /\.$/) -> FALSE(1) if (&User-Name =~ /(a)\./) {(1) if (&User-Name =~ /(a)\./) -> FALSE(1) } # policy filter_username = notfound(1) [preprocess] = ok(1) [chap] = noop(1) [mschap] = noop(1) [digest] = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) eap: Peer sent code Response (2) ID 3 length 109(1) eap: Continuing tunnel setup(1) [eap] = ok(1) } # authorize = ok(1) Found Auth-Type = EAP(1) # Executing group from file /etc/raddb/sites-enabled/default(1) authenticate {(1) eap: Expiring EAP session with state 0x1e1591df1e16880e(1) eap: Finished EAP session with state 0x1e1591df1e16880e(1) eap: Previous EAP request found for state 0x1e1591df1e16880e, released from the list(1) eap: Peer sent method PEAP (25)(1) eap: EAP PEAP (25)(1) eap: Calling eap_peap to process EAP data(1) eap_peap: processing EAP-TLS(1) eap_peap: TLS Length 99(1) eap_peap: Length Included(1) eap_peap: eaptls_verify returned 11(1) eap_peap: (other): before/accept initialization(1) eap_peap: TLS_accept: before/accept initialization(1) eap_peap: <<< TLS 1.0 Handshake [length 005e], ClientHello(1) eap_peap: TLS_accept: SSLv3 read client hello A(1) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello(1) eap_peap: TLS_accept: SSLv3 write server hello A(1) eap_peap: >>> TLS 1.0 Handshake [length 08d0], Certificate(1) eap_peap: TLS_accept: SSLv3 write certificate A(1) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange(1) eap_peap: TLS_accept: SSLv3 write key exchange A(1) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone(1) eap_peap: TLS_accept: SSLv3 write server done A(1) eap_peap: TLS_accept: SSLv3 flush data(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate AIn SSL Handshake PhaseIn SSL Accept mode(1) eap_peap: eaptls_process returned 13(1) eap_peap: FR_TLS_HANDLED(1) eap: EAP session adding &reply:State = 0x1e1591df1f11880e(1) [eap] = handled(1) } # authenticate = handled(1) Using Post-Auth-Type Challenge(1) Post-Auth-Type sub-section not found. Ignoring.(1) # Executing group from file /etc/raddb/sites-enabled/default(1) Sent Access-Challenge Id 147 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(1) EAP-Message = 0x010403ec19c000000a8c160301005902000055030186abd118bcdaa77ddb5869e5ddfbfe95dceb5754d78269df4bcdb7299564fe2d200820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de(1) Message-Authenticator = 0x00000000000000000000000000000000(1) State = 0x1e1591df1f11880e6da8d17effec1644(1) Finished requestWaking up in 4.9 seconds.(2) Received Access-Request Id 148 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243(2) User-Name = 'vdiuser001'(2) Calling-Station-Id = '00-c0-a8-c6-d7-79'(2) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(2) NAS-Port = 13(2) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(2) NAS-IP-Address = 10.70.1.1(2) NAS-Identifier = 'Cisco-WLC-5508'(2) Airespace-Wlan-Id = 9(2) Service-Type = Framed-User(2) Framed-MTU = 1300(2) NAS-Port-Type = Wireless-802.11(2) Tunnel-Type:0 = VLAN(2) Tunnel-Medium-Type:0 = IEEE-802(2) Tunnel-Private-Group-Id:0 = '212'(2) EAP-Message = 0x020400061900(2) State = 0x1e1591df1f11880e6da8d17effec1644(2) Message-Authenticator = 0x776a06fa5dc2b42c73bb121fcca33bea(2) session-state: No cached attributes(2) # Executing section authorize from file /etc/raddb/sites-enabled/default(2) authorize {(2) policy filter_username {(2) if (!&User-Name) {(2) if (!&User-Name) -> FALSE(2) if (&User-Name =~ / /) {(2) if (&User-Name =~ / /) -> FALSE(2) if (&User-Name =~ /@.*@/ ) {(2) if (&User-Name =~ /@.*@/ ) -> FALSE(2) if (&User-Name =~ /\.\./ ) {(2) if (&User-Name =~ /\.\./ ) -> FALSE(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(2) if (&User-Name =~ /\.$/) {(2) if (&User-Name =~ /\.$/) -> FALSE(2) if (&User-Name =~ /(a)\./) {(2) if (&User-Name =~ /(a)\./) -> FALSE(2) } # policy filter_username = notfound(2) [preprocess] = ok(2) [chap] = noop(2) [mschap] = noop(2) [digest] = noop(2) suffix: Checking for suffix after "@"(2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(2) suffix: No such realm "NULL"(2) [suffix] = noop(2) eap: Peer sent code Response (2) ID 4 length 6(2) eap: Continuing tunnel setup(2) [eap] = ok(2) } # authorize = ok(2) Found Auth-Type = EAP(2) # Executing group from file /etc/raddb/sites-enabled/default(2) authenticate {(2) eap: Expiring EAP session with state 0x1e1591df1f11880e(2) eap: Finished EAP session with state 0x1e1591df1f11880e(2) eap: Previous EAP request found for state 0x1e1591df1f11880e, released from the list(2) eap: Peer sent method PEAP (25)(2) eap: EAP PEAP (25)(2) eap: Calling eap_peap to process EAP data(2) eap_peap: processing EAP-TLS(2) eap_peap: Received TLS ACK(2) eap_peap: Received TLS ACK(2) eap_peap: ACK handshake fragment handler(2) eap_peap: eaptls_verify returned 1(2) eap_peap: eaptls_process returned 13(2) eap_peap: FR_TLS_HANDLED(2) eap: EAP session adding &reply:State = 0x1e1591df1c10880e(2) [eap] = handled(2) } # authenticate = handled(2) Using Post-Auth-Type Challenge(2) Post-Auth-Type sub-section not found. Ignoring.(2) # Executing group from file /etc/raddb/sites-enabled/default(2) Sent Access-Challenge Id 148 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(2) EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130(2) Message-Authenticator = 0x00000000000000000000000000000000(2) State = 0x1e1591df1c10880e6da8d17effec1644(2) Finished requestWaking up in 4.9 seconds.(3) Received Access-Request Id 149 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243(3) User-Name = 'vdiuser001'(3) Calling-Station-Id = '00-c0-a8-c6-d7-79'(3) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(3) NAS-Port = 13(3) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(3) NAS-IP-Address = 10.70.1.1(3) NAS-Identifier = 'Cisco-WLC-5508'(3) Airespace-Wlan-Id = 9(3) Service-Type = Framed-User(3) Framed-MTU = 1300(3) NAS-Port-Type = Wireless-802.11(3) Tunnel-Type:0 = VLAN(3) Tunnel-Medium-Type:0 = IEEE-802(3) Tunnel-Private-Group-Id:0 = '212'(3) EAP-Message = 0x020500061900(3) State = 0x1e1591df1c10880e6da8d17effec1644(3) Message-Authenticator = 0x1feb9b7bb1e9f4d588005f8e4c1f441b(3) session-state: No cached attributes(3) # Executing section authorize from file /etc/raddb/sites-enabled/default(3) authorize {(3) policy filter_username {(3) if (!