Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2015
- 78 participants
- 98 discussions
Hello
I use freeradius 3.0.9 , PAM module and RSA server (strong authenticator server)
I have a user with a realm (user_realm), with the proxy function and the PAM module on my radius server, I want to forward the request on my RSA server.
I have a problem because the incoming user on my RSA server is user_realm and not user only
As belong my config
- radiusd.conf
original config with adding
proxy_requests = yes
$INCLUDE proxy.conf
- proxy.conf
original config with adding
realm rsa {
authhost = LOCAL
accthost = LOCAL
}
- sites-enabled/default
original config with adding
authorize {
....
underscore
arobase
....
}
authenticate {
....
Auth-Type PAMRSA {
pam-rsa
}
...
}
preacct {
....
underscore
arobase
..
}
- mods-enabled/pam
pam pam-rsa{
pam_auth = rsasecurid
}
- mods-enabled/realm
realm underscore {
format = suffix
delimiter = "_"
}
realm arobase {
format = suffix
delimiter = "@"
}
My error radius.log
(0) Received Access-Request Id 124 from h.j.k.l:35867 to v.w.x.y :1812 length 115
(0) User-Name = " user_rsa "
(0) User-Password = "xxxxx"
(0) NAS-Port = 1
(0) NAS-Port-Id = "tty1"
(0) NAS-Port-Type = Virtual
(0) Calling-Station-Id = "a.b.c.d"
(0) NAS-IP-Address = e.f.g.h
(0) Event-Timestamp = "Aug 20 2015 17:34:04 CEST"
(0) Message-Authenticator = 0xc1a0732bc8b62562111e7479ca859ee0
(0) Proxy-State = 0x313339
(0) # Executing section authorize from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = " user_rsa ", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) sql1: EXPAND %{User-Name}
(0) sql1: --> user_rsa
(0) sql1: SQL-User-Name set to 'a0327_rsa'
rlm_sql (sql1): Reserved connection (1)
(0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql1: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: User found in radcheck table
(0) sql1: Conditional check items matched, merging assignment check items
(0) sql1: Expiration := "Dec 30 2035 00:00:00 CET"
(0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql1: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql1: --> SELECT groupname FROM radusergroup WHERE username = ' user_rsa ' ORDER BY priority
(0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = ' user_rsa ' ORDER BY priority
(0) sql1: User found in the group table
(0) sql1: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(0) sql1: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Group "Rebontux_RSA": Conditional check items matched
(0) sql1: Group "Rebontux_RSA": Merging assignment check items
(0) sql1: Auth-Type := PAMRSA
(0) sql1: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(0) sql1: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Group "Rebontux_RSA": Merging reply items
(0) sql1: Service-Type = Authenticate-Only
rlm_sql (sql1): Released connection (1)
rlm_sql (sql1): 0 of 6 connections in use. Need more spares
rlm_sql (sql1): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on radiustux1-a.l.infra via TCP/IP, server version 5.6.24-enterprise-commercial-advanced-log, protocol version 10
(0) [sql1] = ok
(0) expiration: Account will expire at 'Dec 30 2035 00:00:00 CET'
(0) [expiration] = ok
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = PAMRSA
(0) # Executing group from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/default
(0) Auth-Type PAMRSA {
(0) pam-rsa: Using pamauth string "rsasecurid" for pam.conf lookup
(0) pam-rsa: ERROR: pam_authenticate failed: Authentication failure
(0) [pam-rsa] = reject
(0) } # Auth-Type PAMRSA = reject
(0) Failed to authenticate the user
(0) Login incorrect (pam-rsa: pam_authenticate failed: Authentication failure): [ user_rsa ]
(0) Using Post-Auth-Type Reject
My error rsa.log
unknow user ' user_rsa '
- --
Eric TANGUY
Réseaux et Infrastructures
Informatique DTI
1, rue Louis Lichou
29480 Le Relecq-Kerhuon
www.arkea.com
T. +33(0)298003671
--
Ce message et toutes les pieces jointes (ci-apres le "message") sont
confidentiels et etablis a l'intention exclusive de ses destinataires.
Toute utilisation ou diffusion non autorisee est interdite. Tout
message etant susceptible d'alteration, l'emetteur decline toute
responsabilite au titre de ce message s'il a ete altere, deforme ou
falsifie.
-----------------------------------
This message and any attachments (the "message") are confidential and
intended solely for the addressees. Any unauthorised use or
dissemination is prohibited. As e-mails are susceptible to alteration,
the issuer shall not be liable for the message if altered, changed
or falsified.
