Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2015
- 102 participants
- 146 discussions
Now its time to configure to log into SQL :) Until now we uses cisco
wireless controller and only allow two connection for all users.
I wanted to implement Simultaneous-user based in student and staff. and
want to use sql for it.
My users are authenticate against AD (samb +ntml_auth).
So here is what I did :
1. Created database radius.
2. Populated admin.sql into the mysql
3. Populated schema.sql into the radius database
4. Enabled sql.conf in /etc/raddb/radius.conf
5. Disabled radutmp and enabled sql in accounting section in
/etc/raddb/site-enabled/default
6. So, added DEFAULT Simultaneous-Use := 2 in /etc/raddb/users file for
testing
7. restarted radius - try logging few users
But I do not see any tables in radius database been updated.
I just wanted to use session for the simultaneous user for restrict user.
if this works then I can write regex to query LDAP if x is staff or student.
Point me if i am doing wrong or some docs where I can see more reading
reading reading.
K
2
10
Hello everyone,
I need to restrict simultaneous logins but the freeradius server which
receives the authentication does not implement this restriction. This
server receives the authentication different departments and this
restriction should only be applied in my department.
It is possible to create a proxy that forwards authentication for global
freeradius server and controls the simultaneous logins? How to return the
parameter Simultaneous-Use via proxy?
Any help will appriciate.
Best Regards,
Renato L. Sousa
2
22
Hi,
I am using v3.0.8 for EAP-PEAP-MSCHAPv2 authentication.
Login with correct username/password is fine. But for login with incorrect username or password, the failure message "mschap: ERROR: MS-CHAP2-Response is incorrect" does not appear in the final radius.log. I only get this:
Login incorrect: [mytest]
while I was expecting this:
Login incorrect (mschap: MS-CHAP2-Response is incorrect): [mytest]
Module-Failure-Message is empty too when I try to do linelog in Post-Auth-Reject. What have I missed in the configration?
Debug log follows. I can upload inner-tunnel config. if required.
Thanks in advance.
Fu
(0) Received Access-Request Id 36 from 10.210.123.29:3629 to 10.210.235.64:1812 length 208
(0) User-Name = 'mytest'
(0) Framed-MTU = 1450
(0) EAP-Message = 0x0201000b016d7974657374
(0) Message-Authenticator = 0x5ef5fbebae79922073ab55353f8aaa59
(0) Chargeable-User-Identity = 0x00
(0) NAS-IP-Address = 10.210.123.29
(0) NAS-Identifier = 'ITS-TEST'
(0) NAS-Port = 33779942
(0) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=2250'
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) Calling-Station-Id = '10-1C-0C-79-26-49'
(0) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(0) Acct-Session-Id = '11505301634460'
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ ) {
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/) {
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\\./) {
(0) if (&User-Name =~ /(a)\\./) -> FALSE
(0) } # policy filter_username = notfound
(0) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(0) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(0) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(0) auth_log: EXPAND %t
(0) auth_log: --> Tue Jun 30 16:38:41 2015
(0) [auth_log] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(0) suffix: Found realm "NULL"
(0) suffix: Adding Stripped-User-Name = "mytest"
(0) suffix: Adding Realm = "NULL"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(0) EXPAND %{Aruba-Essid-Name}
(0) -->
(0) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(0) eap: Peer sent code Response (2) ID 1 length 11
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent method Identity (1)
(0) eap: Calling eap_peap to process EAP data
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: Initiate
(0) eap_peap: Start returned 1
(0) eap: EAP session adding &reply:State = 0xb8002a16b8023321
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 36 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(0) EAP-Message = 0x010200061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xb8002a16b802332133d295a612409a37
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 37 from 10.210.123.29:3629 to 10.210.235.64:1812 length 367
(1) User-Name = 'mytest'
(1) Framed-MTU = 1450
(1) EAP-Message = 0x0202009819800000008e1603010089010000850301559255b2a9f020b42bfb6e9e57951f914de87bceaf3b356c31516db4eadf4c6200004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac0
(1) Message-Authenticator = 0x42a035744890fef59847539df9854c9f
(1) Chargeable-User-Identity = 0x00
(1) NAS-IP-Address = 10.210.123.29
(1) NAS-Identifier = 'ITS-TEST'
(1) NAS-Port = 33779942
(1) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=2250'
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) Calling-Station-Id = '10-1C-0C-79-26-49'
(1) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(1) Acct-Session-Id = '11505301634460'
(1) State = 0xb8002a16b802332133d295a612409a37
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ ) {
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/) {
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\\./) {
(1) if (&User-Name =~ /(a)\\./) -> FALSE
(1) } # policy filter_username = notfound
(1) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(1) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(1) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(1) auth_log: EXPAND %t
(1) auth_log: --> Tue Jun 30 16:38:41 2015
(1) [auth_log] = ok
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(1) suffix: Found realm "NULL"
(1) suffix: Adding Stripped-User-Name = "mytest"
(1) suffix: Adding Realm = "NULL"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(1) EXPAND %{Aruba-Essid-Name}
(1) -->
(1) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(1) eap: Peer sent code Response (2) ID 2 length 152
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xb8002a16b8023321
(1) eap: Finished EAP session with state 0xb8002a16b8023321
(1) eap: Previous EAP request found for state 0xb8002a16b8023321, released from the list
(1) eap: Peer sent method PEAP (25)
(1) eap: EAP PEAP (25)
(1) eap: Calling eap_peap to process EAP data
(1) eap_peap: processing EAP-TLS
(1) eap_peap: TLS Length 142
(1) eap_peap: Length Included
(1) eap_peap: eaptls_verify returned 11
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< TLS 1.0 Handshake [length 0089], ClientHello
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> TLS 1.0 Handshake [length 0cb2], Certificate
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap: eaptls_process returned 13
(1) eap_peap: FR_TLS_HANDLED
(1) eap: EAP session adding &reply:State = 0xb8002a16b9033321
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 37 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(1) EAP-Message = 0x010303ec19c000000e6e160301005902000055030155925591c68e2c1bcc1799abb16c902a30a09565eff0e27d68ab22a7e10b0fde20ebdaba7f9ed922848678bdc00894241de12ab724eb6c292dc8076e90cbe463e7c01400000dff01000100000b0004030001021603010cb20b000cae000cab00054c