&User-Name) {(3) if (!&User-Name) -> FALSE(3) if (&User-Name =~ / /) {(3) if (&User-Name =~ / /) -> FALSE(3) if (&User-Name =~ /@.*@/ ) {(3) if (&User-Name =~ /@.*@/ ) -> FALSE(3) if (&User-Name =~ /\.\./ ) {(3) if (&User-Name =~ /\.\./ ) -> FALSE(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(3) if (&User-Name =~ /\.$/) {(3) if (&User-Name =~ /\.$/) -> FALSE(3) if (&User-Name =~ /(a)\./) {(3) if (&User-Name =~ /(a)\./) -> FALSE(3) } # policy filter_username = notfound(3) [preprocess] = ok(3) [chap] = noop(3) [mschap] = noop(3) [digest] = noop(3) suffix: Checking for suffix after "@"(3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(3) suffix: No such realm "NULL"(3) [suffix] = noop(3) eap: Peer sent code Response (2) ID 5 length 6(3) eap: Continuing tunnel setup(3) [eap] = ok(3) } # authorize = ok(3) Found Auth-Type = EAP(3) # Executing group from file /etc/raddb/sites-enabled/default(3) authenticate {(3) eap: Expiring EAP session with state 0x1e1591df1c10880e(3) eap: Finished EAP session with state 0x1e1591df1c10880e(3) eap: Previous EAP request found for state 0x1e1591df1c10880e, released from the list(3) eap: Peer sent method PEAP (25)(3) eap: EAP PEAP (25)(3) eap: Calling eap_peap to process EAP data(3) eap_peap: processing EAP-TLS(3) eap_peap: Received TLS ACK(3) eap_peap: Received TLS ACK(3) eap_peap: ACK handshake fragment handler(3) eap_peap: eaptls_verify returned 1(3) eap_peap: eaptls_process returned 13(3) eap_peap: FR_TLS_HANDLED(3) eap: EAP session adding &reply:State = 0x1e1591df1d13880e(3) [eap] = handled(3) } # authenticate = handled(3) Using Post-Auth-Type Challenge(3) Post-Auth-Type sub-section not found. Ignoring.(3) # Executing group from file /etc/raddb/sites-enabled/default(3) Sent Access-Challenge Id 149 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(3) EAP-Message = 0x010602ce190020417574686f72697479820900eb4cce581239f262300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100c1a0(3) Message-Authenticator = 0x00000000000000000000000000000000(3) State = 0x1e1591df1d13880e6da8d17effec1644(3) Finished requestWaking up in 4.9 seconds.(4) Received Access-Request Id 150 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381(4) User-Name = 'vdiuser001'(4) Calling-Station-Id = '00-c0-a8-c6-d7-79'(4) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(4) NAS-Port = 13(4) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(4) NAS-IP-Address = 10.70.1.1(4) NAS-Identifier = 'Cisco-WLC-5508'(4) Airespace-Wlan-Id = 9(4) Service-Type = Framed-User(4) Framed-MTU = 1300(4) NAS-Port-Type = Wireless-802.11(4) Tunnel-Type:0 = VLAN(4) Tunnel-Medium-Type:0 = IEEE-802(4) Tunnel-Private-Group-Id:0 = '212'(4) EAP-Message = 0x0206009019800000008616030100461000004241041c7db466f320cdd73375bd32ae121beb52414806d71da093e45be96f1368dbbf176affcce34fc191bd0a86203a369e1c98f1595c3ae6cedd722150c58f619c8314030100010116030100308e95f63a5f43e7d94cf3583b9fc1b9a041050278e6f62b(4) State = 0x1e1591df1d13880e6da8d17effec1644(4) Message-Authenticator = 0x454da7994b1a632987de592cee18ad93(4) session-state: No cached attributes(4) # Executing section authorize from file /etc/raddb/sites-enabled/default(4) authorize {(4) policy filter_username {(4) if (!&User-Name) {(4) if (!&User-Name) -> FALSE(4) if (&User-Name =~ / /) {(4) if (&User-Name =~ / /) -> FALSE(4) if (&User-Name =~ /@.*@/ ) {(4) if (&User-Name =~ /@.*@/ ) -> FALSE(4) if (&User-Name =~ /\.\./ ) {(4) if (&User-Name =~ /\.\./ ) -> FALSE(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(4) if (&User-Name =~ /\.$/) {(4) if (&User-Name =~ /\.$/) -> FALSE(4) if (&User-Name =~ /(a)\./) {(4) if (&User-Name =~ /(a)\./) -> FALSE(4) } # policy filter_username = notfound(4) [preprocess] = ok(4) [chap] = noop(4) [mschap] = noop(4) [digest] = noop(4) suffix: Checking for suffix after "@"(4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(4) suffix: No such realm "NULL"(4) [suffix] = noop(4) eap: Peer sent code Response (2) ID 6 length 144(4) eap: Continuing tunnel setup(4) [eap] = ok(4) } # authorize = ok(4) Found Auth-Type = EAP(4) # Executing group from file /etc/raddb/sites-enabled/default(4) authenticate {(4) eap: Expiring EAP session with state 0x1e1591df1d13880e(4) eap: Finished EAP session with state 0x1e1591df1d13880e(4) eap: Previous EAP request found for state 0x1e1591df1d13880e, released from the list(4) eap: Peer sent method PEAP (25)(4) eap: EAP PEAP (25)(4) eap: Calling eap_peap to process EAP data(4) eap_peap: processing EAP-TLS(4) eap_peap: TLS Length 134(4) eap_peap: Length Included(4) eap_peap: eaptls_verify returned 11(4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange(4) eap_peap: TLS_accept: SSLv3 read client key exchange A(4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001](4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished(4) eap_peap: TLS_accept: SSLv3 read finished A(4) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001](4) eap_peap: TLS_accept: SSLv3 write change cipher spec A(4) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished(4) eap_peap: TLS_accept: SSLv3 write finished A(4) eap_peap: TLS_accept: SSLv3 flush data TLS: adding session 0820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1 to cache(4) eap_peap: (other): SSL negotiation finished successfullySSL Connection Established(4) eap_peap: eaptls_process returned 13(4) eap_peap: FR_TLS_HANDLED(4) eap: EAP session adding &reply:State = 0x1e1591df1a12880e(4) [eap] = handled(4) } # authenticate = handled(4) Using Post-Auth-Type Challenge(4) Post-Auth-Type sub-section not found. Ignoring.(4) # Executing group from file /etc/raddb/sites-enabled/default(4) Sent Access-Challenge Id 150 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(4) EAP-Message = 0x0107004119001403010001011603010030844ddc99d83876b1afa809097ddc158138ae61e5027df9156161e80fd4e6b5dc6dc0286f2d7f440f29064c5d5da6135f(4) Message-Authenticator = 0x00000000000000000000000000000000(4) State = 0x1e1591df1a12880e6da8d17effec1644(4) Finished requestWaking up in 4.9 seconds.