3
2
Hi,
One of our sites has run into an issue where they are trying to connect to their server with EAP-TTLS. They've used rad_eap_test on the same machine just to test the connection locally and this is the output log. I'm stumped... I've never seen this error before. Any suggestions will be most appreciated! :-)
-- debug log follows --
freeradius -fxx -l stdout
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/dhcp
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/linelog
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/accounting
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/abfab-tls
including configuration file /etc/freeradius/sites-enabled/abfab-tr-idp
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/channel_bindings
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dynamic = yes
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm muj.prostor {
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
Warning: dh_check failed with 8
: the g value is not a generator
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
default_community = "apc.moonshot.ja.net"
rp_realm = "painless-security.com"
trust_router = "localhost"
tr_port = 0
}
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_exec
# Instantiating module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/freeradius/mods-enabled/dhcp
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
# Loaded module rlm_radutmp
# Instantiating module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_detail
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Loaded module rlm_unpack
# Instantiating module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_replicate
# Instantiating module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Instantiating module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Instantiating module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
usersfile = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/freeradius/mods-config/files/authorize
[/etc/freeradius/mods-config/files/authorize]:1 Cistron compatibility checks for entry testuser ...
[/etc/freeradius/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:197 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/mods-config/files/authorize
[/etc/freeradius/mods-config/files/authorize]:1 Cistron compatibility checks for entry testuser ...
[/etc/freeradius/mods-config/files/authorize]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:197 Cistron compatibility checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server abfab-idp { # from file /etc/freeradius/sites-enabled/abfab-tr-idp
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
} # server abfab-idp
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server channel_bindings { # from file /etc/freeradius/sites-enabled/channel_bindings
# Loading authorize {...}
} # server channel_bindings
/etc/freeradius/policy.d/abfab-tr[29] Please change %{gss-acceptor-host-name}} to &gss-acceptor-host-name}
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
virtual_server = "abfab-idp"
ipaddr = *
port = 2083
proto = "tcp"
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 8192
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
Thread 5 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
clients = "radsec-abfab"
client default {
ipaddr = 0.0.0.0/0
require_message_authenticator = no
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth proto tcp address * port 2083 (TLS) bound to server abfab-idp
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 37846
Ready to process requests
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 0 from 127.0.0.1:56718 to 127.0.0.1:1812 length 151
(0) User-Name = 'testuser(a)muj.prostor'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '70-6F-6C-69-73-68'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'rad_eap_test + eapol_test'
(0) EAP-Message = 0x02000019017465737475736572406d756a2e70726f73746f72
(0) Message-Authenticator = 0xed71a7d4f2b5822548f6f2f3a6a5d07e
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "muj.prostor" for User-Name = "testuser(a)muj.prostor"
(0) suffix: Found realm "muj.prostor"
(0) suffix: Adding Stripped-User-Name = "testuser"
(0) suffix: Adding Realm = "muj.prostor"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap: Peer sent code Response (2) ID 0 length 25
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent method Identity (1)
(0) eap: Calling eap_ttls to process EAP data
(0) eap_ttls: Flushing SSL sessions (of #0)
(0) eap_ttls: Initiate
(0) eap_ttls: Start returned 1