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xb8002a16b903332133d295a612409a37
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 38 from 10.210.123.29:3629 to 10.210.235.64:1812 length 221
(2) User-Name = 'mytest'
(2) Framed-MTU = 1450
(2) EAP-Message = 0x020300061900
(2) Message-Authenticator = 0x8ae28f5ddd086665c5f0f0cf4328e5b3
(2) Chargeable-User-Identity = 0x00
(2) NAS-IP-Address = 10.210.123.29
(2) NAS-Identifier = 'ITS-TEST'
(2) NAS-Port = 33779942
(2) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=230'
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Framed-Protocol = PPP
(2) Calling-Station-Id = '10-1C-0C-79-26-49'
(2) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(2) Acct-Session-Id = '11505301634460'
(2) State = 0xb8002a16b903332133d295a612409a37
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ ) {
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/) {
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\\./) {
(2) if (&User-Name =~ /(a)\\./) -> FALSE
(2) } # policy filter_username = notfound
(2) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(2) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(2) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(2) auth_log: EXPAND %t
(2) auth_log: --> Tue Jun 30 16:38:41 2015
(2) [auth_log] = ok
(2) [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(2) suffix: Found realm "NULL"
(2) suffix: Adding Stripped-User-Name = "mytest"
(2) suffix: Adding Realm = "NULL"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(2) EXPAND %{Aruba-Essid-Name}
(2) -->
(2) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(2) eap: Peer sent code Response (2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xb8002a16b9033321
(2) eap: Finished EAP session with state 0xb8002a16b9033321
(2) eap: Previous EAP request found for state 0xb8002a16b9033321, released from the list
(2) eap: Peer sent method PEAP (25)
(2) eap: EAP PEAP (25)
(2) eap: Calling eap_peap to process EAP data
(2) eap_peap: processing EAP-TLS
(2) eap_peap: Received TLS ACK
(2) eap_peap: Received TLS ACK
(2) eap_peap: ACK handshake fragment handler
(2) eap_peap: eaptls_verify returned 1
(2) eap_peap: eaptls_process returned 13
(2) eap_peap: FR_TLS_HANDLED
(2) eap: EAP session adding &reply:State = 0xb8002a16ba043321
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 38 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(2) EAP-Message = 0x010403e8194006082b0601050507010104693067302c06082b060105050730018620687474703a2f2f677473736c64762d6f6373702e67656f74727573742e636f6d303706082b06010505073002862b687474703a2f2f677473736c64762d6169612e67656f74727573742e636f6d2f677473736c6476
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xb8002a16ba04332133d295a612409a37
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 39 from 10.210.123.29:3629 to 10.210.235.64:1812 length 221
(3) User-Name = 'mytest'
(3) Framed-MTU = 1450
(3) EAP-Message = 0x020400061900
(3) Message-Authenticator = 0x08de5c8d37eff88ee339c2447c43e240
(3) Chargeable-User-Identity = 0x00
(3) NAS-IP-Address = 10.210.123.29
(3) NAS-Identifier = 'ITS-TEST'
(3) NAS-Port = 33779942
(3) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=2250'
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Framed-Protocol = PPP
(3) Calling-Station-Id = '10-1C-0C-79-26-49'
(3) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(3) Acct-Session-Id = '11505301634460'
(3) State = 0xb8002a16ba04332133d295a612409a37
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ ) {
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\\.$/) {
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\\./) {
(3) if (&User-Name =~ /(a)\\./) -> FALSE
(3) } # policy filter_username = notfound
(3) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(3) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(3) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(3) auth_log: EXPAND %t
(3) auth_log: --> Tue Jun 30 16:38:41 2015
(3) [auth_log] = ok
(3) [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(3) suffix: Found realm "NULL"
(3) suffix: Adding Stripped-User-Name = "mytest"
(3) suffix: Adding Realm = "NULL"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(3) EXPAND %{Aruba-Essid-Name}
(3) -->
(3) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(3) eap: Peer sent code Response (2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xb8002a16ba043321
(3) eap: Finished EAP session with state 0xb8002a16ba043321
(3) eap: Previous EAP request found for state 0xb8002a16ba043321, released from the list
(3) eap: Peer sent method PEAP (25)
(3) eap: EAP PEAP (25)
(3) eap: Calling eap_peap to process EAP data
(3) eap_peap: processing EAP-TLS
(3) eap_peap: Received TLS ACK
(3) eap_peap: Received TLS ACK
(3) eap_peap: ACK handshake fragment handler
(3) eap_peap: eaptls_verify returned 1
(3) eap_peap: eaptls_process returned 13
(3) eap_peap: FR_TLS_HANDLED
(3) eap: EAP session adding &reply:State = 0xb8002a16bb053321
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 39 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(3) EAP-Message = 0x010503e81940150203010001a381d93081d6300e0603551d0f0101ff040403020106301d0603551d0e041604148cf4d9930a47bc00a04ace4b756ea0b6b0b27efc301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e30120603551d130101ff040830060101ff02010030
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xb8002a16bb05332133d295a612409a37
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 40 from 10.210.123.29:3629 to 10.210.235.64:1812 length 221
(4) User-Name = 'mytest'
(4) Framed-MTU = 1450
(4) EAP-Message = 0x020500061900
(4) Message-Authenticator = 0xda837ef88f7b38871aaead005e3a54b0
(4) Chargeable-User-Identity = 0x00
(4) NAS-IP-Address = 10.210.123.29
(4) NAS-Identifier = 'ITS-TEST'
(4) NAS-Port = 33779942
(4) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=230'
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Framed-Protocol = PPP
(4) Calling-Station-Id = '10-1C-0C-79-26-49'
(4) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(4) Acct-Session-Id = '11505301634460'
(4) State = 0xb8002a16bb05332133d295a612409a37
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ ) {
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\\.$/) {
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\\./) {
(4) if (&User-Name =~ /(a)\\./) -> FALSE
(4) } # policy filter_username = notfound
(4) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(4) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(4) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(4) auth_log: EXPAND %t
(4) auth_log: --> Tue Jun 30 16:38:41 2015
(4) [auth_log] = ok
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(4) suffix: Found realm "NULL"
(4) suffix: Adding Stripped-User-Name = "mytest"
(4) suffix: Adding Realm = "NULL"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(4) EXPAND %{Aruba-Essid-Name}
(4) -->
(4) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(4) eap: Peer sent code Response (2) ID 5 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xb8002a16bb053321
(4) eap: Finished EAP session with state 0xb8002a16bb053321