(5) Received Access-Request Id 151 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243(5) User-Name = 'vdiuser001'(5) Calling-Station-Id = '00-c0-a8-c6-d7-79'(5) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(5) NAS-Port = 13(5) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(5) NAS-IP-Address = 10.70.1.1(5) NAS-Identifier = 'Cisco-WLC-5508'(5) Airespace-Wlan-Id = 9(5) Service-Type = Framed-User(5) Framed-MTU = 1300(5) NAS-Port-Type = Wireless-802.11(5) Tunnel-Type:0 = VLAN(5) Tunnel-Medium-Type:0 = IEEE-802(5) Tunnel-Private-Group-Id:0 = '212'(5) EAP-Message = 0x020700061900(5) State = 0x1e1591df1a12880e6da8d17effec1644(5) Message-Authenticator = 0x6a9f9babb7fb5a0603e50e2292064d52(5) session-state: No cached attributes(5) # Executing section authorize from file /etc/raddb/sites-enabled/default(5) authorize {(5) policy filter_username {(5) if (!&User-Name) {(5) if (!&User-Name) -> FALSE(5) if (&User-Name =~ / /) {(5) if (&User-Name =~ / /) -> FALSE(5) if (&User-Name =~ /@.*@/ ) {(5) if (&User-Name =~ /@.*@/ ) -> FALSE(5) if (&User-Name =~ /\.\./ ) {(5) if (&User-Name =~ /\.\./ ) -> FALSE(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(5) if (&User-Name =~ /\.$/) {(5) if (&User-Name =~ /\.$/) -> FALSE(5) if (&User-Name =~ /(a)\./) {(5) if (&User-Name =~ /(a)\./) -> FALSE(5) } # policy filter_username = notfound(5) [preprocess] = ok(5) [chap] = noop(5) [mschap] = noop(5) [digest] = noop(5) suffix: Checking for suffix after "@"(5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(5) suffix: No such realm "NULL"(5) [suffix] = noop(5) eap: Peer sent code Response (2) ID 7 length 6(5) eap: Continuing tunnel setup(5) [eap] = ok(5) } # authorize = ok(5) Found Auth-Type = EAP(5) # Executing group from file /etc/raddb/sites-enabled/default(5) authenticate {(5) eap: Expiring EAP session with state 0x1e1591df1a12880e(5) eap: Finished EAP session with state 0x1e1591df1a12880e(5) eap: Previous EAP request found for state 0x1e1591df1a12880e, released from the list(5) eap: Peer sent method PEAP (25)(5) eap: EAP PEAP (25)(5) eap: Calling eap_peap to process EAP data(5) eap_peap: processing EAP-TLS(5) eap_peap: Received TLS ACK(5) eap_peap: Received TLS ACK(5) eap_peap: ACK handshake is finished(5) eap_peap: eaptls_verify returned 3(5) eap_peap: eaptls_process returned 3(5) eap_peap: FR_TLS_SUCCESS(5) eap_peap: Session established. Decoding tunneled attributes(5) eap_peap: PEAP state TUNNEL ESTABLISHED(5) eap: EAP session adding &reply:State = 0x1e1591df1b1d880e(5) [eap] = handled(5) } # authenticate = handled(5) Using Post-Auth-Type Challenge(5) Post-Auth-Type sub-section not found. Ignoring.(5) # Executing group from file /etc/raddb/sites-enabled/default(5) Sent Access-Challenge Id 151 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(5) EAP-Message = 0x0108002b190017030100206db2be686f268ad99a2f0f2723b6e3d5710916296d814c355a0cd194caed8a7b(5) Message-Authenticator = 0x00000000000000000000000000000000(5) State = 0x1e1591df1b1d880e6da8d17effec1644(5) Finished requestWaking up in 4.9 seconds.(6) Received Access-Request Id 152 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280(6) User-Name = 'vdiuser001'(6) Calling-Station-Id = '00-c0-a8-c6-d7-79'(6) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(6) NAS-Port = 13(6) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(6) NAS-IP-Address = 10.70.1.1(6) NAS-Identifier = 'Cisco-WLC-5508'(6) Airespace-Wlan-Id = 9(6) Service-Type = Framed-User(6) Framed-MTU = 1300(6) NAS-Port-Type = Wireless-802.11(6) Tunnel-Type:0 = VLAN(6) Tunnel-Medium-Type:0 = IEEE-802(6) Tunnel-Private-Group-Id:0 = '212'(6) EAP-Message = 0x0208002b1900170301002041ab8b582edc5512fcc8ba26acc4c3cca929b11e6bb6dc324e964be4c8912361(6) State = 0x1e1591df1b1d880e6da8d17effec1644(6) Message-Authenticator = 0x32cd4ca4495354475cad0639e3657fcd(6) session-state: No cached attributes(6) # Executing section authorize from file /etc/raddb/sites-enabled/default(6) authorize {(6) policy filter_username {(6) if (!&User-Name) {(6) if (!&User-Name) -> FALSE(6) if (&User-Name =~ / /) {(6) if (&User-Name =~ / /) -> FALSE(6) if (&User-Name =~ /@.*@/ ) {(6) if (&User-Name =~ /@.*@/ ) -> FALSE(6) if (&User-Name =~ /\.\./ ) {(6) if (&User-Name =~ /\.\./ ) -> FALSE(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(6) if (&User-Name =~ /\.$/) {(6) if (&User-Name =~ /\.$/) -> FALSE(6) if (&User-Name =~ /(a)\./) {(6) if (&User-Name =~ /(a)\./) -> FALSE(6) } # policy filter_username = notfound(6) [preprocess] = ok(6) [chap] = noop(6) [mschap] = noop(6) [digest] = noop(6) suffix: Checking for suffix after "@"(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) eap: Peer sent code Response (2) ID 8 length 43(6) eap: Continuing tunnel setup(6) [eap] = ok(6) } # authorize = ok(6) Found Auth-Type = EAP(6) # Executing group from file /etc/raddb/sites-enabled/default(6) authenticate {(6) eap: Expiring EAP session with state 0x1e1591df1b1d880e(6) eap: Finished EAP session with state 0x1e1591df1b1d880e(6) eap: Previous EAP request found for state 0x1e1591df1b1d880e, released from the list(6) eap: Peer sent method PEAP (25)(6) eap: EAP PEAP (25)(6) eap: Calling eap_peap to process EAP data(6) eap_peap: processing EAP-TLS(6) eap_peap: eaptls_verify returned 7(6) eap_peap: Done initial handshake(6) eap_peap: eaptls_process returned 7(6) eap_peap: FR_TLS_OK(6) eap_peap: Session established. Decoding tunneled attributes(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY(6) eap_peap: Identity - vdiuser001(6) eap_peap: Got inner identity 'vdiuser001'(6) eap_peap: Setting default EAP type for tunneled EAP session(6) eap_peap: Got tunneled request(6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031(6) eap_peap: Setting User-Name to vdiuser001(6) eap_peap: Sending tunneled request to inner-tunnel(6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(6) eap_peap: User-Name = 'vdiuser001'(6) Virtual server inner-tunnel received request(6) EAP-Message = 0x0208000f0176646975736572303031(6) FreeRADIUS-Proxied-To = 127.0.0.1(6) User-Name = 'vdiuser001'(6) server inner-tunnel {(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel(6) authorize {(6) [chap] = noop(6) [mschap] = noop(6) suffix: Checking for suffix after "@"(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) update control {(6) &Proxy-To-Realm := LOCAL(6) } # update control = noop(6) eap: Peer sent code Response (2) ID 8 length 