Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2015
- 78 participants
- 98 discussions
Hi there,
we are doing an Ldap-Group-Check for every login. The Group contains people who are not allowed to use radius-services.
So 98% of the Users are NOT in the Group.
FR3 first searches in the Group for the Login-User, if he finds nothing he then checks all the groups a user is member of in reverse,
which can be a lot at our site.
I know, there are directories who do not impelement backreferences for user-groups, but e.g. with eDirectory it's just not necessary.
So I wonder if there is a way to prevent this behavior with a config param I missed until know in FR3 ldap module config,
so FR just stops after not finding the user in the group?
Thu Aug 27 17:08:20 2015 : Debug: (7) policy rzur.radiusrejectcheckinner {
Thu Aug 27 17:08:20 2015 : Debug: (7) if (Stripped-User-Name =~ /^[a-zA-Z]{3}[0-9]{5}$/ ) {
Thu Aug 27 17:08:20 2015 : Debug: No matches
Thu Aug 27 17:08:20 2015 : Debug: Adding 1 matches
Thu Aug 27 17:08:20 2015 : Debug: (7) if (Stripped-User-Name =~ /^[a-zA-Z]{3}[0-9]{5}$/ ) -> TRUE
Thu Aug 27 17:08:20 2015 : Debug: (7) if (Stripped-User-Name =~ /^[a-zA-Z]{3}[0-9]{5}$/ ) {
Thu Aug 27 17:08:20 2015 : Debug: (7) if (Ldap-Group == "cn=radiusreject,ou=myou,o=myo,c=de") {
Thu Aug 27 17:08:20 2015 : Debug: (7) Searching for user in group "cn=radiusreject,ou=myou,o=myo,c=de"
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Connecting to ldap://ldap.example.com.de:389
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): New libldap handle 0x7f0e35c87c50
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Waiting for bind result...
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Bind successful
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Reserved connection (0)
Thu Aug 27 17:08:20 2015 : Debug: (7) EXPAND TMPL XLAT
Thu Aug 27 17:08:20 2015 : Debug: (&(objectClass=inetOrgPerson)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
Thu Aug 27 17:08:20 2015 : Debug: Parsed xlat tree:
Thu Aug 27 17:08:20 2015 : Debug: literal --> (&(objectClass=inetOrgPerson)(uid=
Thu Aug 27 17:08:20 2015 : Debug: if {
Thu Aug 27 17:08:20 2015 : Debug: attribute --> Stripped-User-Name
Thu Aug 27 17:08:20 2015 : Debug: }
Thu Aug 27 17:08:20 2015 : Debug: else {
Thu Aug 27 17:08:20 2015 : Debug: attribute --> User-Name
Thu Aug 27 17:08:20 2015 : Debug: }
Thu Aug 27 17:08:20 2015 : Debug: literal --> ))
Thu Aug 27 17:08:20 2015 : Debug: (7) EXPAND (&(objectClass=inetOrgPerson)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
Thu Aug 27 17:08:20 2015 : Debug: (7) --> (&(objectClass=inetOrgPerson)(uid=xxx12345))
Thu Aug 27 17:08:20 2015 : Debug: (7) EXPAND TMPL LITERAL
Thu Aug 27 17:08:20 2015 : Debug: (7) Performing search in "c=de" with filter "(&(objectClass=inetOrgPerson)(uid=xxx12345))", scope "sub"
Thu Aug 27 17:08:20 2015 : Debug: (7) Waiting for search result...
Thu Aug 27 17:08:20 2015 : Debug: (7) User object found at DN "cn=xxx12345,ou=myou,o=myo,c=de"
Thu Aug 27 17:08:20 2015 : Debug: (7) Checking for user in group objects
Thu Aug 27 17:08:20 2015 : Debug: (&(objectClass=Group)(member=%{control:LDAP-UserDn}))
Thu Aug 27 17:08:20 2015 : Debug: Parsed xlat tree:
Thu Aug 27 17:08:20 2015 : Debug: literal --> (&(objectClass=Group)(member=
Thu Aug 27 17:08:20 2015 : Debug: attribute --> LDAP-UserDN
Thu Aug 27 17:08:20 2015 : Debug: literal --> ))
Thu Aug 27 17:08:20 2015 : Debug: (7) EXPAND (&(objectClass=Group)(member=%{control:LDAP-UserDn}))
Thu Aug 27 17:08:20 2015 : Debug: (7) --> (&(objectClass=Group)(member=cn\3dxxx12345\2cou\3dmyou\2co\3dmyo\2cc\3dde))
Thu Aug 27 17:08:20 2015 : Debug: (7) Performing search in "cn=radiusreject,ou=myou,o=myo,c=de" with filter "(&(objectClass=Group)(member=cn\3dxxx12345\2cou\3dmyou\2co\3dmyo\2cc\3dde))", scope "sub"
Thu Aug 27 17:08:20 2015 : Debug: (7) Waiting for search result...
Thu Aug 27 17:08:20 2015 : Debug: (7) Search returned no results
Thu Aug 27 17:08:20 2015 : Debug: (7) Checking user object's groupMembership attributes
Thu Aug 27 17:08:20 2015 : Debug: (7) Performing unfiltered search in "cn=xxx12345,ou=myou,o=myo,c=de", scope "base"
Thu Aug 27 17:08:20 2015 : Debug: (7) Waiting for search result...
Thu Aug 27 17:08:20 2015 : Debug: (7) Processing groupMembership value "cn=mygroup1,ou=myou,o=myo,c=de" as a DN
Thu Aug 27 17:08:20 2015 : Debug: (7) Processing groupMembership value "cn=mygroup2,ou=myou,o=myo,c=de" as a DN
...
about 50 Groups
....
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Released connection (0)
Thu Aug 27 17:08:20 2015 : Info: rlm_ldap (ldap): 0 of 1 connections in use. Need more spares
Thu Aug 27 17:08:20 2015 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 127 pending slots used
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): New libldap handle 0x7f0e35caa700
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Waiting for bind result...
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Bind successful
Thu Aug 27 17:08:20 2015 : Debug: (7) User is not a member of "cn=radiusreject,ou=myou,o=myo,c=de"
Thu Aug 27 17:08:20 2015 : Debug: (7) if (Ldap-Group == "cn=radiusreject,ou=myou,o=myo,c=de") -> FALSE
Thu Aug 27 17:08:20 2015 : Debug: (7) } # if (Stripped-User-Name =~ /^[a-zA-Z]{3}[0-9]{5}$/ ) = updated
Thu Aug 27 17:08:20 2015 : Debug: (7) } # policy rzur.radiusrejectcheckinner = updated
Thank you for your time,
Anja
2
2
I am setting up a couple of servers FreeRADIUS 3.0.4 (CentOS 7). They
are pretty basic, handling RADIUS for dialup users. The users are
stored in SQL (each servers has a local MariaDB instance, provisioned by
an external management system).
I have accounting data going to SQL as well, but then each server just
has its own records (and of course NASes tend to flip back and forth on
their own), so I would like to have FreeRADIUS duplicate the accounting
records to both servers (so server A sends what it gets to server B and
vice versa).
I see radrelay references in buffered-sql and the like, but what I don't
see is how do I keep accounting records from looping? If both servers
are configured to copy to the other, what keeps records from bouncing
back and forth? Or will they only forward records they receive directly
from NASes? I couldn't find anything that explicitly documents that
behavior.
--
Chris Adams <cma(a)cmadams.net>
2
4
Hi there,
we used code like this in unlang policies with freeradius 2.x
if (Ldap-Group == "%{control:My-Group-Name}" )
{
do something
}
With freeradius 3.0.9 it is expanded correctly but the comparison returns false and the ldap group check is not involved.
EXPAND %{control:My-Group-Name}
--> cn=mygroup,ou=myou,o=myo,c=de
if (Ldap-Group == "%{control:My-Group-Name}" ) -> FALSE
if (Ldap-Group == "cn=mygroup,ou=myou,o=myo,c=de" ) starts the check and evaluates to true.
Is there a new/another syntax for the expansion in a comparison?
Thanks, Anja
2
2
How do I install or upgrade to freeradius version 3.0.9 on Linux Ubuntu 14.04
by Gugulethu Khumalo 27 Aug '15
by Gugulethu Khumalo 27 Aug '15
27 Aug '15
Good day,
I am new to freeradius and I have failed to install any of the versions
after 2.1.12 which currently installs when you run sudo apt-get install
freeradius.It has been fine for introduction but now I have gotten to a
stage where I need help in troubleshooting and I realise from the site
http://freeradius.org that 1.1.x series is no longer maintained.I have
tried following some of the instructions on how to install version 3.0.9
and other versions after 2.1.12 but they all fail eventually.