(4) eap: Previous EAP request found for state 0xb8002a16bb053321, released from the list
(4) eap: Peer sent method PEAP (25)
(4) eap: EAP PEAP (25)
(4) eap: Calling eap_peap to process EAP data
(4) eap_peap: processing EAP-TLS
(4) eap_peap: Received TLS ACK
(4) eap_peap: Received TLS ACK
(4) eap_peap: ACK handshake fragment handler
(4) eap_peap: eaptls_verify returned 1
(4) eap_peap: eaptls_process returned 13
(4) eap_peap: FR_TLS_HANDLED
(4) eap: EAP session adding &reply:State = 0xb8002a16bc063321
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 40 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(4) EAP-Message = 0x010602ce1900f90203010001a3533051300f0603551d130101ff040530030101ff301d0603551d0e04160414c07a98688d89fbab05640c117daa7d65b8cacc4e301f0603551d23041830168014c07a98688d89fbab05640c117daa7d65b8cacc4e300d06092a864886f70d0101050500038201010035e3
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xb8002a16bc06332133d295a612409a37
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 41 from 10.210.123.29:3629 to 10.210.235.64:1812 length 359
(5) User-Name = 'mytest'
(5) Framed-MTU = 1450
(5) EAP-Message = 0x020600901980000000861603010046100000424104daab08aafa18f5c2c9eb22fc1604897509e5a299ef0ebe092b4a69330d014b443560a4ceea8642f5be01212032dc50db73a8f82362675d08f5ea12ac7ac7b60b14030100010116030100307ffbf690c0dac1e79a7f7d24c5477d4a12aa6d0e99221a
(5) Message-Authenticator = 0x1d2150a6f034a5dc3b195884d34e474d
(5) Chargeable-User-Identity = 0x00
(5) NAS-IP-Address = 10.210.123.29
(5) NAS-Identifier = 'ITS-TEST'
(5) NAS-Port = 33779942
(5) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=230'
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Framed-Protocol = PPP
(5) Calling-Station-Id = '10-1C-0C-79-26-49'
(5) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(5) Acct-Session-Id = '11505301634460'
(5) State = 0xb8002a16bc06332133d295a612409a37
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ ) {
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\\.$/) {
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\\./) {
(5) if (&User-Name =~ /(a)\\./) -> FALSE
(5) } # policy filter_username = notfound
(5) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(5) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(5) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(5) auth_log: EXPAND %t
(5) auth_log: --> Tue Jun 30 16:38:41 2015
(5) [auth_log] = ok
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(5) suffix: Found realm "NULL"
(5) suffix: Adding Stripped-User-Name = "mytest"
(5) suffix: Adding Realm = "NULL"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(5) EXPAND %{Aruba-Essid-Name}
(5) -->
(5) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(5) eap: Peer sent code Response (2) ID 6 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xb8002a16bc063321
(5) eap: Finished EAP session with state 0xb8002a16bc063321
(5) eap: Previous EAP request found for state 0xb8002a16bc063321, released from the list
(5) eap: Peer sent method PEAP (25)
(5) eap: EAP PEAP (25)
(5) eap: Calling eap_peap to process EAP data
(5) eap_peap: processing EAP-TLS
(5) eap_peap: TLS Length 134
(5) eap_peap: Length Included
(5) eap_peap: eaptls_verify returned 11
(5) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
TLS: adding session ebdaba7f9ed922848678bdc00894241de12ab724eb6c292dc8076e90cbe463e7 to cache
(5) eap_peap: (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap: eaptls_process returned 13
(5) eap_peap: FR_TLS_HANDLED
(5) eap: EAP session adding &reply:State = 0xb8002a16bd073321
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 41 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(5) EAP-Message = 0x0107004119001403010001011603010030cf354b5e12d99508901f44db8ea05526d42a5f671f1ceb081722b1fec033c99b05ebe23bde2c546223aebc064a1e4eea
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xb8002a16bd07332133d295a612409a37
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 42 from 10.210.123.29:3629 to 10.210.235.64:1812 length 221
(6) User-Name = 'mytest'
(6) Framed-MTU = 1450
(6) EAP-Message = 0x020700061900
(6) Message-Authenticator = 0x03b7e4a2a231036e9283d475a4caa3ec
(6) Chargeable-User-Identity = 0x00
(6) NAS-IP-Address = 10.210.123.29
(6) NAS-Identifier = 'ITS-TEST'
(6) NAS-Port = 33779942
(6) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=230'
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Framed-Protocol = PPP
(6) Calling-Station-Id = '10-1C-0C-79-26-49'
(6) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(6) Acct-Session-Id = '11505301634460'
(6) State = 0xb8002a16bd07332133d295a612409a37
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ ) {
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ ) {
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\\.$/) {
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\\./) {
(6) if (&User-Name =~ /(a)\\./) -> FALSE
(6) } # policy filter_username = notfound
(6) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(6) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(6) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(6) auth_log: EXPAND %t
(6) auth_log: --> Tue Jun 30 16:38:41 2015
(6) [auth_log] = ok
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(6) suffix: Found realm "NULL"
(6) suffix: Adding Stripped-User-Name = "mytest"
(6) suffix: Adding Realm = "NULL"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(6) EXPAND %{Aruba-Essid-Name}
(6) -->
(6) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(6) eap: Peer sent code Response (2) ID 7 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xb8002a16bd073321
(6) eap: Finished EAP session with state 0xb8002a16bd073321
(6) eap: Previous EAP request found for state 0xb8002a16bd073321, released from the list
(6) eap: Peer sent method PEAP (25)
(6) eap: EAP PEAP (25)
(6) eap: Calling eap_peap to process EAP data
(6) eap_peap: processing EAP-TLS
(6) eap_peap: Received TLS ACK
(6) eap_peap: Received TLS ACK
(6) eap_peap: ACK handshake is finished
(6) eap_peap: eaptls_verify returned 3
(6) eap_peap: eaptls_process returned 3
(6) eap_peap: FR_TLS_SUCCESS
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: EAP session adding &reply:State = 0xb8002a16be083321
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 42 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(6) EAP-Message = 0x0108002b19001703010020d965153eadcdfd834b3415bebe178548d5f749ba6d9a4c4b316b4d771f57223b
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xb8002a16be08332133d295a612409a37
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 43 from 10.210.123.29:3629 to 10.210.235.64:1812 length 258
(7) User-Name = 'mytest'
(7) Framed-MTU = 1450
(7) EAP-Message = 0x0208002b190017030100205ee29c7181f7daeab27186b96e313d25f613fbf75c9187c43dadb0eef059ef4c
(7) Message-Authenticator = 0xcce60a3b273c10f259bd83bb13cb4939
(7) Chargeable-User-Identity = 0x00
(7) NAS-IP-Address = 10.210.123.29
(7) NAS-Identifier = 'ITS-TEST'
(7) NAS-Port = 33779942
(7) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=230'
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Framed-Protocol = PPP