15(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(6) [eap] = ok(6) } # authorize = ok(6) Found Auth-Type = EAP(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(6) authenticate {(6) eap: Peer sent method Identity (1)(6) eap: Calling eap_mschapv2 to process EAP data(6) eap_mschapv2: Issuing Challenge(6) eap: EAP session adding &reply:State = 0x51a562e351ac7819(6) [eap] = handled(6) } # authenticate = handled(6) } # server inner-tunnel(6) Virtual server sending reply(6) EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x51a562e351ac78191732838bb1154cd3(6) eap_peap: Got tunneled reply code 11(6) eap_peap: EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(6) eap_peap: State = 0x51a562e351ac78191732838bb1154cd3(6) eap_peap: Got tunneled reply RADIUS code 11(6) eap_peap: EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(6) eap_peap: State = 0x51a562e351ac78191732838bb1154cd3(6) eap_peap: Got tunneled Access-Challenge(6) eap: EAP session adding &reply:State = 0x1e1591df181c880e(6) [eap] = handled(6) } # authenticate = handled(6) Using Post-Auth-Type Challenge(6) Post-Auth-Type sub-section not found. Ignoring.(6) # Executing group from file /etc/raddb/sites-enabled/default(6) Sent Access-Challenge Id 152 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(6) EAP-Message = 0x0109004b19001703010040d8c3a0f01020d409085cc9f8485a9541e838b86586f7b38d0420e95191d98a03ccada0bcd4542632b89be702586bf861065d500e247a43742d868664491075b0(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x1e1591df181c880e6da8d17effec1644(6) Finished requestWaking up in 4.9 seconds.(7) Received Access-Request Id 153 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344(7) User-Name = 'vdiuser001'(7) Calling-Station-Id = '00-c0-a8-c6-d7-79'(7) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(7) NAS-Port = 13(7) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(7) NAS-IP-Address = 10.70.1.1(7) NAS-Identifier = 'Cisco-WLC-5508'(7) Airespace-Wlan-Id = 9(7) Service-Type = Framed-User(7) Framed-MTU = 1300(7) NAS-Port-Type = Wireless-802.11(7) Tunnel-Type:0 = VLAN(7) Tunnel-Medium-Type:0 = IEEE-802(7) Tunnel-Private-Group-Id:0 = '212'(7) EAP-Message = 0x0209006b190017030100609c5de592c2afd938ac3a0fce0efa7286bf5952d8522bc4d61d10ea044cbc77d5b722359da1b451d63d657087ab33ffe9af61f913b4a982210d2b12439685adb88228050d1c6c1f2ea1801b282badf8f1bba82ffbba04dec6096c1c7fd93f808a(7) State = 0x1e1591df181c880e6da8d17effec1644(7) Message-Authenticator = 0x6b59dbf369a713c307314fd6098370a7(7) session-state: No cached attributes(7) # Executing section authorize from file /etc/raddb/sites-enabled/default(7) authorize {(7) policy filter_username {(7) if (!&User-Name) {(7) if (!&User-Name) -> FALSE(7) if (&User-Name =~ / /) {(7) if (&User-Name =~ / /) -> FALSE(7) if (&User-Name =~ /@.*@/ ) {(7) if (&User-Name =~ /@.*@/ ) -> FALSE(7) if (&User-Name =~ /\.\./ ) {(7) if (&User-Name =~ /\.\./ ) -> FALSE(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(7) if (&User-Name =~ /\.$/) {(7) if (&User-Name =~ /\.$/) -> FALSE(7) if (&User-Name =~ /(a)\./) {(7) if (&User-Name =~ /(a)\./) -> FALSE(7) } # policy filter_username = notfound(7) [preprocess] = ok(7) [chap] = noop(7) [mschap] = noop(7) [digest] = noop(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) eap: Peer sent code Response (2) ID 9 length 107(7) eap: Continuing tunnel setup(7) [eap] = ok(7) } # authorize = ok(7) Found Auth-Type = EAP(7) # Executing group from file /etc/raddb/sites-enabled/default(7) authenticate {(7) eap: Expiring EAP session with state 0x51a562e351ac7819(7) eap: Finished EAP session with state 0x1e1591df181c880e(7) eap: Previous EAP request found for state 0x1e1591df181c880e, released from the list(7) eap: Peer sent method PEAP (25)(7) eap: EAP PEAP (25)(7) eap: Calling eap_peap to process EAP data(7) eap_peap: processing EAP-TLS(7) eap_peap: eaptls_verify returned 7(7) eap_peap: Done initial handshake(7) eap_peap: eaptls_process returned 7(7) eap_peap: FR_TLS_OK(7) eap_peap: Session established. Decoding tunneled attributes(7) eap_peap: PEAP state phase2(7) eap_peap: EAP type MSCHAPv2 (26)(7) eap_peap: Got tunneled request(7) eap_peap: EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031(7) eap_peap: Setting User-Name to vdiuser001(7) eap_peap: Sending tunneled request to inner-tunnel(7) eap_peap: EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(7) eap_peap: User-Name = 'vdiuser001'(7) eap_peap: State = 0x51a562e351ac78191732838bb1154cd3(7) Virtual server inner-tunnel received request(7) EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031(7) FreeRADIUS-Proxied-To = 127.0.0.1(7) User-Name = 'vdiuser001'(7) State = 0x51a562e351ac78191732838bb1154cd3(7) server inner-tunnel {(7) session-state: No cached attributes(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel(7) authorize {(7) [chap] = noop(7) [mschap] = noop(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) update control {(7) &Proxy-To-Realm := LOCAL(7) } # update control = noop(7) eap: Peer sent code Response (2) ID 9 length 69(7) eap: No EAP Start, assuming it's an on-going EAP conversation(7) [eap] = updated(7) [files] = noop(7) sql: EXPAND %{User-Name}(7) sql: --> vdiuser001(7) sql: SQL-User-Name set to 'vdiuser001'rlm_sql (sql): Reserved connection (4)(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id(7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority(7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority(7) sql: User not found in any groupsrlm_sql (sql): Released connection (4)(7) [sql] = notfoundrlm_ldap (ldap): Reserved connection (4)(7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(7) ldap: --> (sAMAccountName=vdiuser001)(7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"(7) ldap: Waiting for search result...