(0) eap: EAP session adding &reply:State = 0x46d103e846d0160f
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:56718 length 64
(0) EAP-Message = 0x010100061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x46d103e846d0160f61e71b3cd5f9b6f6
(0) Finished request
Thread 5 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
(1) Received Access-Request Id 1 from 127.0.0.1:56718 to 127.0.0.1:1812 length 439
(1) User-Name = 'testuser(a)muj.prostor'
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = '70-6F-6C-69-73-68'
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = 'rad_eap_test + eapol_test'
(1) EAP-Message = 0x020101251500160301011a01000116030355dc61f58c4c31193cddd93c26520c7eddc459e4e09204c951b419d67933a97b000082c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c00800160013c00dc003000ac02fc02bc0
(1) State = 0x46d103e846d0160f61e71b3cd5f9b6f6
(1) Message-Authenticator = 0xc80ae9487430191ab0f2a75c134138ff
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "muj.prostor" for User-Name = "testuser(a)muj.prostor"
(1) suffix: Found realm "muj.prostor"
(1) suffix: Adding Stripped-User-Name = "testuser"
(1) suffix: Adding Realm = "muj.prostor"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) eap: Peer sent code Response (2) ID 1 length 293
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x46d103e846d0160f
(1) eap: Finished EAP session with state 0x46d103e846d0160f
(1) eap: Previous EAP request found for state 0x46d103e846d0160f, released from the list
(1) eap: Peer sent method TTLS (21)
(1) eap: EAP TTLS (21)
(1) eap: Calling eap_ttls to process EAP data
(1) eap_ttls: Authenticate
(1) eap_ttls: processing EAP-TLS
(1) eap_ttls: eaptls_verify returned 7
(1) eap_ttls: Done initial handshake
(1) eap_ttls: (other): before/accept initialization
(1) eap_ttls: TLS_accept: before/accept initialization
(1) eap_ttls: <<< Unknown TLS version [length 011a]
(1) eap_ttls: TLS_accept: SSLv3 read client hello A
(1) eap_ttls: >>> Unknown TLS version [length 005e]
(1) eap_ttls: TLS_accept: SSLv3 write server hello A
(1) eap_ttls: >>> Unknown TLS version [length 08d0]
(1) eap_ttls: TLS_accept: SSLv3 write certificate A
(1) eap_ttls: >>> Unknown TLS version [length 014d]
(1) eap_ttls: TLS_accept: SSLv3 write key exchange A
(1) eap_ttls: >>> Unknown TLS version [length 0004]
(1) eap_ttls: TLS_accept: SSLv3 write server done A
(1) eap_ttls: TLS_accept: SSLv3 flush data
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_ttls: eaptls_process returned 13
(1) eap: EAP session adding &reply:State = 0x46d103e847d3160f
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:56718 length 1068
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 2, (1 handled so far)
(2) Received Access-Request Id 2 from 127.0.0.1:56718 to 127.0.0.1:1812 length 150
(2) User-Name = 'testuser(a)muj.prostor'
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = '70-6F-6C-69-73-68'
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = 'rad_eap_test + eapol_test'
(2) EAP-Message = 0x020200061500
(2) State = 0x46d103e847d3160f61e71b3cd5f9b6f6
(2) Message-Authenticator = 0x84302ab07957fd907f96539016886952
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "muj.prostor" for User-Name = "testuser(a)muj.prostor"
(2) suffix: Found realm "muj.prostor"
(2) suffix: Adding Stripped-User-Name = "testuser"
(2) suffix: Adding Realm = "muj.prostor"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) eap: Peer sent code Response (2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x46d103e847d3160f
(2) eap: Finished EAP session with state 0x46d103e847d3160f
(2) eap: Previous EAP request found for state 0x46d103e847d3160f, released from the list
(2) eap: Peer sent method TTLS (21)
(2) eap: EAP TTLS (21)
(2) eap: Calling eap_ttls to process EAP data
(2) eap_ttls: Authenticate
(2) eap_ttls: processing EAP-TLS
(2) eap_ttls: Received TLS ACK
(2) eap_ttls: Received TLS ACK
(2) eap_ttls: ACK handshake fragment handler
(2) eap_ttls: eaptls_verify returned 1
(2) eap_ttls: eaptls_process returned 13
(2) eap: EAP session adding &reply:State = 0x46d103e844d2160f
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:56718 length 1068
(2) EAP-Message = 0x010303ec15c000000a93e2c34c916a4923a0a7cb7d119c2dd6e88d64047881f0345c6a783e137e4ad1b43a5d9ab52cc0c73125f99bfef62dbf29ad4bdd1cf290f17fb81e3561fee9cd6dd01ee4bec7dc5e0a41c8556d075599629772825b591745e91a70039acdd4ea1b08bddefeb11003f1d66b8f4faa
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x46d103e844d2160f61e71b3cd5f9b6f6
(2) Finished request