(7) Calling-Station-Id = '10-1C-0C-79-26-49'
(7) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(7) Acct-Session-Id = '11505301634460'
(7) State = 0xb8002a16be08332133d295a612409a37
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ ) {
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/) {
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./) {
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # policy filter_username = notfound
(7) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(7) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(7) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(7) auth_log: EXPAND %t
(7) auth_log: --> Tue Jun 30 16:38:41 2015
(7) [auth_log] = ok
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "mytest"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(7) EXPAND %{Aruba-Essid-Name}
(7) -->
(7) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(7) eap: Peer sent code Response (2) ID 8 length 43
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xb8002a16be083321
(7) eap: Finished EAP session with state 0xb8002a16be083321
(7) eap: Previous EAP request found for state 0xb8002a16be083321, released from the list
(7) eap: Peer sent method PEAP (25)
(7) eap: EAP PEAP (25)
(7) eap: Calling eap_peap to process EAP data
(7) eap_peap: processing EAP-TLS
(7) eap_peap: eaptls_verify returned 7
(7) eap_peap: Done initial handshake
(7) eap_peap: eaptls_process returned 7
(7) eap_peap: FR_TLS_OK
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - mytest
(7) eap_peap: Got inner identity 'mytest'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0208000b016d7974657374
(7) eap_peap: Setting User-Name to mytest
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0208000b016d7974657374
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = 'mytest'
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0208000b016d7974657374
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = 'mytest'
(7) server inner-tunnel {
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ ) {
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/) {
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./) {
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # policy filter_username = notfound
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "mytest"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) if ("%{Realm}" != NULL && "%{Realm}" != 'test.hk') {
(7) EXPAND %{Realm}
(7) --> NULL
(7) if ("%{Realm}" != NULL && "%{Realm}" != 'test.hk') -> FALSE
(7) else {
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) } # else = noop
(7) eap: Peer sent code Response (2) ID 8 length 11
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent method Identity (1)
(7) eap: Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2: Issuing Challenge
(7) eap: EAP session adding &reply:State = 0xb62146a8b6285c8a
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0109002a1a0109002510d806e435541f76a81bf76d4ba07cfb3a667265657261646975732d332e302e38
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xb62146a8b6285c8a3fe68614a37a338a
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0109002a1a0109002510d806e435541f76a81bf76d4ba07cfb3a667265657261646975732d332e302e38
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xb62146a8b6285c8a3fe68614a37a338a
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x0109002a1a0109002510d806e435541f76a81bf76d4ba07cfb3a667265657261646975732d332e302e38
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xb62146a8b6285c8a3fe68614a37a338a
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0xb8002a16bf093321
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 43 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(7) EAP-Message = 0x0109004b190017030100405c844afbd67aa1e344ecf9725c6d6e727a8cc5b3c340fc155069a4150c4b9739e7f54fd75c4ad8c7542786eedd338c3740cbc6b9da5b1e8278c5eb21f54e6c35
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xb8002a16bf09332133d295a612409a37
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 44 from 10.210.123.29:3629 to 10.210.235.64:1812 length 322
(8) User-Name = 'mytest'
(8) Framed-MTU = 1450
(8) EAP-Message = 0x0209006b19001703010060d0240973b1e837e4960a6ccac86a002917ab9cd054c3b22a82da98cad9e8e84c56c7cec93bb1499708cb05c6c914b86ea9522b58a4e5b33401505daa42c4b40e7350d563f2458393666b4c2cc9e17931d9a301545c74a28405ca6e5bafcd4653
(8) Message-Authenticator = 0x696f809746b8ab1507126d8351be5024
(8) Chargeable-User-Identity = 0x00
(8) NAS-IP-Address = 10.210.123.29
(8) NAS-Identifier = 'ITS-TEST'
(8) NAS-Port = 33779942
(8) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=2250'
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Framed-Protocol = PPP
(8) Calling-Station-Id = '10-1C-0C-79-26-49'
(8) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(8) Acct-Session-Id = '11505301634460'
(8) State = 0xb8002a16bf09332133d295a612409a37
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ ) {
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ ) {
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/) {
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\\./) {
(8) if (&User-Name =~ /(a)\\./) -> FALSE
(8) } # policy filter_username = notfound
(8) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(8) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(8) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(8) auth_log: EXPAND %t
(8) auth_log: --> Tue Jun 30 16:38:41 2015
(8) [auth_log] = ok
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "mytest"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8) [suffix] = ok
(8) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(8) EXPAND %{Aruba-Essid-Name}
(8) -->
(8) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(8) eap: Peer sent code Response (2) ID 9 length 107
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xb62146a8b6285c8a
(8) eap: Finished EAP session with state 0xb8002a16bf093321
(8) eap: Previous EAP request found for state 0xb8002a16bf093321, released from the list
(8) eap: Peer sent method PEAP (25)
(8) eap: EAP PEAP (25)
(8) eap: Calling eap_peap to process EAP data
(8) eap_peap: processing EAP-TLS
(8) eap_peap: eaptls_verify returned 7
(8) eap_peap: Done initial handshake
(8) eap_peap: eaptls_process returned 7
(8) eap_peap: FR_TLS_OK
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP type MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020900411a0209003c316a2051c2ef6b4f01437a8e0768e8ed840000000000000000c9939c062c9c25dc878baf49c1c1b486042217fc6242c109006d7974657374
(8) eap_peap: Setting User-Name to mytest
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020900411a0209003c316a2051c2ef6b4f01437a8e0768e8ed840000000000000000c9939c062c9c25dc878baf49c1c1b486042217fc6242c109006d7974657374
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = 'mytest'
(8) eap_peap: State = 0xb62146a8b6285c8a3fe68614a37a338a
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020900411a0209003c316a2051c2ef6b4f01437a8e0768e8ed840000000000000000c9939c062c9c25dc878baf49c1c1b486042217fc6242c109006d7974657374