(7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"(7) ldap: Processing user attributes(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read thepassword attribute(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)rlm_ldap (ldap): Released connection (4)(7) [ldap] = ok(7) if (control:Ldap-UserDn =~ /OU=EDU/) {(7) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {(7) update control {(7) Simultaneous-Use := 3(7) } # update control = noop(7) update outer.session-state {(7) Tunnel-type = VLAN(7) Tunnel-medium-type = IEEE-802(7) Tunnel-Private-Group-Id = PRS-WIFI-Client(7) } # update outer.session-state = noop(7) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop(7) ... skipping elsif for request 7: Preceding "if" was taken(7) ... skipping else for request 7: Preceding "if" was taken(7) [expiration] = noop(7) [logintime] = noop(7) [pap] = noop(7) } # authorize = updated(7) Found Auth-Type = EAP(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(7) authenticate {(7) eap: Expiring EAP session with state 0x51a562e351ac7819(7) eap: Finished EAP session with state 0x51a562e351ac7819(7) eap: Previous EAP request found for state 0x51a562e351ac7819, released from the list(7) eap: Peer sent method MSCHAPv2 (26)(7) eap: EAP MSCHAPv2 (26)(7) eap: Calling eap_mschapv2 to process EAP data(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(7) eap_mschapv2: Auth-Type MS-CHAP {(7) mschap: Creating challenge hash with username: vdiuser001(7) mschap: Client is using MS-CHAPv2(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}(7) mschap: --> --username=vdiuser001(7) mschap: Creating challenge hash with username: vdiuser001(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}(7) mschap: --> --challenge=2f1b60fe24af9f0b(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}(7) mschap: --> --nt-response=aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d(7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)'(7) mschap: ERROR: Must change password (0xc0000224)(7) [mschap] = reject(7) } # Auth-Type MS-CHAP = reject(7) MSCHAP-Error: E=648 R=0 C=d713bb20e9d8bd4fc9a1715afa66110e V=3 M=Password Expired(7) Found new challenge from MS-CHAP-Error: err=648 retry=0 challenge=d713bb20e9d8bd4fc9a1715afa66110e(7) ERROR: MSCHAP Failure(7) eap: EAP session adding &reply:State = 0x51a562e350af7819(7) [eap] = handled(7) } # authenticate = handled(7) } # server inner-tunnel(7) Virtual server sending reply(7) EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564(7) Message-Authenticator = 0x00000000000000000000000000000000(7) State = 0x51a562e350af78191732838bb1154cd3(7) eap_peap: Got tunneled reply code 11(7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(7) eap_peap: State = 0x51a562e350af78191732838bb1154cd3(7) eap_peap: Got tunneled reply RADIUS code 11(7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(7) eap_peap: State = 0x51a562e350af78191732838bb1154cd3(7) eap_peap: Got tunneled Access-Challenge(7) eap: EAP session adding &reply:State = 0x1e1591df191f880e(7) [eap] = handled(7) } # authenticate = handled(7) Using Post-Auth-Type Challenge(7) Post-Auth-Type sub-section not found. Ignoring.(7) # Executing group from file /etc/raddb/sites-enabled/default(7) session-state: Saving cached attributes(7) Tunnel-Type = VLAN(7) Tunnel-Medium-Type = IEEE-802(7) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'(7) Sent Access-Challenge Id 153 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(7) EAP-Message = 0x010a006b19001703010060cd702593105348aaa8c69e0e32f0bd973b1260f86941a98af0cabdeafe78417cbb6bb1ee2db3e90312b1b94031c5d2e93bcf353008dbb28e6bb0804faaa24f57eea2f4d5d5f25b20e1d9fa4975ad0224c1ac4d8369d6bf5b80d75dafbb14bd47(7) Message-Authenticator = 0x00000000000000000000000000000000(7) State = 0x1e1591df191f880e6da8d17effec1644(7) Finished requestWaking up in 4.8 seconds.(0) <done>: Cleaning up request packet ID 146 with timestamp +10(1) <done>: Cleaning up request packet ID 147 with timestamp +10(2) <done>: Cleaning up request packet ID 148 with timestamp +10(3) <done>: Cleaning up request packet ID 149 with timestamp +10(4) <done>: Cleaning up request packet ID 150 with timestamp +10(5) <done>: Cleaning up request packet ID 151 with timestamp +10(6) <done>: Cleaning up request packet ID 152 with timestamp +10(7) <done>: Cleaning up request packet ID 153 with timestamp +10Ready to process requests(8) Received Access-Request Id 154 from 10.70.1.1:32770 to 10.10.10.3:1812 length 860(8) User-Name = 'vdiuser001'(8) Calling-Station-Id = '00-c0-a8-c6-d7-79'(8) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(8) NAS-Port = 13(8) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(8) NAS-IP-Address = 10.70.1.1(8) NAS-Identifier = 'Cisco-WLC-5508'(8) Airespace-Wlan-Id = 9(8) Service-Type = Framed-User(8) Framed-MTU = 1300(8) NAS-Port-Type = Wireless-802.11(8) Tunnel-Type:0 = VLAN(8) Tunnel-Medium-Type:0 = IEEE-802(8) Tunnel-Private-Group-Id:0 = '212'(8) EAP-Message = 0x020a026b190017030102606d169c2fc8c7c02aff0aac1560032a55d594b95aac167509361487589d3cf9fd05e9659eb6c3460f00fde2f2f9eedc29c667fb993d6dd89f0d8611a4f8a8c5e10d264ebbdf6a762d112ed85d966e32389d8247d7a9054b5cdfbfc3ddad2020dbe2c4ad50c2d660b760fc702f(8) State = 0x1e1591df191f880e6da8d17effec1644(8) Message-Authenticator = 0xb7579687e39291cd7a3befbfdbb6b1d2(8) session-state: Found cached attributes(8) Tunnel-Type = VLAN(8) Tunnel-Medium-Type = IEEE-802(8) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'(8) # Executing section authorize from file /etc/raddb/sites-enabled/default(8) authorize {(8) policy filter_username {(8) if (!&User-Name) {(8) if (!&User-Name) -> FALSE(8) if (&User-Name =~ / /) {(8) if (&User-Name =~ / /) -> FALSE(8) if (&User-Name =~ /@.*@/ ) {(8) if (&User-Name =~ /@.*@/ ) -> FALSE(8) if (&User-Name =~ /\.\./ ) {(8) if (&User-Name =~ /\.\./ ) -> FALSE(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(8) if (&User-Name =~ /\.$/) {(8) if (&User-Name =~ /\.