Thread 3 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 3, (1 handled so far)
(3) Received Access-Request Id 3 from 127.0.0.1:56718 to 127.0.0.1:1812 length 150
(3) User-Name = 'testuser(a)muj.prostor'
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = '70-6F-6C-69-73-68'
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = 'rad_eap_test + eapol_test'
(3) EAP-Message = 0x020300061500
(3) State = 0x46d103e844d2160f61e71b3cd5f9b6f6
(3) Message-Authenticator = 0x11e45ebcedd7f01a46e41f4b533fa08e
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (!&User-Name) {
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "muj.prostor" for User-Name = "testuser(a)muj.prostor"
(3) suffix: Found realm "muj.prostor"
(3) suffix: Adding Stripped-User-Name = "testuser"
(3) suffix: Adding Realm = "muj.prostor"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) eap: Peer sent code Response (2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x46d103e844d2160f
(3) eap: Finished EAP session with state 0x46d103e844d2160f
(3) eap: Previous EAP request found for state 0x46d103e844d2160f, released from the list
(3) eap: Peer sent method TTLS (21)
(3) eap: EAP TTLS (21)
(3) eap: Calling eap_ttls to process EAP data
(3) eap_ttls: Authenticate
(3) eap_ttls: processing EAP-TLS
(3) eap_ttls: Received TLS ACK
(3) eap_ttls: Received TLS ACK
(3) eap_ttls: ACK handshake fragment handler
(3) eap_ttls: eaptls_verify returned 1
(3) eap_ttls: eaptls_process returned 13
(3) eap: EAP session adding &reply:State = 0x46d103e845d5160f
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:56718 length 791
(3) EAP-Message = 0x010402d9158000000a93696361746520417574686f72697479820900aa79031e627d0b9b300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x46d103e845d5160f61e71b3cd5f9b6f6
(3) Finished request
Thread 1 waiting to be assigned a request
(1) EAP-Message = 0x010203ec15c000000a93160303005e0200005a030355dc61f59ac52305bad83957a2594d506564f4919ded134816948fc39c4652072033a218d505462c178a405e16e5bed8f0817d9f80e78b6093836ce2edb7050e38c030000012ff01000100000b000403000102000f00010116030308d00b0008cc00
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x46d103e847d3160f61e71b3cd5f9b6f6
(1) Finished request
Thread 4 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 4, (1 handled so far)
(4) Received Access-Request Id 4 from 127.0.0.1:56718 to 127.0.0.1:1812 length 276
(4) User-Name = 'testuser(a)muj.prostor'
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = '70-6F-6C-69-73-68'
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = 'rad_eap_test + eapol_test'
(4) EAP-Message = 0x020400841500160303004610000042410481a878870091dbc32381894b3e7fba2cb9a93e7b008584396f1cac88db37617f18ba55919a1b9d1015b6029a2eef48a4d927a1db72b840799cc11aee416b97fc14030300010116030300289bb9f986e5ca653f81b6ba7f28e6ee93e19764d9132d5ebcc40fee
(4) State = 0x46d103e845d5160f61e71b3cd5f9b6f6
(4) Message-Authenticator = 0x92430f432b19026a1bbeba45a11720f2
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (!&User-Name) {
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "muj.prostor" for User-Name = "testuser(a)muj.prostor"
(4) suffix: Found realm "muj.prostor"
(4) suffix: Adding Stripped-User-Name = "testuser"
(4) suffix: Adding Realm = "muj.prostor"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) eap: Peer sent code Response (2) ID 4 length 132
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x46d103e845d5160f
(4) eap: Finished EAP session with state 0x46d103e845d5160f
(4) eap: Previous EAP request found for state 0x46d103e845d5160f, released from the list
(4) eap: Peer sent method TTLS (21)
(4) eap: EAP TTLS (21)
(4) eap: Calling eap_ttls to process EAP data
(4) eap_ttls: Authenticate
(4) eap_ttls: processing EAP-TLS
(4) eap_ttls: eaptls_verify returned 7
(4) eap_ttls: Done initial handshake
(4) eap_ttls: <<< Unknown TLS version [length 0046]
(4) eap_ttls: TLS_accept: SSLv3 read client key exchange A
(4) eap_ttls: <<< Unknown TLS version [length 0001]
(4) eap_ttls: <<< Unknown TLS version [length 0010]
(4) eap_ttls: TLS_accept: SSLv3 read finished A
(4) eap_ttls: >>> Unknown TLS version [length 0001]
(4) eap_ttls: TLS_accept: SSLv3 write change cipher spec A
(4) eap_ttls: >>> Unknown TLS version [length 0010]
(4) eap_ttls: TLS_accept: SSLv3 write finished A
(4) eap_ttls: TLS_accept: SSLv3 flush data
SSL: adding session 33a218d505462c178a405e16e5bed8f0817d9f80e78b6093836ce2edb7050e38 to cache
(4) eap_ttls: (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_ttls: eaptls_process returned 13
(4) eap: EAP session adding &reply:State = 0x46d103e842d4160f