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = 'mytest'
(8) State = 0xb62146a8b6285c8a3fe68614a37a338a
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ ) {
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ ) {
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/) {
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\\./) {
(8) if (&User-Name =~ /(a)\\./) -> FALSE
(8) } # policy filter_username = notfound
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "mytest"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8) [suffix] = ok
(8) if ("%{Realm}" != NULL && "%{Realm}" != 'test.hk') {
(8) EXPAND %{Realm}
(8) --> NULL
(8) if ("%{Realm}" != NULL && "%{Realm}" != 'test.hk') -> FALSE
(8) else {
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) } # else = noop
(8) eap: Peer sent code Response (2) ID 9 length 65
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) if (&EAP-Message) {
(8) if (&EAP-Message) -> TRUE
(8) if (&EAP-Message) {
(8) redundant ldap_Portal_redundant {
rlm_ldap (ldap_DB_1): Reserved connection (4)
(8) ldap_DB_1: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
(8) ldap_DB_1: --> (&(uid=mytest))
(8) ldap_DB_1: Performing search in "ou=radius,o=test,c=hk" with filter "(&(uid=mytest))", scope "sub"
(8) ldap_DB_1: Waiting for search result...
(8) ldap_DB_1: Search returned no results
rlm_ldap (ldap_DB_1): Released connection (4)
rlm_ldap (ldap_DB_1): Closing connection (0), from 2 unused connections
(8) [ldap_DB_1] = notfound
(8) } # redundant ldap_Portal_redundant = notfound
(8) } # if (&EAP-Message) = notfound
(8) ... skipping else for request 8: Preceding "if" was taken
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xb62146a8b6285c8a
(8) eap: Finished EAP session with state 0xb62146a8b6285c8a
(8) eap: Previous EAP request found for state 0xb62146a8b6285c8a, released from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: mytest
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # Auth-Type MS-CHAP = reject
(8) MSCHAP-Error: E=691 R=1
(8) Could not parse new challenge from MS-CHAP-Error: 2
(8) ERROR: MSCHAP Failure
(8) eap: EAP session adding &reply:State = 0xb62146a8b72b5c8a
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x010a00121a0409000d453d36393120523d31
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xb62146a8b72b5c8a3fe68614a37a338a
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message = 0x010a00121a0409000d453d36393120523d31
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xb62146a8b72b5c8a3fe68614a37a338a
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message = 0x010a00121a0409000d453d36393120523d31
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xb62146a8b72b5c8a3fe68614a37a338a
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: EAP session adding &reply:State = 0xb8002a16b00a3321
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 44 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(8) EAP-Message = 0x010a003b19001703010030df92ce1aac52b4b30ccdffebe206a0cec12b7a3d6c5372f4f5694631578719f749d5aba9df6c3ee020a59e55b53a1390
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xb8002a16b00a332133d295a612409a37
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 45 from 10.210.123.29:3629 to 10.210.235.64:1812 length 258
(9) User-Name = 'mytest'
(9) Framed-MTU = 1450
(9) EAP-Message = 0x020a002b190017030100209af5ad585c8b395c928213c3ee8b1504f55db4183f261d436e584d6c501d9a9b
(9) Message-Authenticator = 0xcf11096137cdd8dbd7aec6683a15595f
(9) Chargeable-User-Identity = 0x00
(9) NAS-IP-Address = 10.210.123.29
(9) NAS-Identifier = 'ITS-TEST'
(9) NAS-Port = 33779942
(9) NAS-Port-Id = 'slot=2;subslot=0;port=55;vlanid=230'
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Framed-Protocol = PPP
(9) Calling-Station-Id = '10-1C-0C-79-26-49'
(9) Called-Station-Id = '58-6A-B1-2A-F5-E0:its-test'
(9) Acct-Session-Id = '11505301634460'
(9) State = 0xb8002a16b00a332133d295a612409a37
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ ) {
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ ) {
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/) {
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\\./) {
(9) if (&User-Name =~ /(a)\\./) -> FALSE
(9) } # policy filter_username = notfound
(9) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d
(9) auth_log: --> /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(9) auth_log: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.210.123.29/auth-20150630
(9) auth_log: EXPAND %t
(9) auth_log: --> Tue Jun 30 16:38:41 2015
(9) [auth_log] = ok
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "mytest"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) {
(9) EXPAND %{Aruba-Essid-Name}
(9) -->
(9) if (Called-Station-Id =~ /Test SSID/ || "%{Aruba-Essid-Name}" =~ /Test SSID/) -> FALSE
(9) eap: Peer sent code Response (2) ID 10 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xb62146a8b72b5c8a
(9) eap: Finished EAP session with state 0xb8002a16b00a3321
(9) eap: Previous EAP request found for state 0xb8002a16b00a3321, released from the list
(9) eap: Peer sent method PEAP (25)
(9) eap: EAP PEAP (25)
(9) eap: Calling eap_peap to process EAP data
(9) eap_peap: processing EAP-TLS
(9) eap_peap: eaptls_verify returned 7
(9) eap_peap: Done initial handshake
(9) eap_peap: eaptls_process returned 7
(9) eap_peap: FR_TLS_OK
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP type MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020a00091a04090004
(9) eap_peap: Setting User-Name to mytest
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x020a00091a04090004
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = 'mytest'
(9) eap_peap: State = 0xb62146a8b72b5c8a3fe68614a37a338a
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020a00091a04090004
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = 'mytest'
(9) State = 0xb62146a8b72b5c8a3fe68614a37a338a
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ ) {
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ ) {
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/) {
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\\./) {
(9) if (&User-Name =~ /(a)\\./) -> FALSE
(9) } # policy filter_username = notfound
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "mytest", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "mytest"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) if ("%{Realm}" != NULL && "%{Realm}" != 'test.hk') {
(9) EXPAND %{Realm}
(9) --> NULL
(9) if ("%{Realm}" != NULL && "%{Realm}" != 'test.hk') -> FALSE
(9) else {
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) } # else = noop
(9) eap: Peer sent code Response (2) ID 10 length 9
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) if (&EAP-Message) {
(9) if (&EAP-Message) -> TRUE
(9) if (&EAP-Message) {
(9) redundant ldap_Portal_redundant {
rlm_ldap (ldap_DB_1): Reserved connection (4)
(9) ldap_DB_1: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
(9) ldap_DB_1: --> (&(uid=mytest))
(9) ldap_DB_1: Performing search in "ou=radius,o=test,c=hk" with filter "(&(uid=mytest))", scope "sub"
(9) ldap_DB_1: Waiting for search result...