$/) -> FALSE(8) if (&User-Name =~ /(a)\./) {(8) if (&User-Name =~ /(a)\./) -> FALSE(8) } # policy filter_username = notfound(8) [preprocess] = ok(8) [chap] = noop(8) [mschap] = noop(8) [digest] = noop(8) suffix: Checking for suffix after "@"(8) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(8) suffix: No such realm "NULL"(8) [suffix] = noop(8) eap: Peer sent code Response (2) ID 10 length 619(8) eap: Continuing tunnel setup(8) [eap] = ok(8) } # authorize = ok(8) Found Auth-Type = EAP(8) # Executing group from file /etc/raddb/sites-enabled/default(8) authenticate {(8) eap: Expiring EAP session with state 0x51a562e350af7819(8) eap: Finished EAP session with state 0x1e1591df191f880e(8) eap: Previous EAP request found for state 0x1e1591df191f880e, released from the list(8) eap: Peer sent method PEAP (25)(8) eap: EAP PEAP (25)(8) eap: Calling eap_peap to process EAP data(8) eap_peap: processing EAP-TLS(8) eap_peap: eaptls_verify returned 7(8) eap_peap: Done initial handshake(8) eap_peap: eaptls_process returned 7(8) eap_peap: FR_TLS_OK(8) eap_peap: Session established. Decoding tunneled attributes(8) eap_peap: PEAP state phase2(8) eap_peap: EAP type MSCHAPv2 (26)(8) eap_peap: Got tunneled request(8) eap_peap: EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4(8) eap_peap: EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239(8) eap_peap: Setting User-Name to vdiuser001(8) eap_peap: Sending tunneled request to inner-tunnel(8) eap_peap: EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4(8) eap_peap: EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(8) eap_peap: User-Name = 'vdiuser001'(8) eap_peap: State = 0x51a562e350af78191732838bb1154cd3(8) Virtual server inner-tunnel received request(8) EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4(8) EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239(8) FreeRADIUS-Proxied-To = 127.0.0.1(8) User-Name = 'vdiuser001'(8) State = 0x51a562e350af78191732838bb1154cd3(8) server inner-tunnel {(8) session-state: No cached attributes(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel(8) authorize {(8) [chap] = noop(8) [mschap] = noop(8) suffix: Checking for suffix after "@"(8) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(8) suffix: No such realm "NULL"(8) [suffix] = noop(8) update control {(8) &Proxy-To-Realm := LOCAL(8) } # update control = noop(8) eap: Peer sent code Response (2) ID 10 length 253(8) eap: No EAP Start, assuming it's an on-going EAP conversation(8) [eap] = updated(8) [files] = noop(8) sql: EXPAND %{User-Name}(8) sql: --> vdiuser001(8) sql: SQL-User-Name set to 'vdiuser001'rlm_sql (sql): Reserved connection (4)(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority(8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority(8) sql: User not found in any groupsrlm_sql (sql): Released connection (4)(8) [sql] = notfoundrlm_ldap (ldap): Reserved connection (4)(8) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(8) ldap: --> (sAMAccountName=vdiuser001)(8) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"(8) ldap: Waiting for search result...(8) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"(8) ldap: Processing user attributes(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read thepassword attribute(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)rlm_ldap (ldap): Released connection (4)(8) [ldap] = ok(8) if (control:Ldap-UserDn =~ /OU=EDU/) {(8) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE(8) elsif (control:Ldap-UserDn =~ /OU=PRS/) {(8) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE(8) elsif (control:Ldap-UserDn =~ /OU=PRS/) {(8) update control {(8) Simultaneous-Use := 3(8) } # update control = noop(8) update outer.session-state {(8) Tunnel-type = VLAN(8) Tunnel-medium-type = IEEE-802(8) Tunnel-Private-Group-Id = PRS-WIFI-Client(8) } # update outer.session-state = noop(8) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop(8) ... skipping elsif for request 8: Preceding "if" was taken(8) ... skipping else for request 8: Preceding "if" was taken(8) [expiration] = noop(8) [logintime] = noop(8) [pap] = noop(8) } # authorize = updated(8) Found Auth-Type = EAP(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(8) authenticate {(8) eap: Expiring EAP session with state 0x51a562e350af7819(8) eap: Finished EAP session with state 0x51a562e350af7819(8) eap: Previous EAP request found for state 0x51a562e350af7819, released from the list(8) eap: Peer sent method MSCHAPv2 (26)(8) eap: EAP MSCHAPv2 (26)(8) eap: Calling eap_mschapv2 to process EAP data(8) eap_mschapv2: Password change packet received(8) eap_mschapv2: Built change password packet(8) eap_mschapv2: EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4(8) eap_mschapv2: EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239(8) eap_mschapv2: FreeRADIUS-Proxied-To = 127.0.0.1(8) eap_mschapv2: User-Name = 'vdiuser001'(8) eap_mschapv2: State = 0x51a562e350af78191732838bb1154cd3(8) eap_mschapv2: EAP-Type = MSCHAPv2(8) eap_mschapv2: MS-CHAP-Challenge = 0xd713bb20e9d8bd4fc9a1715afa66110e(8) eap_mschapv2: MS-CHAP2-CPW = 0x070a5b9d8e0e4988d32d379033db88d2c9e51799dfdaef22c8439644435c36caa0db00000000000000004e2c4c5c9d3931cb3e9642030b60810041b3efe75b7751f30000(8) eap_mschapv2: MS-CHAP-NT-Enc-PW += 0x060a00014f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4a7f0(8) eap_mschapv2: MS-CHAP-NT-Enc-PW += 0x060a00021c1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c(8) eap_mschapv2: MS-CHAP-NT-Enc-PW += 0x060a00033045950315e9330c49bb6f570898a9590b21fcd14263167211617a51a091(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(8) eap_mschapv2: Auth-Type MS-CHAP {(8) mschap: MS-CHAPv2 password change request received(8) mschap: ERROR: No valid NT-Password attribute found, can't change password(8) [mschap] = invalid(8) } # Auth-Type MS-CHAP = invalid(8) ERROR: No MS-CHAP2-Success or MS-CHAP-Error was found(8) eap: ERROR: Failed continuing EAP MSCHAPv2 (26) session. EAP sub-module failed(8) eap: Failed in EAP select(8) [eap] = invalid(8) } # authenticate = invalid(8) Failed to authenticate the user(8) Using Post-Auth-Type Reject(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(8) Post-Auth-Type REJECT {(8) sql: EXPAND .query(8) sql: --> .query(8) sql: Using query template 'query'rlm_sql (sql): Reserved connection (4)(8) sql: EXPAND %{User-Name}(8) sql: --> vdiuser001(8) sql: SQL-User-Name set to 'vdiuser001'(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')(8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')(8) sql: SQL query returned: success(8) sql: 1 record(s) updatedrlm_sql (sql): Released connection (4)(8) [sql] = ok(8) attr_filter.access_reject: EXPAND %{User-Name}(8) attr_filter.access_reject: --> vdiuser001(8) attr_filter.access_reject: Matched entry DEFAULT at line 18(8) [attr_filter.access_reject] = updated(8) update outer.session-state {(8) &Module-Failure-Message := &Module-Failure-Message -> mschap: No valid NT-Password attribute found, can't change password(8) } # update outer.session-state = noop(8) } # Post-Auth-Type REJECT = updated(8) } # server inner-tunnel(8) Virtual server sending reply(8) EAP-Message = 0x040a0004(8) Message-Authenticator = 0x00000000000000000000000000000000(8) eap_peap: Got tunneled reply code 3(8) eap_peap: EAP-Message = 0x040a0004(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(8) eap_peap: Got tunneled reply RADIUS code 3(8) eap_peap: EAP-Message = 0x040a0004(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(8) eap_peap: Tunneled authentication was rejected(8) eap_peap: FAILURE(8) eap: EAP session adding &reply:State = 0x1e1591df161e880e(8) [eap] = handled(8) } # authenticate = handled(8) Using Post-Auth-Type Challenge(8) Post-Auth-Type sub-section not found. Ignoring.