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:56718 length 119
(4) EAP-Message = 0x0105003d1580000000331403030001011603030028d2f96f0244ac87d5119f22c6ae3674bc26cad6b86e55ba9bcf36306e4fd27a4c435176c40bac962d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x46d103e842d4160f61e71b3cd5f9b6f6
(4) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 5, (2 handled so far)
(5) Received Access-Request Id 5 from 127.0.0.1:56718 to 127.0.0.1:1812 length 299
(5) User-Name = 'testuser(a)muj.prostor'
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = '70-6F-6C-69-73-68'
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = 'rad_eap_test + eapol_test'
(5) EAP-Message = 0x0205009b150017030300909bb9f986e5ca65406ad6d8a5567e4030dd6799f0d9e62358ccb7757c9dc4e604195a0f82566daf76417338606b1bd876e23263daa71a931ea157e4a1f2d869b4a1c41b135062418f2d930e5f670f351de2b29881ad79287339240d86db4e56e2c1e583df8e12f998e33ebdef
(5) State = 0x46d103e842d4160f61e71b3cd5f9b6f6
(5) Message-Authenticator = 0x06a44849163989b16f3b13a91e6847b9
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (!&User-Name) {
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "muj.prostor" for User-Name = "testuser(a)muj.prostor"
(5) suffix: Found realm "muj.prostor"
(5) suffix: Adding Stripped-User-Name = "testuser"
(5) suffix: Adding Realm = "muj.prostor"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) eap: Peer sent code Response (2) ID 5 length 155
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x46d103e842d4160f
(5) eap: Finished EAP session with state 0x46d103e842d4160f
(5) eap: Previous EAP request found for state 0x46d103e842d4160f, released from the list
(5) eap: Peer sent method TTLS (21)
(5) eap: EAP TTLS (21)
(5) eap: Calling eap_ttls to process EAP data
(5) eap_ttls: Authenticate
(5) eap_ttls: processing EAP-TLS
(5) eap_ttls: eaptls_verify returned 7
(5) eap_ttls: Done initial handshake
(5) eap_ttls: eaptls_process returned 7
(5) eap_ttls: Session established. Proceeding to decode tunneled attributes
(5) eap_ttls: Tunneled challenge is incorrect
SSL: Removing session 33a218d505462c178a405e16e5bed8f0817d9f80e78b6093836ce2edb7050e38 from the cache
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> testuser(a)muj.prostor
(5) attr_filter.access_reject: Matched entry DEFAULT at line 18
(5) [attr_filter.access_reject] = updated
(5) eap: Reply already contained an EAP-Message, not inserting EAP-Failure
(5) [eap] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Thread 5 waiting to be assigned a request
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 5 from 127.0.0.1:1812 to 127.0.0.1:56718 length 44
(5) EAP-Message = 0x04050004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) <done>: Cleaning up request packet ID 0 with timestamp +14
(1) <done>: Cleaning up request packet ID 1 with timestamp +14
(2) <done>: Cleaning up request packet ID 2 with timestamp +14
(3) <done>: Cleaning up request packet ID 3 with timestamp +14
(4) <done>: Cleaning up request packet ID 4 with timestamp +14
(5) Cleaning up request packet ID 5 with timestamp +14
Ready to process requests
-- debug log ends --
Thank you :-)
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp(a)jabber.dev.ja.net
skype: stefan.paetow.janet
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
2
2
Hi List,
Is there a way to set a connect timeout for a MySQL-Server? At the
moment it seems to be a bit longer then 60 seconds, but I cannot find
where this is set (Using freeradius 3.0.9).
Thanks for your help
Susan
--
S.Barnes
Cologne University IT/Networking Dept.
2
5
No Pool-Name defined - how should I connect an IP poolwith an APN or requests from a specific NAS?
by Sophie Loewenthal 24 Aug '15
by Sophie Loewenthal 24 Aug '15
24 Aug '15
Hi,
We have FreeRadius running on Centos 6 (
freeradius-2.1.12-1.el6.x86_64) . I have a new NAS set up and I would
like to have a Pool configured for this.
We have several existing NAS and Pool_Names set up that work. They were
configured by a previous team.
I cannot find the logic between how an incoming request for IP
allocation and a Pool-Name. The message was,
Mon Aug 24 10:39:10 2015 : Auth: Login OK: [0000008fa] (from client
v-nas-x2x port 9380 cli 882393728079768)
Mon Aug 24 10:39:10 2015 : Info: No Pool-Name defined (did
x2x.v.trimbletl.com cli 882393728079768 port 9380 user 0000008fa)
How could I assigned a Pool-Name to requests from our APN?
I should create some IP addresses i radippool for this, but I would
prefer the incoming APN x2x.v.trimbletl.com to use an existing IP pool
for now.