(9) ldap_DB_1: Search returned no results
rlm_ldap (ldap_DB_1): Released connection (4)
(9) [ldap_DB_1] = notfound
(9) } # redundant ldap_Portal_redundant = notfound
(9) } # if (&EAP-Message) = notfound
(9) ... skipping else for request 9: Preceding "if" was taken
(9) [expiration] = noop
(9) [logintime] = noop
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0xb62146a8b72b5c8a
(9) eap: Finished EAP session with state 0xb62146a8b72b5c8a
(9) eap: Previous EAP request found for state 0xb62146a8b72b5c8a, released from the list
(9) eap: Peer sent method MSCHAPv2 (26)
(9) eap: EAP MSCHAPv2 (26)
(9) eap: Calling eap_mschapv2 to process EAP data
(9) eap: Freeing handler
(9) [eap] = reject
(9) } # authenticate = reject
(9) Failed to authenticate the user
(9) Login incorrect: [mytest] (from client radius-test-123.29 port 0 via TLS tunnel)
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> mytest
(9) attr_filter.access_reject: Matched entry DEFAULT at line 16
(9) [attr_filter.access_reject] = updated
(9) update {
(9) EXPAND Login incorrect: %{Module-Failure-Message}
(9) --> Login incorrect:
(9) &Module-Failure-Message := Login incorrect:
(9) } # update = noop
(9) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(9) linelog: --> messages.Access-Reject
(9) linelog: EXPAND /usr/local/var/log/radius/log/linelog-%Y%m%d
(9) linelog: --> /usr/local/var/log/radius/log/linelog-20150630
(9) linelog: EXPAND %S,%{reply:Packet-Type},%{Packet-Src-IP-Address},%{NAS-IP-Address},%{User-Name},%{Calling-Station-Id},%{%{Aruba-Essid-Name}:-%{Called-Station-Id}},%{reply:Reply-Message},%{%{reply:Module-Failure-Message}:-%{Module-Failure-Message}}
(9) linelog: --> 2015-06-30 16:38:41,Access-Reject,10.210.123.29,,mytest,,,,Login incorrect:
(9) [linelog] = ok
(9) } # Post-Auth-Type REJECT = updated
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) EAP-Message = 0x040a0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply code 3
(9) eap_peap: EAP-Message = 0x040a0004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply RADIUS code 3
(9) eap_peap: EAP-Message = 0x040a0004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Tunneled authentication was rejected
(9) eap_peap: FAILURE
(9) eap: EAP session adding &reply:State = 0xb8002a16b10b3321
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) Sent Access-Challenge Id 45 from 10.210.235.64:1812 to 10.210.123.29:3629 length 0
(9) EAP-Message = 0x010b002b190017030100206881fd9bcb736b457f738468f3088581bb4afa523344876e3aa398a833a2cfb4
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xb8002a16b10b332133d295a612409a37
(9) Finished request
Waking up in 4.7 seconds.
(0) <done>: Cleaning up request packet ID 36 with timestamp +108
(1) <done>: Cleaning up request packet ID 37 with timestamp +108
(2) <done>: Cleaning up request packet ID 38 with timestamp +108
(3) <done>: Cleaning up request packet ID 39 with timestamp +108
(4) <done>: Cleaning up request packet ID 40 with timestamp +108
(5) <done>: Cleaning up request packet ID 41 with timestamp +108
(6) <done>: Cleaning up request packet ID 42 with timestamp +108
(7) <done>: Cleaning up request packet ID 43 with timestamp +108
(8) <done>: Cleaning up request packet ID 44 with timestamp +108
(9) <done>: Cleaning up request packet ID 45 with timestamp +108
Ready to process requests
3
4
radiusd debug understanding help needed (EAP session for state 0x... did not finish)
by Zeus Panchenko 06 Jul '15
by Zeus Panchenko 06 Jul '15
06 Jul '15
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hi,
please, help me to be sure I understand `radiusd -X' output right way ...
some period of time, FR with EAP-TLS + LDAP was working in "test mode" ... now it is not
and I'm trying to understand why
FR: server is v.2.2.6 on FreeBSD 10.1R
WS: wpa_supplicant client on FreeBSD 10.1R
network (LAN) topology: FR <-> 100Mb Switch <-> WS
FR configured with EAP + LDAP and EAP/md5 for MAC auth works fine.
but EAP/tls spawns:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x8c1a57f7885a5afa did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
on this wiki page for this case it is told:
- - - Follow the instructions given above.
it is what I have folowed
- - - Consider to decreasing the tunnel MTU
there is no tunnel, but decreasing MTU on NIC didn't help
last time I faced this very problem on my VPN and MTU decreasing to 1250
helped well, but now it is not ...
in `radiusd -X' I see this:
- - ---[ quotation start ]-------------------------------------------
...
[files] expand: %{User-Name}, you have came from %{NAS-IP-Address} copper port %{NAS-Port}. -> jdoe-eap, you have came from 192.168.0.1 copper port 14.