I will like to get help on how to successfully install version 3.0.9 on my
Ubuntu 14.04.Thank you.
4
4
Hi Members,
I am trying to setup FR with Windows Active Directory. I guess my setup is
working as I am able to do mschap authentication using radtest command, but
getting below logs with unsuccessful login when trying to authenticate via
peapv0 via Windows 7 machine.
I am using AD CA signed certificate for TLS, but seems that some
certificate problem is appearing in TLS connection.
Please let me know if I am missing anything here,
+++++++++++++++++++++++++++++++++++++++++
rad_recv: Access-Request packet from host 192.168.32.99 port 20001, id=68,
length=170
NAS-Port-Id = "AP12/2"
Calling-Station-Id = "xxxxxxxxxxx"
Called-Station-Id = "xxxxxxxxxxxx"
Service-Type = Framed-User
User-Name = "test\\user1"
NAS-Port = 62279
State = 0xe13e110ce53808ac11ae5d07bbfe47cd
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 192.168.32.99
NAS-Identifier = "Juniper"
Message-Authenticator = 0x118db9c6453dc9c952b65157e6d1a70b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test\user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 68 to 192.168.32.99 port 20001
EAP-Message = 0x010700061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe13e110ce43908ac11ae5d07bbfe47cd
Finished request 29.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 24 ID 63 with timestamp +153
Cleaning up request 25 ID 64 with timestamp +153
Cleaning up request 26 ID 65 with timestamp +153
Cleaning up request 27 ID 66 with timestamp +153
Cleaning up request 28 ID 67 with timestamp +153
Cleaning up request 29 ID 68 with timestamp +153
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xe13e110ce43908ac did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
++++++++++++++++++++++++++++++++++++++++++++++++++++
--
Regards,
Vishesh Kumar
2
1
Dear All,
I'm seeing following errors when I start radius server. Counter not
working!
------------------------------------------------------------------------------------------------------------------------
radiusd -X
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/sql
including configuration file
/etc/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/raddb/mods-enabled/sqlcounter
including configuration file
/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
including configuration file
/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
including configuration file
/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
including configuration file
/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
including configuration file
/etc/raddb/mods-config/sql/counter/mysql/volumecounter.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "CVE-2014-0160"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 103.58.144.252 {
ipaddr = 103.58.144.252
require_message_authenticator = no
secret = <<< secret >>>
shortname = "Local"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loading module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_sql
# Loading module "sql" from file /etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype, acctstarttime,
acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0',
'%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime =
(@acctupdatetime_old:=acctupdatetime), acctupdatetime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval =
%{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old),
framedipaddress = '%{Framed-IP-Address}', acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
linked
Creating attribute SQL-Group
# Loaded module rlm_sqlcounter
# Loading module "dailycounter" from file
/etc/raddb/mods-enabled/sqlcounter
sqlcounter dailycounter {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT SUM(acctsessiontime - GREATEST((%%b -
UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username =
'%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime >
'%%b'"
reset = "daily"
counter_name = "Daily-Session-Time"
check_name = "Max-Daily-Session"
reply_name = "Session-Timeout"
}
# Loading module "monthlycounter" from file
/etc/raddb/mods-enabled/sqlcounter
sqlcounter monthlycounter {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT SUM(acctsessiontime - GREATEST((%%b -
UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE
username='%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) +
acctsessiontime > '%%b'"
reset = "monthly"
counter_name = "Monthly-Session-Time"
check_name = "Max-Monthly-Session"
reply_name = "Session-Timeout"
}
# Loading module "noresetcounter" from file
/etc/raddb/mods-enabled/sqlcounter
sqlcounter noresetcounter {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT IFNULL(SUM(AcctSessionTime),0) FROM radacct WHERE
UserName='%{User-Name}'"
reset = "never"
counter_name = "Max-All-Session-Time"
check_name = "Max-All-Session"
reply_name = "Session-Timeout"
}
# Loading module "expire_on_login" from file
/etc/raddb/mods-enabled/sqlcounter
sqlcounter expire_on_login {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT IFNULL( MAX(TIME_TO_SEC(TIMEDIFF(NOW(),
acctstarttime))),0) FROM radacct WHERE UserName='%{User-Name}' ORDER BY
acctstarttime LIMIT 1;"
reset = "never"
counter_name = "Expire-After-Initial-Login"
check_name = "Expire-After"
reply_name = "Session-Timeout"
}
# Loading module "volumecounter" from file
/etc/raddb/mods-enabled/sqlcounter
sqlcounter volumecounter {
sql_module_instance = "sql"
key = "User-Name"
query = "SELECT SUM(AcctInputOctets)/(1024*1024) +
SUM(AcctOutputOctets)/(1024*1024) FROM radacct WHERE
UserName='%{User-Name}'"
reset = "never"
counter_name = "Mikrotik-Total-Limit"
check_name = "Mikrotik-Total-Limit"
reply_name = "Session-Timeout"
}
/etc/raddb/mods-enabled/sqlcounter[97]: Failed registering counter
attribute Mikrotik-Total-Limit: Attribute 'Mikrotik-Total-Limit' already
exists.
/etc/raddb/mods-enabled/sqlcounter[97]: Instantiation failed for module
"volumecounter"
------------------------------------------------------------------------------------------------------------------------
Thanks,
Akash
2
2
We have had back to school this week and a lot of students are complaining about "unstable wifi". Not a lot of help… but after much digging, the general report is that they connect to the wireless network (Cisco 5508 controller advertising WPA2 Enterprise / PEAP / MSCHAPv2 network authenticating against FreeRadius 3.0.7 with Active Directory) but then they will lose their connection and may not be able to get connected again for 30 minutes to several hours later.
We didn’t have problems at all this summer with light traffic, but now with heavy traffic, it’s quite overwhelming.
I plan to upgrade to FR 3.0.9 tomorrow.
I will also open a case with Cisco in the morning.
My question here is related to the activity I’m seeing in the radius.log on the FR servers. I see login OK messages for the same user repeatedly at intervals from a few seconds to a few minutes apart. I thought it might have something to do with a user moving between access points, but even when they are in a fixed location, multiple entries show in the log.
I’m not familiar with the radius protocol, but this seems… excessive. My first thought is a misconfiguration of the WLAN on the Cisco controller, but, before opening a case with Cisco, are there thoughts from the FR community?
Here is a sample of log messages for me from a period today:
Tue Aug 25 14:15:08 2015 : Auth: (24739) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
Tue Aug 25 14:15:14 2015 : Auth: (25069) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
Tue Aug 25 14:15:44 2015 : Auth: (26647) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
Tue Aug 25 14:19:42 2015 : Auth: (37222) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
Tue Aug 25 14:19:58 2015 : Auth: (38197) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
Tue Aug 25 14:21:11 2015 : Auth: (41519) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
Tue Aug 25 14:23:00 2015 : Auth: (46534) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
Tue Aug 25 14:23:38 2015 : Auth: (48018) Login OK: [twinders(a)southplainscollege.edu] (from client lev-wireless1 port 13 cli 04-f1-3e-bc-44-05 via TLS tunnel)
I can post additional logs or configuration information if that would be helpful. I’m not sure exactly what would be helpful, so I’ll hold off including anything more for now.
Thank you.
--
Tim Winders
Associate Dean of Information Technology
South Plains College
(806) 716-2369
3
4
Hi,
I would need a little help with UNHEX thing for file query.conf which is
for mysql.
Here is one part that is bothering me from query.conf. I posted it on
pastebin:http://pastebin.com/JXwuc3ST
In accounting request I get like this: CALLEDSTATIONID_WITH_PREFIX =
'88#' but in mysql insert radius is inserting like this '88=23' value
''88#' which is HEX.
OK how to write this part so that I will be inserted like '88#'?