(8) # Executing group from file /etc/raddb/sites-enabled/default(8) session-state: Saving cached attributes(8) Tunnel-Type = VLAN(8) Tunnel-Medium-Type = IEEE-802(8) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'(8) Module-Failure-Message := 'mschap: No valid NT-Password attribute found, can\'t change password'(8) Sent Access-Challenge Id 154 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(8) EAP-Message = 0x010b002b1900170301002086b7bbc516c5fe1abafad64e28b2b37a80cd2cbd98c57e21e3a301c17bf26117(8) Message-Authenticator = 0x00000000000000000000000000000000(8) State = 0x1e1591df161e880e6da8d17effec1644(8) Finished requestWaking up in 4.9 seconds.(9) Received Access-Request Id 155 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280(9) User-Name = 'vdiuser001'(9) Calling-Station-Id = '00-c0-a8-c6-d7-79'(9) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(9) NAS-Port = 13(9) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(9) NAS-IP-Address = 10.70.1.1(9) NAS-Identifier = 'Cisco-WLC-5508'(9) Airespace-Wlan-Id = 9(9) Service-Type = Framed-User(9) Framed-MTU = 1300(9) NAS-Port-Type = Wireless-802.11(9) Tunnel-Type:0 = VLAN(9) Tunnel-Medium-Type:0 = IEEE-802(9) Tunnel-Private-Group-Id:0 = '212'(9) EAP-Message = 0x020b002b19001703010020889a71d588eee79bc7bef5909fe945a2b6259669d2d02820ae8e09b9cca83ee4(9) State = 0x1e1591df161e880e6da8d17effec1644(9) Message-Authenticator = 0xe78aa54c51f9d4ebca980275b9fa8b8b(9) session-state: Found cached attributes(9) Tunnel-Type = VLAN(9) Tunnel-Medium-Type = IEEE-802(9) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'(9) Module-Failure-Message := 'mschap: No valid NT-Password attribute found, can\'t change password'(9) # Executing section authorize from file /etc/raddb/sites-enabled/default(9) authorize {(9) policy filter_username {(9) if (!&User-Name) {(9) if (!&User-Name) -> FALSE(9) if (&User-Name =~ / /) {(9) if (&User-Name =~ / /) -> FALSE(9) if (&User-Name =~ /@.*@/ ) {(9) if (&User-Name =~ /@.*@/ ) -> FALSE(9) if (&User-Name =~ /\.\./ ) {(9) if (&User-Name =~ /\.\./ ) -> FALSE(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(9) if (&User-Name =~ /\.$/) {(9) if (&User-Name =~ /\.$/) -> FALSE(9) if (&User-Name =~ /(a)\./) {(9) if (&User-Name =~ /(a)\./) -> FALSE(9) } # policy filter_username = notfound(9) [preprocess] = ok(9) [chap] = noop(9) [mschap] = noop(9) [digest] = noop(9) suffix: Checking for suffix after "@"(9) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(9) suffix: No such realm "NULL"(9) [suffix] = noop(9) eap: Peer sent code Response (2) ID 11 length 43(9) eap: Continuing tunnel setup(9) [eap] = ok(9) } # authorize = ok(9) Found Auth-Type = EAP(9) # Executing group from file /etc/raddb/sites-enabled/default(9) authenticate {(9) eap: Expiring EAP session with state 0x1e1591df161e880e(9) eap: Finished EAP session with state 0x1e1591df161e880e(9) eap: Previous EAP request found for state 0x1e1591df161e880e, released from the list(9) eap: Peer sent method PEAP (25)(9) eap: EAP PEAP (25)(9) eap: Calling eap_peap to process EAP data(9) eap_peap: processing EAP-TLS(9) eap_peap: eaptls_verify returned 7(9) eap_peap: Done initial handshake(9) eap_peap: eaptls_process returned 7(9) eap_peap: FR_TLS_OK(9) eap_peap: Session established. Decoding tunneled attributes(9) eap_peap: PEAP state send tlv failure(9) eap_peap: Received EAP-TLV response(9) eap_peap: The users session was previously rejected: returning reject (again.)(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output(9) eap_peap: to find out the reason why the user was rejected(9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you(9) eap_peap: what went wrong, and how to fix the problem SSL: Removing session 0820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1 from the cache(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed(9) eap: Failed in EAP select(9) [eap] = invalid(9) } # authenticate = invalid(9) Failed to authenticate the user(9) Using Post-Auth-Type Reject(9) # Executing group from file /etc/raddb/sites-enabled/default(9) Post-Auth-Type REJECT {(9) sql: EXPAND .query(9) sql: --> .query(9) sql: Using query template 'query'rlm_sql (sql): Reserved connection (4)(9) sql: EXPAND %{User-Name}(9) sql: --> vdiuser001(9) sql: SQL-User-Name set to 'vdiuser001'(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')(9) sql: SQL query returned: success(9) sql: 1 record(s) updatedrlm_sql (sql): Released connection (4)(9) [sql] = ok(9) attr_filter.access_reject: EXPAND %{User-Name}(9) attr_filter.access_reject: --> vdiuser001(9) attr_filter.access_reject: Matched entry DEFAULT at line 18(9) [attr_filter.access_reject] = updated(9) [eap] = noop(9) policy remove_reply_message_if_eap {(9) if (&reply:EAP-Message && &reply:Reply-Message) {(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE(9) else {(9) [noop] = noop(9) } # else = noop(9) } # policy remove_reply_message_if_eap = noop(9) } # Post-Auth-Type REJECT = updated(9) Delaying response for 1.000000 secondsWaking up in 0.3 seconds.Waking up in 0.6 seconds.(9) <delay>: Sending delayed response(9) <delay>: Sent Access-Reject Id 155 from 10.10.10.3:1812 to 10.70.1.1:32770 length 44(9) <delay>: EAP-Message = 0x040b0004(9) <delay>: Message-Authenticator = 0x00000000000000000000000000000000Waking up in 3.9 seconds.(8) <done>: Cleaning up request packet ID 154 with timestamp +22(9) <delay>: Cleaning up request packet ID 155 with timestamp +22
2
2
Good Day All,
I'm fairly new to FreeRadius and would like some feedback.