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
[ldap] performing user authorization for jdoe-eap
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> jdoe-eap
[ldap] expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz))) -> (&(cn=jdoe-eap)(|(autho
rizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz)))
[ldap] expand: ou=People,dc=xyz -> ou=People,dc=xyz
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=xyz, with filter (&(cn=jdoe-eap)(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz)))
[ldap] performing search in cn=ethernet,ou=rad-profiles,dc=xyz, with filter (objectclass=radiusprofile)
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusSessionTimeout -> Session-Timeout = 900
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "jdoe-eap"
[ldap] userPassword -> Password-With-Header == "jdoe-eap"
[ldap] looking for reply items in directory...
[ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "3495"
[ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] radiusServiceType -> Service-Type = Framed-User
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
- - ---[ quotation end ]-------------------------------------------
so, am I correct? here it is written that LDAP auth performed successfully
further:
- - ---[ quotation start ]-------------------------------------------
++? if (notfound)
? Evaluating (notfound) -> FALSE
++? if (notfound) -> FALSE
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
...
- - ---[ quotation end ]-------------------------------------------
what does these rows mean?
- - ---[ quotation start ]-------------------------------------------
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
- - ---[ quotation end ]-------------------------------------------
wpa_supplicant debug shows this:
- - ---[ quotation start ]-------------------------------------------
...
1434988426.933490: SSL: (where=0x1001 ret=0x1)
1434988426.933492: SSL: SSL_connect:SSLv3 read server hello A
1434988426.933731: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=changeme/emailAddress=security@xyz'
1434988426.933736: igb0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=xyz-ca/emailAddress=security@xyz'
1434988426.933738: EAP: Status notification: remote certificate verification (param=success)
1434988426.933814: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=office1.xyz/emailAddress=security@xyz'
1434988426.933818: igb0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=office1.xyz/emailAddress=security@xyz'
1434988426.934102: EAP: Status notification: remote certificate verification (param=success)
1434988426.934106: SSL: (where=0x1001 ret=0x1)
1434988457.029252: SSL: SSL_connect:SSLv3 write finished A
1434988457.029254: SSL: (where=0x1001 ret=0x1)
1434988457.029255: SSL: SSL_connect:SSLv3 flush data
1434988457.029257: SSL: (where=0x1002 ret=0xffffffff)
1434988457.029258: SSL: SSL_connect:error in SSLv3 read finished A
1434988457.029260: SSL: SSL_connect - want more data
1434988457.029262: SSL: 2750 bytes pending from ssl_out
1434988457.029264: SSL: 2750 bytes left to be sent out (of total 2750 bytes)
1434988457.029266: SSL: sending 1398 bytes, more fragments will follow
1434988457.029268: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
1434988457.029270: EAP: EAP entering state SEND_RESPONSE
1434988457.029272: EAP: EAP entering state IDLE
1434988457.029273: EAPOL: SUPP_BE entering state RESPONSE
1434988457.029274: EAPOL: txSuppRsp
1434988457.029276: TX EAPOL: dst=01:80:c2:00:00:03
1434988457.029278: TX EAPOL - hexdump(len=1412): 01 00 ...
...
1 09 01 16 0c 73 65 63 75 72 69 74 79 40 69 62 73 30 1e 17 0d 31 34 30 33 31 30 31
1434988457.030267: EAPOL: SUPP_BE entering state RECEIVE
...
1434989781.980570: igb0: RX EAPOL from 34:db:fd:81:43:2b
1434989781.980571: RX EAPOL - hexdump(len=46): 01 00 00 04 04 cf 00 04 00 00 ...
1434989781.980579: EAPOL: Received EAP-Packet frame
1434989781.980580: EAPOL: SUPP_BE entering state REQUEST
1434989781.980581: EAPOL: getSuppRsp
1434989781.980582: EAP: EAP entering state RECEIVED
1434989781.980584: EAP: Received EAP-Failure
1434989781.980585: EAP: Status notification: completion (param=failure)
1434989781.980587: EAP: EAP entering state FAILURE
1434989781.980589: igb0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1434989781.980590: EAPOL: SUPP_PAE entering state HELD
1434989781.980591: EAPOL: Supplicant port status: Unauthorized
1434989781.980593: EAPOL: SUPP_BE entering state RECEIVE
1434989781.980594: EAPOL: SUPP_BE entering state FAIL
1434989781.980595: EAPOL: SUPP_BE entering state IDLE
1434989781.980596: EAPOL authentication completed unsuccessfully
...
- - ---[ quotation end ]-------------------------------------------
looks like OpenSSL related something, is it?
so, may somebody advise where to look at? how to know who is guilty?
- --
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlWIPtsACgkQr3jpPg/3oyoZIwCg5AcO12uDdmpWBPvLskHTp4ct
X3IAn0QOx/e0dLm+6erzEMKeTW6LB5Z2
=DtVP
-----END PGP SIGNATURE-----
6
24
Hi,
I am using freeradius 2.2.1
Whenever I use wrong credentials, NAS sends access reject.
Access reject packet is received when I do a packet capture.
But freeradius doesn't acknowledge access reject the same way it
does for access accept.
I changed reject_delay parameter to 0. But I still don't receive
the access reject from freeradius.
So every time wrong credentials is entered, I get time out instead
of access reject.
Is there some other configuration is need to change ?
Regards,
Sairam
2
3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello,
I'm trying to use a postgresql database in a redundant block on v3.0.8
like so:
redundant {
pgsql
detail
ok
}
Unfortunately, whenever a request hits this part of the config, it hangs
for over 120 seconds waiting for the connection to set up before moving
down the redundant block.
PQconnectdb() does have a connect_timeout option to configure how long
the function will wait before returning an error, but I don't see a way
to configure this in FR. mod_instantiate() in rlm_sql_postgresql.c looks
like it only supports the dbname, host, port, user, password, and
application_name.
Would it be possible to get a patch that will add a connect_timeout
option to the rlm_sql_postgresql config? It would be greatly appreciated.