'%{CALLEDSTATIONID_WITH_PREFIX}'
tnx
miha
2
2
Hi,
I'm trying to authenticate a wifi client (wpa_supplicant) using eap-peap
with phase2 autheap=md5. In debug output, eap-peap appears to finalize with
mschapv2 but eap-ttls uses eap-md5. Can I force eap-peap to use eap-md5?
radiusd output eap-peap/autheap=md5
[1mradiusd: FreeRADIUS Version 3.0.3, for host x86_64-redhat-linux-gnu,
built on Jun 3 2014 at 12:39:33[0m
[1mCopyright (C) 1999-2014 The FreeRADIUS server project and
contributors[0m
[1mThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A[0m
[1mPARTICULAR PURPOSE[0m
[1mYou may redistribute copies of FreeRADIUS under the terms of the[0m
[1mGNU General Public License[0m
[1mFor more information about these matters, see the file named
COPYRIGHT[0m
[1mStarting - reading configuration files ...[0m
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/detail.log
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "CVE-2014-0160"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_exec
# Instantiating module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for
entry lanforge ...
[/etc/raddb/mods-config/files/authorize]:6 Cistron compatibility checks for
entry testuser ...
[/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:202 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for
entry lanforge ...
[/etc/raddb/mods-config/files/authorize]:6 Cistron compatibility checks for
entry testuser ...
[/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:202 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/etc/raddb/mods-enabled/replicate
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Instantiating module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 60874
Ready to process requests.
Received Access-Request Id 58 from 127.0.0.1:35433 to 127.0.0.1:1812 length
199
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x02fc000d017465737475736572
Message-Authenticator = 0x67f928dcf08d49cee2254f7772c38dce
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> testuser
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /(a)\\./)
(0) if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : EAP packet type response id 252 length 13
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply
0xac337ffeacce7bb4
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 58 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message = 0x01fd00160410b5170ee0cf757095a1c0ece75b55c2b2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffeacce7bb44296c44be3bc030a
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 59 from 127.0.0.1:35433 to 127.0.0.1:1812 length
210
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x02fd00060319
State = 0xac337ffeacce7bb44296c44be3bc030a
Message-Authenticator = 0x1994ae87ae4554d634fc95d88c8f6aed
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (User-Name != "%{tolower:%{User-Name}}")
(1) EXPAND %{tolower:%{User-Name}}
(1) --> testuser
(1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) if (User-Name =~ / /)
(1) if (User-Name =~ / /) -> FALSE
(1) if (User-Name =~ /@.*@/ )
(1) if (User-Name =~ /@.*@/ ) -> FALSE
(1) if (User-Name =~ /\\.\\./ )
(1) if (User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (User-Name =~ /\\.$/)
(1) if (User-Name =~ /\\.$/) -> FALSE
(1) if (User-Name =~ /(a)\\./)
(1) if (User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : EAP packet type response id 253 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files : users: Matched entry testuser at line 6
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0xac337ffeacce7bb4
(1) eap : Finished EAP session with state 0xac337ffeacce7bb4
(1) eap : Previous EAP request found for state 0xac337ffeacce7bb4, released
from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply
0xac337ffeadcd66b4
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 59 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message = 0x01fe00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffeadcd66b44296c44be3bc030a
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 60 from 127.0.0.1:35433 to 127.0.0.1:1812 length
461
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x02fe00ff1980000000f516030100f0010000ec030355db9f2af5ebeda72d7d1e90334bed49da9dfee869c7d09b37d132c932fd925e000084c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c00800160013c00dc003000ac02fc02bc027c023c013c00900a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc0020005000400ff0100003f000b000403000102000a00080006001900180017000d002200200601060206030501050205030401040204030301030203030201020202030101000f000101
State = 0xac337ffeadcd66b44296c44be3bc030a
Message-Authenticator = 0x20d3d3f1dc408bde9e511f4850a7f480
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2) --> testuser
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /(a)\\./)
(2) if (User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : EAP packet type response id 254 length 255
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0xac337ffeadcd66b4
(2) eap : Finished EAP session with state 0xac337ffeadcd66b4
(2) eap : Previous EAP request found for state 0xac337ffeadcd66b4, released
from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
TLS Length 245
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap : (other): before/accept initialization
(2) eap_peap : TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 00f0], ClientHello
(2) eap_peap : TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 005e], ServerHello
(2) eap_peap : TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0919], Certificate
(2) eap_peap : TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap : TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap : TLS_accept: SSLv3 write server done A
(2) eap_peap : TLS_accept: SSLv3 flush data
(2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply
0xac337ffeaecc66b4
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge Id 60 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x01ff03ec19c000000ada160301005e0200005a030155db9f2a5748fcd51805f2324c2bc9003d983d076d16dfb2c852072864827c45202b5c6979693e22cc640a8726e21abfc4da4779a0d349188a0bb6c87d3233ad0dc014000012ff01000100000b000403000102000f00010116030109190b0009150009120003fd308203f9308202e1a00302010202021004300d06092a864886f70d01010505003081a1310b3009060355040613025553310b30090603550408130257413111300f060355040713084665726e64616c6531223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303332343139303335385a170d3238313133303139303335385a30818b310b3009060355040613025553310b300906035504081302574131223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d30820122300d06092
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffeaecc66b44296c44be3bc030a
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 61 from 127.0.0.1:35433 to 127.0.0.1:1812 length
210
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x02ff00061900
State = 0xac337ffeaecc66b44296c44be3bc030a
Message-Authenticator = 0xf134ca7d6d47ce150fa86ceda495b9b6
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (User-Name != "%{tolower:%{User-Name}}")
(3) EXPAND %{tolower:%{User-Name}}
(3) --> testuser
(3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) if (User-Name =~ / /)
(3) if (User-Name =~ / /) -> FALSE
(3) if (User-Name =~ /@.*@/ )
(3) if (User-Name =~ /@.*@/ ) -> FALSE
(3) if (User-Name =~ /\\.\\./ )
(3) if (User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (User-Name =~ /\\.$/)
(3) if (User-Name =~ /\\.$/) -> FALSE
(3) if (User-Name =~ /(a)\\./)
(3) if (User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : EAP packet type response id 255 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0xac337ffeaecc66b4
(3) eap : Finished EAP session with state 0xac337ffeaecc66b4
(3) eap : Previous EAP request found for state 0xac337ffeaecc66b4, released
from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply
0xac337ffeaf3366b4
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge Id 61 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x010003e819400bb6c0da3a6f7818873f0279d606e0aeb56f2c2fff8928c6c5eef941db3bc116bbefb9eaa41733c0aa19ab2d764b47e75056a665144fbb09951b20559e50ad910303fd0f3c1eae82526b96e604e51e0e78c5b93b85044d1f27ef07b017dd151e74a778d28c73caa95dee831fc8fa6c02c98d0d8606d2f2a72e7aa15715a710ef07e3e73c76c87c5a5ddee6427a00050f3082050b308203f3a003020102020900a2f025aae13c9c30300d06092a864886f70d01010505003081a1310b3009060355040613025553310b30090603550408130257413111300f060355040713084665726e64616c6531223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303332343139303335385a170d3238313133303139303335385a3081a1310b3009060355040613025553310b30090603550408130257413111300f060355040713084665726e64616c6531223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e64656c61746