/etc/raddb/users contains some entries,
DEFAULT NAS-IP-Address == 172.200.100.1, Pool-Name := v
DEFAULT NAS-IP-Address == 195.232.123.0, Pool-Name := v-x2x
DEFAULT NAS-IP-Address == 10.123.255.254, Pool-Name := p-c
DEFAULT NAS-IP-Address == 10.123.255.254, Pool-Name := p-m
DEFAULT ramed-IP-Netmask = 255.255.255.255
Our ip pool has four pool_names defined and we have lots of IP addresses,
mysql> select count(*) from radippool;
+----------+
| count(*) |
+----------+
| 422652 |
I've read up on the sqlippool dox and could not how ours worked.
Any ideas?
Kind regards,
Sophie
2
1
Hello all Users,
Freeradius dialupadmin is a very nice and native GUI for Freeradius
2.2. However, it does not work any more after php version 5.3.
I want to start an invitation for raising a fund for developing it so
that it can still work up to php 5.6, and also redesign its GUI to have
a modern outlook.
I think a few hundred US$ will do. If any body is interested, we can
share the expense. 10 participants are cheap enough to complete this
project.
Yours Faithfully,
Timmy
6
7
Hi all,
Are there any official places (i.e. PPAs) to get pre-compiled FreeRADIUS packages later then 3.0.4 from?
"http://packages.networkradius.com/ubuntu trusty main" only has 3.0.4 in it.
I'm after 3.0.9.
Cheers all
Kev/.
3
6
Morning,
Has anyone use freeradius and the built-in dhcp server in freeradius for a
small cable modem plant?
I am using LDAP for the authentication part and it works.
Radius just seems like a much cleaner solution.
So, the idea I have in mind is using freeradius for authentication and go
ahead and use it for DHCP. I will use a SQL database backend to keep track
of users.
So, my question has to do with documentation. Most of seems to be dealing
with version 2, and the main page says.. hey.. do not use version 2 configs
as a starting space.
Also, documentation seems weak on the new DHCP options.
The way I figure it, if I am going to complain about documentation or lack
thereof, I just need to write some documentation and submit to the group.
That being said, some directions in the right direction would help me get
started. I have seen documentation on each of the separate items below, but
not much in tieing it all together.
Platform will be Linux running a standard LAMP installation.
SQL database (mysql, postgress, I do not care) to keep track of
information, specifically the MAC address which will be used for
authentication.
DHCP? Should I use the DHCP built into Radius? Or outside DHCP server. I
kind like the idea of allowing Radius handling it all.
So. At the end, I guess I am looking for some general advice on best
practices of setting this up.
Once I get an overview setup, then I can start working on specifics.
John
5
13
I have configured and working wifi with eap-tls authentication.
I want to use another root ca, so I did the following steps.
openssl genrsa -aes256 -out private/wifi,beta,ca.key 4096
openssl req -new -out cacerts/wifi,beta,ca.pem -subj "/C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca/emailAddress=kjonca(a)poczta.onet.pl" -x509 -days 3650 -extensions v3_ca -key private/wifi,beta,ca.key
openssl req -new -out req.csr -subj "/C=PL/ST=Mazowieckie/O=beta/OU=beta.kjonca/CN=selen.kjonca" -key ../private/selen.kjonca.1.key #this is phone key
openssl ca -in req.csr -cert cacerts/wifi,beta,ca.pem -keyfile private/wifi,beta,ca.key -extensions xpclient_ext -extfile ../xp.ext -out certs/wifi,selen,1.pem
openssl x509 -x509toreq -in certs/wifi,beta-wifi-beta,2,1.pem -out req.csr -signkey private/wifi,beta-wifi-beta,2.key #this is key for freeradius instance
openssl ca -in req.csr -cert cacerts/wifi,beta,ca.pem -keyfile private/wifi,beta,ca.key -out certs/wifi,beta-wifi-beta,2.5.pem
openssl pkcs12 -export -certfile cacerts/wifi,beta,ca.pem -in certs/wifi,selen,1.pem -inkey ../private/selen.kjonca.1.key -out wifi,selen.p12
Then *.p12 file was sent to phone and imported into cert store.
And strange things happen:
When "CA cert" field in wifi network definition is set then phone can't
connect. When is empty - eweything works.
Here some logs.