Thanks,
Kyle
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVktkHAAoJEBZxgM7w3gB17ckIANbugIy+HW/jH4wo6lLkKigf
xRW0nUXZ05P3+E4N3B8GWnpVokK5tAIiX7LhYBTTlrLzpKbOAQRr1EMfEzvQW4Ij
kj5QFGtnZ/18dnz8MAYWYrOnkvzg6ym53ks4rNOEhUhpsp6B6P23lwCp24jT7MYV
MGmbuJieQV9Dz8MePEbRzeDrfCt8qE3DLKotOjSjgf62+H1jL1fQlpjF96QO/6nF
AV4BVLXba/AsQNbCh6fWlKljtTEPnjfI1RzBgzlvVoC3AX8BVu0dCuMYI7Rw8rSe
ZPne+iQ80/ycM6zU6ux86kKsTfmeQvgZM+TIS5aCZLsoxibZEvgJciswBhT3kkU=
=xp7I
-----END PGP SIGNATURE-----
3
3
HI!
Testing git v3.1.x 36e1b02e926df5cd75d4d548694401535c607ca9 I noticed that
something's wrong with LDAPI URLs containing a URL-encoded path.
This does not work:
server = 'ldapi://%2Ftmp%2Fopenldap-socket'
leads to:
rlm_ldap (ldap): Bind with uid=radiusd,ou=sys,dc=stroeder,dc=local to
ldapi:///tmp/openldap-socket failed: Can't contact LDAP server
I'm not sure whether radiusd URL-decodes the path and passes
"ldapi:///tmp/openldap-socket" to libldap or whether the decoding simply
happens when writing the log line.
It should *not* do URL-decoding because parsing the LDAP URL
"ldapi:///tmp/openldap-socket" in libldap won't work since the first "/" after
the "hostport" part is the next separator to the DN portion.
Ciao, Michael.
3
30
Hi all,
I would like to deactivate the users(not allowing them to login but not
deleting them) on failure to pay the subscription fee. What the best and
right way to do this? Also I would like to send some message why they are
not allowed to login.
--
Randeep
Mob: +919447831699[kerala]
Mob: +919880050349[B'lore]
http://twitter.com/Randeeppr
http://in.linkedin.com/in/randeeppr
[image: --]
Randeep Raman
[image: http://]about.me/Randeeppr
<http://about.me/Randeeppr>
1
0
Hi list,
I've checked out 3.0.x from git and configured it to my means. I get the following error when I try and start it:
/etc/raddb/mods-config/sql/main/postgresql/queries.conf[150]: Failed parsing expanded string:
/etc/raddb/mods-config/sql/main/postgresql/queries.conf[150]: ...M radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY id
/etc/raddb/mods-config/sql/main/postgresql/queries.conf[150]: ^ Unknown attribute
I've double check my sql module configuration and am using the stock queries.conf so I'm a little stumped.
help appreciated as always,
Adam
Full startup debug:
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/sql
including configuration file /etc/raddb/mods-config/sql/main/postgresql/queries.conf
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/always
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/filter
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/wicoms-test
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 2048
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
realm WICOMS {
virtual_server = testrad
}
realm NULL {
virtual_server = testrad
Please use pools instead of authhost and accthost
Please use pools instead of authhost and accthost
}
radiusd: #### Loading Clients ####
client 0.0.0.0/0 {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
radiusd: #### Instantiating modules ####
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_sql
# Loading module "wicoms_sql" from file /etc/raddb/mods-enabled/sql
sql wicoms_sql {
driver = "rlm_sql_postgresql"
server = "10.0.10.31"
port = 5432
login = "wicoms_radius"
password = <<< secret >>>
radius_db = "wicoms"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{Sql-Group}' ORDER BY id"
group_membership_query = "SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}"
type {
accounting-on {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
accounting-off {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
start {
query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)"
}
interim-update {
query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, AcctInterval = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
stop {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
}
}
rlm_sql (wicoms_sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Creating attribute wicoms_sql-SQL-Group
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_realm
# Loading module "slash" from file /etc/raddb/mods-enabled/realm
realm slash {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
instantiate {
}
modules {
/etc/raddb/mods-config/sql/main/postgresql/queries.conf[150]: Failed parsing expanded string:
/etc/raddb/mods-config/sql/main/postgresql/queries.conf[150]: ...M radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id
/etc/raddb/mods-config/sql/main/postgresql/queries.conf[150]: ^ Unknown attribute
3
11
Hi,
I'm trying to setup Freeradius 3.0.4 under CentOS 7 with TTLS-EAP and
MSCHAPv2.
My first tests with using LDAP in the back and the defaultly installed
server certificate were successful.
There won't be any authentication via client certificate. It's all about
the server certificate for the TLS encryption.
There is a self signed certificate which I would like install in the
server. Now I'm somewhat struggling with the server side configuration.
Why do I want these cnf files in the certs directory? Honestly I
expected to just place the certificate/key files there, link them in the
config and be done.
I found some documents in the internet saying that this server
certificate need extended key usage attributes (1.3.6.1.5.5.7.3.1). Is
that right?
The certificate is actually issued from a subCA. What do I have to
consider when installing the cert, key and cacert in the FreeRadius
server? Does the ca certificate need to be concatenated from the rootCA
and also the subCA?
What do I need to consider when it comes to installing the cacert to the
clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be
a catted cert from the rootca cert and the subca cert?
I there anything else I need to consider? We're using TinyCA 0.7.5.
Thank you list
--
Peakwork Signature
*Jochen Demmer*
Network Administrator
T: +49-(0)241-4131146-29
jochen.demmer(a)peakwork.com
peakwork AG | Sonnenweg 15 a | D-52070 Aachen | T: +49-(0)241-4131146-29
| F: +49-(0)241-4131146-17
peakwork AG (Headquarter) | Flinger Str. 36 | D-40213 Düsseldorf | T:
+49-(0)211-91368-500 | F: +49-(0)211-91368-509
Executive board: Ralf Usbeck (chairman) | Markus Pfau | Michael Schmidt
| Dr. Thomas van Kaldenkerken
Chairman of the supervisory board: Markus Voelkel
Company register: Amtsgericht Düsseldorf HRB 71223 | VAT ID.: DE264960677
Peakwork Logo
www.peakwork.com | www.peakwork.de
5
4