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffeaf3366b44296c44be3bc030a
(3) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 62 from 127.0.0.1:35433 to 127.0.0.1:1812 length
210
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x020000061900
State = 0xac337ffeaf3366b44296c44be3bc030a
Message-Authenticator = 0xcb56c029b6b43ae5dd19540233961ff8
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (User-Name != "%{tolower:%{User-Name}}")
(4) EXPAND %{tolower:%{User-Name}}
(4) --> testuser
(4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) if (User-Name =~ / /)
(4) if (User-Name =~ / /) -> FALSE
(4) if (User-Name =~ /@.*@/ )
(4) if (User-Name =~ /@.*@/ ) -> FALSE
(4) if (User-Name =~ /\\.\\./ )
(4) if (User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (User-Name =~ /\\.$/)
(4) if (User-Name =~ /\\.$/) -> FALSE
(4) if (User-Name =~ /(a)\\./)
(4) if (User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) eap : EAP packet type response id 0 length 6
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0xac337ffeaf3366b4
(4) eap : Finished EAP session with state 0xac337ffeaf3366b4
(4) eap : Previous EAP request found for state 0xac337ffeaf3366b4, released
from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply
0xac337ffea83266b4
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge Id 62 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x0101031c190069657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a2f025aae13c9c30300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d0101050500038201010080f321d1943c002ab4437a720d11daec43be07fdd539a7a17ab1841578cb5c19382dfe5ddb526c247f057b0d6486f23336d7465d4f5bdbc1338c97ad3a4b39b7917a091ed5c8c5c9c16bf0eda8087251516e44a62cf70d7be0c2ab4a8e415e5b03e40d28e40a3d2ddb4e96affa65080ae19fea6a3f9fb6a7daf4a6b43cb901fc7f1446099a5fc80c530839222f948eab2c070e76e34f15e29abdd9f58bf6a84d3493137c3b9cce7f587bc4b32d9e17c587fc2fa0d73965277a12f9858557d303adbc2b59d566989bcfa43dafa87e5bab4d2ff5aa1755f65658bf4c35aec45b9b852dac4f89d7ad5038e4cd12c34b1d0da5e01f4f3b20626b81a1701adc84393e160301014b0c0001470300174104b3d7781cd8a6929f1e5cf585020171c8c7255688b6bc99adc3e1f0eeea09c5a5fe2d0e47967
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffea83266b44296c44be3bc030a
(4) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 63 from 127.0.0.1:35433 to 127.0.0.1:1812 length
348
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x02010090198000000086160301004610000042410468aef3802264953b0ffe64b27b0f83f447a87c59c64bf07d2469a6088befd8f6b83cf6bb4402fe835e0271fdcfdb6e8a5e7ae471f7b7e288e6ddb03ce451053e14030100010116030100309cbdf6ca7f30ad8119e875efea52a26e51ca4774da01e75623932dadf8bf567a04bc278a4d4c6e260a864149c3105ac9
State = 0xac337ffea83266b44296c44be3bc030a
Message-Authenticator = 0xb2950f28a83b928efd6969581896e10c
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (User-Name != "%{tolower:%{User-Name}}")
(5) EXPAND %{tolower:%{User-Name}}
(5) --> testuser
(5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) if (User-Name =~ / /)
(5) if (User-Name =~ / /) -> FALSE
(5) if (User-Name =~ /@.*@/ )
(5) if (User-Name =~ /@.*@/ ) -> FALSE
(5) if (User-Name =~ /\\.\\./ )
(5) if (User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (User-Name =~ /\\.$/)
(5) if (User-Name =~ /\\.$/) -> FALSE
(5) if (User-Name =~ /(a)\\./)
(5) if (User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) eap : EAP packet type response id 1 length 144
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0xac337ffea83266b4
(5) eap : Finished EAP session with state 0xac337ffea83266b4
(5) eap : Previous EAP request found for state 0xac337ffea83266b4, released
from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
TLS Length 134
(5) eap_peap : Length Included
(5) eap_peap : eaptls_verify returned 11
(5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap : TLS_accept: SSLv3 read client key exchange A
(5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 read finished A
(5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 write finished A
(5) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session
2b5c6979693e22cc640a8726e21abfc4da4779a0d349188a0bb6c87d3233ad0d to cache
(5) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply
0xac337ffea93166b4
(5) [eap] = handled
(5) } # authenticate = handled
Sending Access-Challenge Id 63 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x01020041190014030100010116030100308eae5a41f6e395126186db8125de0b004e3ae1e8264e9acd8c82ab24482555bf6190fdd8be5dc9ce6cbf8887e886e1eb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffea93166b44296c44be3bc030a
(5) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 64 from 127.0.0.1:35433 to 127.0.0.1:1812 length
210
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x020200061900
State = 0xac337ffea93166b44296c44be3bc030a
Message-Authenticator = 0x101a53003bdd588a9d9e5923504506b5
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (User-Name != "%{tolower:%{User-Name}}")
(6) EXPAND %{tolower:%{User-Name}}
(6) --> testuser
(6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) if (User-Name =~ / /)
(6) if (User-Name =~ / /) -> FALSE
(6) if (User-Name =~ /@.*@/ )
(6) if (User-Name =~ /@.*@/ ) -> FALSE
(6) if (User-Name =~ /\\.\\./ )
(6) if (User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (User-Name =~ /\\.$/)
(6) if (User-Name =~ /\\.$/) -> FALSE
(6) if (User-Name =~ /(a)\\./)
(6) if (User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) eap : EAP packet type response id 2 length 6
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0xac337ffea93166b4
(6) eap : Finished EAP session with state 0xac337ffea93166b4
(6) eap : Previous EAP request found for state 0xac337ffea93166b4, released
from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : Received TLS ACK
(6) eap_peap : Received TLS ACK
(6) eap_peap : ACK handshake is finished
(6) eap_peap : eaptls_verify returned 3
(6) eap_peap : eaptls_process returned 3
(6) eap_peap : FR_TLS_SUCCESS
(6) eap_peap : Session established. Decoding tunneled attributes.
(6) eap_peap : Peap state TUNNEL ESTABLISHED
(6) eap : New EAP session, adding 'State' attribute to reply
0xac337ffeaa3066b4
(6) [eap] = handled
(6) } # authenticate = handled
Sending Access-Challenge Id 64 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x0103002b19001703010020d8963167cb2c91701ba58e1bd30091199cad2114d0ef5eebffb2506ba9a61c50
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffeaa3066b44296c44be3bc030a
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 65 from 127.0.0.1:35433 to 127.0.0.1:1812 length
284
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x020300501900170301002019e34d12ed021daad5109ab27ba81e2dd80c4006a3137fe2cbb4584c08b2e0c91703010020f274e1276548e21e74bccff55e31ec2e69fd2c23d10129e1cfe2e5a12000fe6e
State = 0xac337ffeaa3066b44296c44be3bc030a
Message-Authenticator = 0x4d70591d71e8115e95bc9188bc4e7e44
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (User-Name != "%{tolower:%{User-Name}}")
(7) EXPAND %{tolower:%{User-Name}}
(7) --> testuser
(7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) if (User-Name =~ / /)
(7) if (User-Name =~ / /) -> FALSE
(7) if (User-Name =~ /@.*@/ )
(7) if (User-Name =~ /@.*@/ ) -> FALSE
(7) if (User-Name =~ /\\.\\./ )
(7) if (User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (User-Name =~ /\\.$/)
(7) if (User-Name =~ /\\.$/) -> FALSE
(7) if (User-Name =~ /(a)\\./)
(7) if (User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) eap : EAP packet type response id 3 length 80
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0xac337ffeaa3066b4
(7) eap : Finished EAP session with state 0xac337ffeaa3066b4
(7) eap : Previous EAP request found for state 0xac337ffeaa3066b4, released
from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes.
(7) eap_peap : Peap state WAITING FOR INNER IDENTITY
(7) eap_peap : Identity - testuser
(7) eap_peap : Got inner identity 'testuser'
(7) eap_peap : Setting default EAP type for tunneled EAP session.