12:02:28 2015 : Info: Cleaning up request 83 ID 240 with timestamp +1556
Sat Aug 22 12:02:28 2015 : Info: Cleaning up request 84 ID 241 with timestamp +1556
Sat Aug 22 12:02:28 2015 : Info: Cleaning up request 85 ID 242 with timestamp +1556
Sat Aug 22 12:02:28 2015 : Info: Cleaning up request 86 ID 243 with timestamp +1556
Sat Aug 22 12:02:28 2015 : Info: Cleaning up request 87 ID 244 with timestamp +1556
Sat Aug 22 12:02:28 2015 : Info: Cleaning up request 88 ID 245 with timestamp +1556
Sat Aug 22 12:02:28 2015 : Info: Ready to process requests.
Sat Aug 22 12:04:43 2015 : Debug: Thread 5 got semaphore
Sat Aug 22 12:04:43 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:04:43 2015 : Debug: Thread 5 handling request 89, (18 handled so far)
Sat Aug 22 12:04:43 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:43 2015 : Info: +group authorize {
Sat Aug 22 12:04:43 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:04:43 2015 : Info: ++[chap] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[digest] = noop
Sat Aug 22 12:04:43 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:04:43 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:04:43 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:04:43 2015 : Info: [eap] EAP packet type response id 154 length 17
Sat Aug 22 12:04:43 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:04:43 2015 : Info: ++[eap] = updated
Sat Aug 22 12:04:43 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:04:43 2015 : Info: ++[files] = ok
Sat Aug 22 12:04:43 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:04:43 2015 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Sat Aug 22 12:04:43 2015 : Info: ++[pap] = noop
Sat Aug 22 12:04:43 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:04:43 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:04:43 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:43 2015 : Info: +group authenticate {
Sat Aug 22 12:04:43 2015 : Info: [eap] EAP Identity
Sat Aug 22 12:04:43 2015 : Info: [eap] processing type tls
Sat Aug 22 12:04:43 2015 : Info: [tls] Requiring client certificate
Sat Aug 22 12:04:43 2015 : Info: [tls] Initiate
Sat Aug 22 12:04:43 2015 : Info: [tls] Start returned 1
Sat Aug 22 12:04:43 2015 : Info: ++[eap] = handled
Sat Aug 22 12:04:43 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:04:43 2015 : Info: Finished request 89.
Sat Aug 22 12:04:43 2015 : Debug: Going to the next request
Sat Aug 22 12:04:43 2015 : Debug: Thread 5 waiting to be assigned a request
Sat Aug 22 12:04:43 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:04:43 2015 : Debug: Thread 3 got semaphore
Sat Aug 22 12:04:43 2015 : Debug: Thread 3 handling request 90, (19 handled so far)
Sat Aug 22 12:04:43 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:43 2015 : Info: +group authorize {
Sat Aug 22 12:04:43 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:04:43 2015 : Info: ++[chap] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[digest] = noop
Sat Aug 22 12:04:43 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:04:43 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:04:43 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:04:43 2015 : Info: [eap] EAP packet type response id 155 length 204
Sat Aug 22 12:04:43 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:04:43 2015 : Info: ++[eap] = updated
Sat Aug 22 12:04:43 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:04:43 2015 : Info: ++[files] = ok
Sat Aug 22 12:04:43 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[pap] = noop
Sat Aug 22 12:04:43 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:04:43 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:04:43 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:43 2015 : Info: +group authenticate {
Sat Aug 22 12:04:43 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:04:43 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:04:43 2015 : Info: [eap] processing type tls
Sat Aug 22 12:04:43 2015 : Info: [tls] Authenticate
Sat Aug 22 12:04:43 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:04:43 2015 : Info: [tls] eaptls_verify returned 7
Sat Aug 22 12:04:43 2015 : Info: [tls] Done initial handshake
Sat Aug 22 12:04:43 2015 : Info: [tls] (other): before/accept initialization
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: before/accept initialization
Sat Aug 22 12:04:43 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:04:43 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 00c1], ClientHello
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 0695], Certificate
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:04:43 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:43 2015 : Info: [tls] TLS_accept: Need to read more data: unknown state
Sat Aug 22 12:04:43 2015 : Debug: In SSL Handshake Phase
Sat Aug 22 12:04:43 2015 : Debug: In SSL Accept mode
Sat Aug 22 12:04:43 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:04:43 2015 : Info: ++[eap] = handled
Sat Aug 22 12:04:43 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:04:43 2015 : Info: Finished request 90.