I'm in the process of adding a realm to one of our existing Radius servers.
As a test I have created the following realm in the proxy.conf file:
# auth_pool = Added by Steve, June 1st, 2015 for testing.
realm "@test.somewhere.bc.ca" {
auth_pool = staff_domain
}
When I reload the radiusd daemon and try to log on I get the following message in
the log file:
Tue Jun 2 13:19:36 2015 : Auth: Login incorrect (Home Server says so): [username(a)test.somewhere.bc.ca] (from client Wireless-Lans-WLC4404-1 port 13 cli 38-aa-3c-cb-9e-88)
Like I said above, I'm fairly new to this so I may not have configured everything required to make it
work properly.
We are currently running FreeRADIUS Version 2.1.10 on LINUX.
Thanks,
Steve Campbell
4
4
I found an error in the file raddb/mods-config/sql/main/mysql/queries.conf (fr 3.0.7)
There is missing value for connectinfo_stop field in the SQL INSERT statement (after '%{Connect-Info}' in the line 380).
This cause an error:
rlm_sql_mysql: MySQL error 'Column count doesn't match value count at row 1'
accounting {
(...)
type {
(...)
stop {
(...)
#
# The update condition matched no existing sessions. Use
# the values provided in the update to create a new session.
#
query = "\
INSERT INTO ${....acct_table2} \
(${...column_list}) \
VALUES \
('%{Acct-Session-Id}', \
'%{Acct-Unique-Session-Id}', \
'%{SQL-User-Name}', \
'%{Realm}', \
'%{NAS-IP-Address}', \
'%{NAS-Port}', \
'%{NAS-Port-Type}', \
FROM_UNIXTIME(%{integer:Event-Timestamp} - \
%{%{Acct-Session-Time}:-0}), \
FROM_UNIXTIME(%{integer:Event-Timestamp}), \
FROM_UNIXTIME(%{integer:Event-Timestamp}), \
'%{Acct-Session-Time}', \
'%{Acct-Authentic}', '', \
'%{Connect-Info}', \ <-missing value after this
'%{%{Acct-Input-Gigawords}:-0}' << 32 | \
'%{%{Acct-Input-Octets}:-0}', \
'%{%{Acct-Output-Gigawords}:-0}' << 32 | \
'%{%{Acct-Output-Octets}:-0}', \
'%{Called-Station-Id}', \
'%{Calling-Station-Id}', \
'%{Acct-Terminate-Cause}', \
'%{Service-Type}', \
'%{Framed-Protocol}', \
'%{Framed-IP-Address}')"
}
}
}
Just add next line with
'', \
after '%{Connect-Info}', \
The similar error is duplicated in queries.conf template for the other database types (mssql, oracle, sqlite) except postgresql.
Cheers,
Pawel Bien
3
3
Hi,
we would like to use the Git config management as outlined here:
<http://wiki.freeradius.org/guide/Git-config-management>
For our new Freeradius environment we will have a separate development
server, one staging server and four production servers, but right now it's
not in production yet. It took me a while, but I got things working in
general. However, I'm pretty sure I found a bug in the post-receive hook:
<https://github.com/alandekok/freeradius-server/blob/master/scripts/git/post…>
At least on a RHEL 6 system with Bash as /bin/sh, the syntax in line 109
causes an error:
"if ! conf_check then"
I has to be either
"if ! conf_check; then"
or
"if ! conf_check
then"
But now I have found an issue that's potentially harder to work around.
When I create an intentional syntax error, the post-receive hook works
great:
# git push radius4
Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 687 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
remote: HEAD is now at 90caabb Syntaxfehler
remote: Checking new configuration... Copyright (C) 1999-2015 The
FreeRADIUS server project and contributors
remote: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
remote: PARTICULAR PURPOSE
remote: You may redistribute copies of FreeRADIUS under the terms of the
remote: GNU General Public License
remote: For more information about these matters, see the file named
COPYRIGHT
remote: Starting - reading configuration files ...
remote: /etc/raddb/sites-enabled/rrzk-webprojekte[107]: Syntax error:
Expected comma after '1818': {
remote: Errors reading or parsing /etc/raddb/radiusd.conf
remote: failed
remote: WARNING: FreeRADIUS found errors in the configuration,
remote: please fix the errors and push the corrected configuration.
remote: Attempting to roll config back to tag: "stable"... HEAD is now at
29e1232 Absichtlicher Fehler
remote: ok
To ssh://radiusd@radius4/etc/raddb
29e1232..90caabb master -> master
When I create an error that's only detected at runtime, however, it does
not seem to work. I changed the configuration so that two virtual servers
were listening on the same port. The "radmin -e hup" command did not throw
an error. Consequently the commit was tagged as "stable". When I tried to
manually restart Freeradius on the remote server, it didn't start anymore
(as expected). At that point I wasn't even able to push a fix, because
radmin doesn't work when the server isn't running, and so the post-receive
hook reverted back to the "stable" version! I had to fix the error manually
on the remote server to get things working again.
I'm not sure what can be done about that, if anything, but at the very
least I would like to have a better understanding of what class of error
gets past a "radmin -e hup". Normally we would always test configuration
changes locally on the staging server, so that errors like the one above
shouldn't ever get pushed to a production system. But as you know,
eventually everything that can go wrong will go wrong ...
Thanks
Sebastian
--
.:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
.:.Regionales Rechenzentrum (RRZK).:.
.:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.
3
16