(7) eap_peap : Got tunneled request
EAP-Message = 0x0203000d017465737475736572
server default {
(7) eap_peap : Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x0203000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'testuser'
server inner-tunnel {
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : EAP packet type response id 3 length 13
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Peer sent Identity (1)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : Issuing Challenge
(7) eap : New EAP session, adding 'State' attribute to reply
0xb1be9a22b1ba80a3
(7) [eap] = handled
(7) } # authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010400221a0104001d10027ae9f0cd1c776d593ea7329525024b7465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb1be9a22b1ba80a3164ac945e67a1095
(7) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010400221a0104001d10027ae9f0cd1c776d593ea7329525024b7465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb1be9a22b1ba80a3164ac945e67a1095
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply
0xac337ffeab3766b4
(7) [eap] = handled
(7) } # authenticate = handled
Sending Access-Challenge Id 65 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x0104004b190017030100407891a16aa2b3472c046f41f0e18d7b91991cdd2415e05527ead38adf7c992b7138371115d7410f4dd47175742f6326e25d991fecf1c1664047cbed2d7c4947df
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffeab3766b44296c44be3bc030a
(7) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 66 from 127.0.0.1:35433 to 127.0.0.1:1812 length
348
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x02040090190017030100207efb9a41982ebc4831585f9fc96a3aa74e1735a6b09a1be5369a156d6e55ae121703010060ccea57586e02203538208536cb2dfd3bd2e67510b7ea0ec2c7e5b5fd551f38b25ddbe523a7e811878c69856a2770b10af175930120f6db569c878cc39836354de44475593dc6b61c2142896e59ece5f0a38acccc3a4faeee156a41f958399798
State = 0xac337ffeab3766b44296c44be3bc030a
Message-Authenticator = 0x110a83574ebcde0b705ebe475a27cd09
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (User-Name != "%{tolower:%{User-Name}}")
(8) EXPAND %{tolower:%{User-Name}}
(8) --> testuser
(8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(8) if (User-Name =~ / /)
(8) if (User-Name =~ / /) -> FALSE
(8) if (User-Name =~ /@.*@/ )
(8) if (User-Name =~ /@.*@/ ) -> FALSE
(8) if (User-Name =~ /\\.\\./ )
(8) if (User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(8) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(8) if (User-Name =~ /\\.$/)
(8) if (User-Name =~ /\\.$/) -> FALSE
(8) if (User-Name =~ /(a)\\./)
(8) if (User-Name =~ /(a)\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) eap : EAP packet type response id 4 length 144
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0xb1be9a22b1ba80a3
(8) eap : Finished EAP session with state 0xac337ffeab3766b4
(8) eap : Previous EAP request found for state 0xac337ffeab3766b4, released
from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message =
0x020400431a0204003e31a7bbe3cde881d2e06d41a5b6a44f0d94000000000000000069d59066f3db91279151c9f6dac509f5418c01689cf27420007465737475736572
server default {
(8) eap_peap : Setting User-Name to testuser
Sending tunneled request
EAP-Message =
0x020400431a0204003e31a7bbe3cde881d2e06d41a5b6a44f0d94000000000000000069d59066f3db91279151c9f6dac509f5418c01689cf27420007465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'testuser'
State = 0xb1be9a22b1ba80a3164ac945e67a1095
server inner-tunnel {
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : EAP packet type response id 4 length 67
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files : users: Matched entry testuser at line 6
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) WARNING: pap : Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0xb1be9a22b1ba80a3
(8) eap : Finished EAP session with state 0xb1be9a22b1ba80a3
(8) eap : Previous EAP request found for state 0xb1be9a22b1ba80a3, released
from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2 : Auth-Type MS-CHAP {
(8) mschap : Found Cleartext-Password, hashing to create LM-Password
(8) mschap : Found Cleartext-Password, hashing to create NT-Password
(8) mschap : Creating challenge hash with username: testuser
(8) mschap : Client is using MS-CHAPv2
(8) mschap : Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(8) eap : New EAP session, adding 'State' attribute to reply
0xb1be9a22b0bb80a3
(8) [eap] = handled
(8) } # authenticate = handled
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010500331a0304002e533d39434644443638374641354143433544414444363231413738393232313443323137324238443136
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb1be9a22b0bb80a3164ac945e67a1095
(8) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010500331a0304002e533d39434644443638374641354143433544414444363231413738393232313443323137324238443136
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb1be9a22b0bb80a3164ac945e67a1095
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply
0xac337ffea43666b4
(8) [eap] = handled
(8) } # authenticate = handled
Sending Access-Challenge Id 66 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x0105005b1900170301005088813548ddf94724b53a20fdbc87fd1c46cce9cb304463628b94edbf3ccce0f8db9c8820d2ff1187b5a5410a8485ae18e99d36f48180441d914360a165bb11572625ee26bcb38e940bede46acd1078dd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffea43666b44296c44be3bc030a
(8) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 67 from 127.0.0.1:35433 to 127.0.0.1:1812 length
284
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x0205005019001703010020f09ba916b1bb58e1700e3b1ca5851eee9b039c85e8e6d846367d9d6cca7a68a4170301002091a3f0516ee8f4b1cd8bd7f571ab50adc3a38373ba07180ac04d9511ea3aa4f0
State = 0xac337ffea43666b44296c44be3bc030a
Message-Authenticator = 0x92f7efa862baddcd14f8f37226c93cc4
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (User-Name != "%{tolower:%{User-Name}}")
(9) EXPAND %{tolower:%{User-Name}}
(9) --> testuser
(9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(9) if (User-Name =~ / /)
(9) if (User-Name =~ / /) -> FALSE
(9) if (User-Name =~ /@.*@/ )
(9) if (User-Name =~ /@.*@/ ) -> FALSE
(9) if (User-Name =~ /\\.\\./ )
(9) if (User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(9) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(9) if (User-Name =~ /\\.$/)
(9) if (User-Name =~ /\\.$/) -> FALSE
(9) if (User-Name =~ /(a)\\./)
(9) if (User-Name =~ /(a)\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) eap : EAP packet type response id 5 length 80
(9) eap : Continuing tunnel setup.
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0xb1be9a22b0bb80a3
(9) eap : Finished EAP session with state 0xac337ffea43666b4
(9) eap : Previous EAP request found for state 0xac337ffea43666b4, released
from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes.
(9) eap_peap : Peap state phase2
(9) eap_peap : EAP type MSCHAPv2 (26)
(9) eap_peap : Got tunneled request
EAP-Message = 0x020500061a03
server default {
(9) eap_peap : Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x020500061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'testuser'
State = 0xb1be9a22b0bb80a3164ac945e67a1095
server inner-tunnel {
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) Proxy-To-Realm := 'LOCAL'
(9) } # update control = noop
(9) eap : EAP packet type response id 5 length 6
(9) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap : Expiring EAP session with state 0xb1be9a22b0bb80a3
(9) eap : Finished EAP session with state 0xb1be9a22b0bb80a3
(9) eap : Previous EAP request found for state 0xb1be9a22b0bb80a3, released
from the list
(9) eap : Peer sent MSCHAPv2 (26)
(9) eap : EAP MSCHAPv2 (26)
(9) eap : Calling eap_mschapv2 to process EAP data
(9) eap : Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(9) (null) post-auth { ... } # empty sub-section is ignored
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 2
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x62b5d44437c16ef3e9639a6e70630dce
MS-MPPE-Recv-Key = 0x53749455e55cad37bb61abd38f93ffde
EAP-Message = 0x03050004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'testuser'
(9) eap_peap : Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x62b5d44437c16ef3e9639a6e70630dce
MS-MPPE-Recv-Key = 0x53749455e55cad37bb61abd38f93ffde
EAP-Message = 0x03050004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'testuser'
(9) eap_peap : Tunneled authentication was successful.
(9) eap_peap : SUCCESS
(9) eap : New EAP session, adding 'State' attribute to reply
0xac337ffea53566b4
(9) [eap] = handled
(9) } # authenticate = handled
Sending Access-Challenge Id 67 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x0106002b19001703010020696438a4d8a852d2b5fd2c3fad99ed06f8a1e864ac9db9c91a10b76df019806b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xac337ffea53566b44296c44be3bc030a
(9) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 68 from 127.0.0.1:35433 to 127.0.0.1:1812 length
284
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000006'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x02060050190017030100208cd6608dbef4cecccee1609aa390bd34c942a7213e02eef520eaa7c07e3415071703010020fefd8e765597b61f693aa7a85b63f9a76f288bd27597cf75bb04d9465b8dc65a
State = 0xac337ffea53566b44296c44be3bc030a
Message-Authenticator = 0x04686e408fa7398a03cade732d7cd4e0
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) filter_username filter_username {
(10) if (User-Name != "%{tolower:%{User-Name}}")
(10) EXPAND %{tolower:%{User-Name}}
(10) --> testuser
(10) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(10) if (User-Name =~ / /)
(10) if (User-Name =~ / /) -> FALSE
(10) if (User-Name =~ /@.*@/ )
(10) if (User-Name =~ /@.*@/ ) -> FALSE
(10) if (User-Name =~ /\\.\\./ )
(10) if (User-Name =~ /\\.\\./ ) -> FALSE
(10) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(10) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(10) if (User-Name =~ /\\.$/)
(10) if (User-Name =~ /\\.$/) -> FALSE
(10) if (User-Name =~ /(a)\\./)
(10) if (User-Name =~ /(a)\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(10) suffix : No such realm "NULL"
(10) [suffix] = noop
(10) eap : EAP packet type response id 6 length 80
(10) eap : Continuing tunnel setup.
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap : Expiring EAP session with state 0xac337ffea53566b4
(10) eap : Finished EAP session with state 0xac337ffea53566b4
(10) eap : Previous EAP request found for state 0xac337ffea53566b4,
released from the list
(10) eap : Peer sent PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established. Decoding tunneled attributes.
(10) eap_peap : Peap state send tlv success
(10) eap_peap : Received EAP-TLV response.
(10) eap_peap : Success
(10) WARNING: eap_peap : No information to cache: session caching will be
disabled for session
2b5c6979693e22cc640a8726e21abfc4da4779a0d349188a0bb6c87d3233ad0d
SSL: Removing session
2b5c6979693e22cc640a8726e21abfc4da4779a0d349188a0bb6c87d3233ad0d from the
cache
(10) eap : Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(10) post-auth {
(10) [exec] = noop
(10) remove_reply_message_if_eap remove_reply_message_if_eap {
(10) if (reply:EAP-Message && reply:Reply-Message)
(10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(10) else else {
(10) [noop] = noop
(10) } # else else = noop
(10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10) } # post-auth = noop
Sending Access-Accept Id 68 from 127.0.0.1:1812 to 127.0.0.1:35433
MS-MPPE-Recv-Key =
0xba01a942a8b3dfda0603e53c13c857c7d1a76001693e7ca2d16dec6e0f9b7077
MS-MPPE-Send-Key =
0x6bab05ab2b1e70f9f7509cea40e5f580bea110c5804f19833e6544bb8ea44f56
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'testuser'
(10) Finished request
Waking up in 0.2 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 58 with timestamp +28
(1) Cleaning up request packet ID 59 with timestamp +28
(2) Cleaning up request packet ID 60 with timestamp +28
(3) Cleaning up request packet ID 61 with timestamp +28
(4) Cleaning up request packet ID 62 with timestamp +28
(5) Cleaning up request packet ID 63 with timestamp +28
(6) Cleaning up request packet ID 64 with timestamp +28
(7) Cleaning up request packet ID 65 with timestamp +28
(8) Cleaning up request packet ID 66 with timestamp +28
(9) Cleaning up request packet ID 67 with timestamp +28
(10) Cleaning up request packet ID 68 with timestamp +28
Ready to process requests.
radiusd output eap-ttls/autheap=md5
[1mradiusd: FreeRADIUS Version 3.0.3, for host x86_64-redhat-linux-gnu,
built on Jun 3 2014 at 12:39:33[0m
[1mCopyright (C) 1999-2014 The FreeRADIUS server project and
contributors[0m
[1mThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A[0m
[1mPARTICULAR PURPOSE[0m
[1mYou may redistribute copies of FreeRADIUS under the terms of the[0m
[1mGNU General Public License[0m
[1mFor more information about these matters, see the file named
COPYRIGHT[0m
[1mStarting - reading configuration files ...[0m
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/detail.log
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = "CVE-2014-0160"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_exec
# Instantiating module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for
entry lanforge ...
[/etc/raddb/mods-config/files/authorize]:6 Cistron compatibility checks for
entry testuser ...
[/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:202 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for
entry lanforge ...
[/etc/raddb/mods-config/files/authorize]:6 Cistron compatibility checks for
entry testuser ...
[/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:202 Cistron compatibility checks
for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/etc/raddb/mods-enabled/replicate
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Instantiating module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 46457
Ready to process requests.
Received Access-Request Id 69 from 127.0.0.1:35433 to 127.0.0.1:1812 length
199
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x025c000d017465737475736572
Message-Authenticator = 0x1e1963353af55f1a65eb716257a1e5ec
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> testuser
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /(a)\\./)
(0) if (User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : EAP packet type response id 92 length 13
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply
0x50d301f2508e05e4
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 69 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message = 0x015d00160410b3641ca954151e4533a20422cc0d5499
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d301f2508e05e49f3c072d4998f54e
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 70 from 127.0.0.1:35433 to 127.0.0.1:1812 length
210
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x025d00060315
State = 0x50d301f2508e05e49f3c072d4998f54e
Message-Authenticator = 0x72f583eed65978a196eef4b1230c8969
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (User-Name != "%{tolower:%{User-Name}}")
(1) EXPAND %{tolower:%{User-Name}}
(1) --> testuser
(1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) if (User-Name =~ / /)
(1) if (User-Name =~ / /) -> FALSE
(1) if (User-Name =~ /@.*@/ )
(1) if (User-Name =~ /@.*@/ ) -> FALSE
(1) if (User-Name =~ /\\.\\./ )
(1) if (User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (User-Name =~ /\\.$/)
(1) if (User-Name =~ /\\.$/) -> FALSE
(1) if (User-Name =~ /(a)\\./)
(1) if (User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : EAP packet type response id 93 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files : users: Matched entry testuser at line 6
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x50d301f2508e05e4
(1) eap : Finished EAP session with state 0x50d301f2508e05e4
(1) eap : Previous EAP request found for state 0x50d301f2508e05e4, released
from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type TTLS (21)
(1) eap : Calling eap_ttls to process EAP data
(1) eap_ttls : Flushing SSL sessions (of #0)
(1) eap_ttls : Initiate
(1) eap_ttls : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply
0x50d301f2518d14e4
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 70 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message = 0x015e00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d301f2518d14e49f3c072d4998f54e
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 71 from 127.0.0.1:35433 to 127.0.0.1:1812 length
455
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x025e00fb150016030100f0010000ec030355db9f58716436253836d68898c5a8dcc1dcd5798cb7577260ef17cf8ba35277000084c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c00800160013c00dc003000ac02fc02bc027c023c013c00900a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f009600410007c011c007c00cc0020005000400ff0100003f000b000403000102000a00080006001900180017000d002200200601060206030501050205030401040204030301030203030201020202030101000f000101
State = 0x50d301f2518d14e49f3c072d4998f54e
Message-Authenticator = 0xcd476cd25bce3078ad79a7fc0114694e
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2) --> testuser
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /(a)\\./)
(2) if (User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : EAP packet type response id 94 length 251
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x50d301f2518d14e4
(2) eap : Finished EAP session with state 0x50d301f2518d14e4
(2) eap : Previous EAP request found for state 0x50d301f2518d14e4, released
from the list
(2) eap : Peer sent TTLS (21)
(2) eap : EAP TTLS (21)
(2) eap : Calling eap_ttls to process EAP data
(2) eap_ttls : Authenticate
(2) eap_ttls : processing EAP-TLS
(2) eap_ttls : eaptls_verify returned 7
(2) eap_ttls : Done initial handshake
(2) eap_ttls : (other): before/accept initialization
(2) eap_ttls : TLS_accept: before/accept initialization
(2) eap_ttls : <<< TLS 1.0 Handshake [length 00f0], ClientHello
(2) eap_ttls : TLS_accept: SSLv3 read client hello A
(2) eap_ttls : >>> TLS 1.0 Handshake [length 005e], ServerHello
(2) eap_ttls : TLS_accept: SSLv3 write server hello A
(2) eap_ttls : >>> TLS 1.0 Handshake [length 0919], Certificate
(2) eap_ttls : TLS_accept: SSLv3 write certificate A
(2) eap_ttls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_ttls : TLS_accept: SSLv3 write key exchange A
(2) eap_ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_ttls : TLS_accept: SSLv3 write server done A
(2) eap_ttls : TLS_accept: SSLv3 flush data
(2) eap_ttls : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_ttls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply
0x50d301f2528c14e4
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge Id 71 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x015f03ec15c000000ada160301005e0200005a030155db9f584db34533da4fee646fb40168204255dcf2fa3ed4953b699db4776a7d209016094a0dd1b7a76e0e05e547fa1af2e5d1de4a0360ef30daaa052a58d60a2fc014000012ff01000100000b000403000102000f00010116030109190b0009150009120003fd308203f9308202e1a00302010202021004300d06092a864886f70d01010505003081a1310b3009060355040613025553310b30090603550408130257413111300f060355040713084665726e64616c6531223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303332343139303335385a170d3238313133303139303335385a30818b310b3009060355040613025553310b300906035504081302574131223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d30820122300d06092
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d301f2528c14e49f3c072d4998f54e
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 72 from 127.0.0.1:35433 to 127.0.0.1:1812 length
210
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x025f00061500
State = 0x50d301f2528c14e49f3c072d4998f54e
Message-Authenticator = 0x0d0c97b08ee84812e23243f4490db586
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (User-Name != "%{tolower:%{User-Name}}")
(3) EXPAND %{tolower:%{User-Name}}
(3) --> testuser
(3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) if (User-Name =~ / /)
(3) if (User-Name =~ / /) -> FALSE
(3) if (User-Name =~ /@.*@/ )
(3) if (User-Name =~ /@.*@/ ) -> FALSE
(3) if (User-Name =~ /\\.\\./ )
(3) if (User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (User-Name =~ /\\.$/)
(3) if (User-Name =~ /\\.$/) -> FALSE
(3) if (User-Name =~ /(a)\\./)
(3) if (User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : EAP packet type response id 95 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x50d301f2528c14e4
(3) eap : Finished EAP session with state 0x50d301f2528c14e4
(3) eap : Previous EAP request found for state 0x50d301f2528c14e4, released
from the list
(3) eap : Peer sent TTLS (21)
(3) eap : EAP TTLS (21)
(3) eap : Calling eap_ttls to process EAP data
(3) eap_ttls : Authenticate
(3) eap_ttls : processing EAP-TLS
(3) eap_ttls : Received TLS ACK
(3) eap_ttls : Received TLS ACK
(3) eap_ttls : ACK handshake fragment handler
(3) eap_ttls : eaptls_verify returned 1
(3) eap_ttls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply
0x50d301f253b314e4
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge Id 72 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x016003ec15c000000ada0bb6c0da3a6f7818873f0279d606e0aeb56f2c2fff8928c6c5eef941db3bc116bbefb9eaa41733c0aa19ab2d764b47e75056a665144fbb09951b20559e50ad910303fd0f3c1eae82526b96e604e51e0e78c5b93b85044d1f27ef07b017dd151e74a778d28c73caa95dee831fc8fa6c02c98d0d8606d2f2a72e7aa15715a710ef07e3e73c76c87c5a5ddee6427a00050f3082050b308203f3a003020102020900a2f025aae13c9c30300d06092a864886f70d01010505003081a1310b3009060355040613025553310b30090603550408130257413111300f060355040713084665726e64616c6531223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3135303332343139303335385a170d3238313133303139303335385a3081a1310b3009060355040613025553310b30090603550408130257413111300f060355040713084665726e64616c6531223020060355040a131943616e64656c6120546563686e6f6c6f6769657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e646
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d301f253b314e49f3c072d4998f54e
(3) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 73 from 127.0.0.1:35433 to 127.0.0.1:1812 length
210
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message = 0x026000061500
State = 0x50d301f253b314e49f3c072d4998f54e
Message-Authenticator = 0x908f1679efeb92e028fc30a7dcb9b7ba
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (User-Name != "%{tolower:%{User-Name}}")
(4) EXPAND %{tolower:%{User-Name}}
(4) --> testuser
(4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) if (User-Name =~ / /)
(4) if (User-Name =~ / /) -> FALSE
(4) if (User-Name =~ /@.*@/ )
(4) if (User-Name =~ /@.*@/ ) -> FALSE
(4) if (User-Name =~ /\\.\\./ )
(4) if (User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (User-Name =~ /\\.$/)
(4) if (User-Name =~ /\\.$/) -> FALSE
(4) if (User-Name =~ /(a)\\./)
(4) if (User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) eap : EAP packet type response id 96 length 6
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x50d301f253b314e4
(4) eap : Finished EAP session with state 0x50d301f253b314e4
(4) eap : Previous EAP request found for state 0x50d301f253b314e4, released
from the list
(4) eap : Peer sent TTLS (21)
(4) eap : EAP TTLS (21)
(4) eap : Calling eap_ttls to process EAP data
(4) eap_ttls : Authenticate
(4) eap_ttls : processing EAP-TLS
(4) eap_ttls : Received TLS ACK
(4) eap_ttls : Received TLS ACK
(4) eap_ttls : ACK handshake fragment handler
(4) eap_ttls : eaptls_verify returned 1
(4) eap_ttls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply
0x50d301f254b214e4
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge Id 73 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x01610320158000000ada69657320496e632e3126302406092a864886f70d0109011617737570706f72744063616e64656c61746563682e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a2f025aae13c9c30300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d0101050500038201010080f321d1943c002ab4437a720d11daec43be07fdd539a7a17ab1841578cb5c19382dfe5ddb526c247f057b0d6486f23336d7465d4f5bdbc1338c97ad3a4b39b7917a091ed5c8c5c9c16bf0eda8087251516e44a62cf70d7be0c2ab4a8e415e5b03e40d28e40a3d2ddb4e96affa65080ae19fea6a3f9fb6a7daf4a6b43cb901fc7f1446099a5fc80c530839222f948eab2c070e76e34f15e29abdd9f58bf6a84d3493137c3b9cce7f587bc4b32d9e17c587fc2fa0d73965277a12f9858557d303adbc2b59d566989bcfa43dafa87e5bab4d2ff5aa1755f65658bf4c35aec45b9b852dac4f89d7ad5038e4cd12c34b1d0da5e01f4f3b20626b81a1701adc84393e160301014b0c0001470300174104fbf2d53615bc5c819ef155d1dfa5071da42b39e57fd34ec2646ddf46a2dfeb45208
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d301f254b214e49f3c072d4998f54e
(4) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 74 from 127.0.0.1:35433 to 127.0.0.1:1812 length
344
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x0261008c1500160301004610000042410423e3dfe2477a63232b6e4fccf08158a5924191052d1a251f00c953ebbc3523599aa6f86a24ce4193484477c0090530017619efcfc52af399d120d9b74d1be5821403010001011603010030d112d500999066dba189d981474584fc8bfa41a8840b2470a0ae3ce511b8f008c0cb43fe1b296f26781f3cde714b03f9
State = 0x50d301f254b214e49f3c072d4998f54e
Message-Authenticator = 0x825ea105175bc59e94ff872a81b99d10
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (User-Name != "%{tolower:%{User-Name}}")
(5) EXPAND %{tolower:%{User-Name}}
(5) --> testuser
(5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) if (User-Name =~ / /)
(5) if (User-Name =~ / /) -> FALSE
(5) if (User-Name =~ /@.*@/ )
(5) if (User-Name =~ /@.*@/ ) -> FALSE
(5) if (User-Name =~ /\\.\\./ )
(5) if (User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (User-Name =~ /\\.$/)
(5) if (User-Name =~ /\\.$/) -> FALSE
(5) if (User-Name =~ /(a)\\./)
(5) if (User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) eap : EAP packet type response id 97 length 140
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x50d301f254b214e4
(5) eap : Finished EAP session with state 0x50d301f254b214e4
(5) eap : Previous EAP request found for state 0x50d301f254b214e4, released
from the list
(5) eap : Peer sent TTLS (21)
(5) eap : EAP TTLS (21)
(5) eap : Calling eap_ttls to process EAP data
(5) eap_ttls : Authenticate
(5) eap_ttls : processing EAP-TLS
(5) eap_ttls : eaptls_verify returned 7
(5) eap_ttls : Done initial handshake
(5) eap_ttls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_ttls : TLS_accept: SSLv3 read client key exchange A
(5) eap_ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_ttls : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_ttls : TLS_accept: SSLv3 read finished A
(5) eap_ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_ttls : TLS_accept: SSLv3 write change cipher spec A
(5) eap_ttls : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_ttls : TLS_accept: SSLv3 write finished A
(5) eap_ttls : TLS_accept: SSLv3 flush data
SSL: adding session
9016094a0dd1b7a76e0e05e547fa1af2e5d1de4a0360ef30daaa052a58d60a2f to cache
(5) eap_ttls : (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_ttls : eaptls_process returned 13
(5) eap : New EAP session, adding 'State' attribute to reply
0x50d301f255b114e4
(5) [eap] = handled
(5) } # authenticate = handled
Sending Access-Challenge Id 74 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x0162004515800000003b14030100010116030100302d049a98a8f080fea5ed9220f940a8ee70324e43ed9e93d80f6decc9c0e32c1ac82222b1b19e56f79eeb753cdc90513f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d301f255b114e49f3c072d4998f54e
(5) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 75 from 127.0.0.1:35433 to 127.0.0.1:1812 length
300
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x02620060150017030100207ea8b262a94e87b5234baae2960c2d8facdc610d567f3bab979a0f3c8a7077121703010030a7e47e5b30b3a97a92fba6aacfe6533fee5f3dc6b8fe386160c71b022a3fb6184edb679f240fb32ee8e6580fb82d71da
State = 0x50d301f255b114e49f3c072d4998f54e
Message-Authenticator = 0x7113dafe2b68a99d6e9d20b902c5688e
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (User-Name != "%{tolower:%{User-Name}}")
(6) EXPAND %{tolower:%{User-Name}}
(6) --> testuser
(6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) if (User-Name =~ / /)
(6) if (User-Name =~ / /) -> FALSE
(6) if (User-Name =~ /@.*@/ )
(6) if (User-Name =~ /@.*@/ ) -> FALSE
(6) if (User-Name =~ /\\.\\./ )
(6) if (User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (User-Name =~ /\\.$/)
(6) if (User-Name =~ /\\.$/) -> FALSE
(6) if (User-Name =~ /(a)\\./)
(6) if (User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) eap : EAP packet type response id 98 length 96
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0x50d301f255b114e4
(6) eap : Finished EAP session with state 0x50d301f255b114e4
(6) eap : Previous EAP request found for state 0x50d301f255b114e4, released
from the list
(6) eap : Peer sent TTLS (21)
(6) eap : EAP TTLS (21)
(6) eap : Calling eap_ttls to process EAP data
(6) eap_ttls : Authenticate
(6) eap_ttls : processing EAP-TLS
(6) eap_ttls : eaptls_verify returned 7
(6) eap_ttls : Done initial handshake
(6) eap_ttls : eaptls_process returned 7
(6) eap_ttls : Session established. Proceeding to decode tunneled
attributes.
(6) eap_ttls : Got tunneled request
EAP-Message = 0x0200000d017465737475736572
(6) eap_ttls : Got tunneled identity of testuser
(6) eap_ttls : Setting default EAP type for tunneled EAP session.
(6) eap_ttls : Sending tunneled request
EAP-Message = 0x0200000d017465737475736572
User-Name = 'testuser'
server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) Proxy-To-Realm := 'LOCAL'
(6) } # update control = noop
(6) eap : EAP packet type response id 0 length 13
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap : Peer sent Identity (1)
(6) eap : Calling eap_md5 to process EAP data
(6) eap_md5 : Issuing MD5 Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0xc301a575c300a1f9
(6) [eap] = handled
(6) } # authenticate = handled
} # server inner-tunnel
(6) eap_ttls : Got tunneled reply code 11
EAP-Message = 0x0101001604105792cb508a0c0a2fbb7a527d155230a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc301a575c300a1f9b738300baef24065
(6) eap_ttls : Got tunneled Access-Challenge
(6) eap : New EAP session, adding 'State' attribute to reply
0x50d301f256b014e4
(6) [eap] = handled
(6) } # authenticate = handled
Sending Access-Challenge Id 75 from 127.0.0.1:1812 to 127.0.0.1:35433
EAP-Message =
0x0163004f1580000000451703010040e1174a3efa0dd5a00aa5494cd878f1949acb9e63883254544b7072953d48be56d929b37cfc30840b827e99b545e44151eb9fd27e871170152c16068221086f90
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50d301f256b014e49f3c072d4998f54e
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 76 from 127.0.0.1:35433 to 127.0.0.1:1812 length
316
User-Name = 'testuser'
NAS-IP-Address = 127.0.0.1
Called-Station-Id = '04-F0-21-17-94-44:ac-vap-ch149'
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Calling-Station-Id = '04-F0-21-E7-56-41'
Connect-Info = 'CONNECT 54Mbps 802.11a'
Acct-Session-Id = '55DB92D7-00000007'
X-Ascend-Home-Agent-UDP-Port = 1027076
X-Ascend-Multilink-ID = 1027074
X-Ascend-Num-In-Multilink = 1027073
Framed-MTU = 1400
EAP-Message =
0x0263007015001703010020e06ee46476e095c41e67b99cebf1e4247fec25b3ecd26c9c3861e69cd3aeb51317030100409e6b93afcaa0cc118fdc9f334fb4330860da522423d57eceb4e6c844ec9ef16a7e4cff2b6493fbc3ee8e18bed186c1c1353ef86b9909e09a74b3a8c7191306bd
State = 0x50d301f256b014e49f3c072d4998f54e
Message-Authenticator = 0xfa22560254781849b5ec116212e464a4
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (User-Name != "%{tolower:%{User-Name}}")
(7) EXPAND %{tolower:%{User-Name}}
(7) --> testuser
(7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) if (User-Name =~ / /)
(7) if (User-Name =~ / /) -> FALSE
(7) if (User-Name =~ /@.*@/ )
(7) if (User-Name =~ /@.*@/ ) -> FALSE
(7) if (User-Name =~ /\\.\\./ )
(7) if (User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (User-Name =~ /\\.$/)
(7) if (User-Name =~ /\\.$/) -> FALSE
(7) if (User-Name =~ /(a)\\./)
(7) if (User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) eap : EAP packet type response id 99 length 112
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0xc301a575c300a1f9
(7) eap : Finished EAP session with state 0x50d301f256b014e4
(7) eap : Previous EAP request found for state 0x50d301f256b014e4, released
from the list
(7) eap : Peer sent TTLS (21)
(7) eap : EAP TTLS (21)
(7) eap : Calling eap_ttls to process EAP data
(7) eap_ttls : Authenticate
(7) eap_ttls : processing EAP-TLS
(7) eap_ttls : eaptls_verify returned 7
(7) eap_ttls : Done initial handshake
(7) eap_ttls : eaptls_process returned 7
(7) eap_ttls : Session established. Proceeding to decode tunneled
attributes.
(7) eap_ttls : Got tunneled request
EAP-Message = 0x020100160410ba01eba69294cd1d8c7a8e6d35630693
(7) eap_ttls : Sending tunneled request
EAP-Message = 0x020100160410ba01eba69294cd1d8c7a8e6d35630693
User-Name = 'testuser'
State = 0xc301a575c300a1f9b738300baef24065
server inner-tunnel {
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : EAP packet type response id 1 length 22
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) files : users: Matched entry testuser at line 6
(7) [files] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) WARNING: pap : Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Expiring EAP session with state 0xc301a575c300a1f9
(7) eap : Finished EAP session with state 0xc301a575c300a1f9
(7) eap : Previous EAP request found for state 0xc301a575c300a1f9, released
from the list
(7) eap : Peer sent MD5 (4)
(7) eap : EAP MD5 (4)
(7) eap : Calling eap_md5 to process EAP data
(7) eap : Freeing handler
(7) [eap] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(7) (null) post-auth { ... } # empty sub-section is ignored
} # server inner-tunnel
(7) eap_ttls : Got tunneled reply code 2
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'testuser'
(7) eap_ttls : Got tunneled Access-Accept
(7) WARNING: eap_ttls : No information to cache: session caching will be
disabled for session
9016094a0dd1b7a76e0e05e547fa1af2e5d1de4a0360ef30daaa052a58d60a2f
SSL: Removing session
9016094a0dd1b7a76e0e05e547fa1af2e5d1de4a0360ef30daaa052a58d60a2f from the
cache
(7) eap : Freeing handler
rlm_eap_ttls: Freeing handler for user testuser
(7) [eap] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(7) post-auth {
(7) [exec] = noop
(7) remove_reply_message_if_eap remove_reply_message_if_eap {
(7) if (reply:EAP-Message && reply:Reply-Message)
(7) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(7) else else {
(7) [noop] = noop
(7) } # else else = noop
(7) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(7) } # post-auth = noop
Sending Access-Accept Id 76 from 127.0.0.1:1812 to 127.0.0.1:35433
MS-MPPE-Recv-Key =
0x4a4d9dfb87504956f93d37026a663aef7e83282c328bfcf16d830d6410f47dd9
MS-MPPE-Send-Key =
0x652c8825bf925a95a7c7776c3bc73dd67f8387c570977550015dea4a6d6c23ad
EAP-Message = 0x03630004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'testuser'
(7) Finished request
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
4
8
On Tue, Aug 25, 2015 at 04:26:38PM -0700, Siddharth Katragadda wrote:
> With the noop change, I get:
>
> 145) [passwd] = ok
> (145) if ("%{escape:%{control:EAP-Sim-Rand1}}"=="h"){
> (145) EXPAND %{escape:%{control:EAP-Sim-Rand1}}
> (145) -->
So it expanded to nothing.
> (145) if ("%{escape:%{control:EAP-Sim-Rand1}}"=="h") -> FALSE
> (145) eap: Peer sent EAP Response (code 2) ID 2 length 6
>
> Does this mean passwd is not saving the values properly after reading them
> from simtriplets.dat?
Or you're reading the wrong file, or something else simple like
that. There's been no significant code changes in rlm_passwd
between 3.0.9 and HEAD, so if it works here then you must have
something wrong in your config. And I used the config you posted
verbatim, so it's probably something very obscure, or more likely
blindingly simple.
Start with a completely clean install. Just set up rlm_passwd to
read the file, no need for eap or anything else like that. Send in
a request, and see if it gets EAP-Sim-Rand1 as expected with the
above expansion. That's what I had here. If so then you've got
something wrong in your config, so start diffing to work out what.
If the simple config doesn't work as expected, post the *whole*
debug output to the list, rather than small bits of it, which
leaves everyone guessing and is incredibly annoying.
Matthew
--
Matthew Newton, Ph.D. <mcn4(a)le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp(a)le.ac.uk>
1
0