Sat Aug 22 12:04:43 2015 : Debug: Going to the next request
Sat Aug 22 12:04:43 2015 : Debug: Thread 3 waiting to be assigned a request
Sat Aug 22 12:04:43 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:04:43 2015 : Debug: Thread 4 got semaphore
Sat Aug 22 12:04:43 2015 : Debug: Thread 4 handling request 91, (19 handled so far)
Sat Aug 22 12:04:43 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:43 2015 : Info: +group authorize {
Sat Aug 22 12:04:43 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:04:43 2015 : Info: ++[chap] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[digest] = noop
Sat Aug 22 12:04:43 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:04:43 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:04:43 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:04:43 2015 : Info: [eap] EAP packet type response id 156 length 6
Sat Aug 22 12:04:43 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:04:43 2015 : Info: ++[eap] = updated
Sat Aug 22 12:04:43 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:04:43 2015 : Info: ++[files] = ok
Sat Aug 22 12:04:43 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:04:43 2015 : Info: ++[pap] = noop
Sat Aug 22 12:04:43 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:04:43 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:04:43 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:43 2015 : Info: +group authenticate {
Sat Aug 22 12:04:43 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:04:43 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:04:43 2015 : Info: [eap] processing type tls
Sat Aug 22 12:04:43 2015 : Info: [tls] Authenticate
Sat Aug 22 12:04:43 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:04:43 2015 : Info: [tls] Received TLS ACK
Sat Aug 22 12:04:43 2015 : Info: [tls] ACK handshake fragment handler
Sat Aug 22 12:04:43 2015 : Info: [tls] eaptls_verify returned 1
Sat Aug 22 12:04:43 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:04:43 2015 : Info: ++[eap] = handled
Sat Aug 22 12:04:43 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:04:43 2015 : Info: Finished request 91.
Sat Aug 22 12:04:43 2015 : Debug: Going to the next request
Sat Aug 22 12:04:43 2015 : Debug: Thread 4 waiting to be assigned a request
Sat Aug 22 12:04:44 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:04:44 2015 : Debug: Thread 1 got semaphore
Sat Aug 22 12:04:44 2015 : Debug: Thread 1 handling request 92, (19 handled so far)
Sat Aug 22 12:04:44 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:44 2015 : Info: +group authorize {
Sat Aug 22 12:04:44 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:04:44 2015 : Info: ++[chap] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[digest] = noop
Sat Aug 22 12:04:44 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:04:44 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:04:44 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:04:44 2015 : Info: [eap] EAP packet type response id 157 length 253
Sat Aug 22 12:04:44 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:04:44 2015 : Info: ++[eap] = updated
Sat Aug 22 12:04:44 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:04:44 2015 : Info: ++[files] = ok
Sat Aug 22 12:04:44 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[pap] = noop
Sat Aug 22 12:04:44 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:04:44 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:04:44 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:44 2015 : Info: +group authenticate {
Sat Aug 22 12:04:44 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:04:44 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:04:44 2015 : Info: [eap] processing type tls
Sat Aug 22 12:04:44 2015 : Info: [tls] Authenticate
Sat Aug 22 12:04:44 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:04:44 2015 : Debug: TLS Length 1577
Sat Aug 22 12:04:44 2015 : Info: [tls] Received EAP-TLS First Fragment of the message
Sat Aug 22 12:04:44 2015 : Info: [tls] eaptls_verify returned 9
Sat Aug 22 12:04:44 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:04:44 2015 : Info: ++[eap] = handled
Sat Aug 22 12:04:44 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:04:44 2015 : Info: Finished request 92.
Sat Aug 22 12:04:44 2015 : Debug: Going to the next request
Sat Aug 22 12:04:44 2015 : Debug: Thread 1 waiting to be assigned a request
Sat Aug 22 12:04:44 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:04:44 2015 : Debug: Thread 2 got semaphore
Sat Aug 22 12:04:44 2015 : Debug: Thread 2 handling request 93, (19 handled so far)
Sat Aug 22 12:04:44 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:44 2015 : Info: +group authorize {
Sat Aug 22 12:04:44 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:04:44 2015 : Info: ++[chap] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[digest] = noop
Sat Aug 22 12:04:44 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:04:44 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:04:44 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:04:44 2015 : Info: [eap] EAP packet type response id 158 length 185
Sat Aug 22 12:04:44 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:04:44 2015 : Info: ++[eap] = updated
Sat Aug 22 12:04:44 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:04:44 2015 : Info: ++[files] = ok
Sat Aug 22 12:04:44 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[pap] = noop
Sat Aug 22 12:04:44 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:04:44 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:04:44 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:44 2015 : Info: +group authenticate {
Sat Aug 22 12:04:44 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:04:44 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:04:44 2015 : Info: [eap] processing type tls
Sat Aug 22 12:04:44 2015 : Info: [tls] Authenticate
Sat Aug 22 12:04:44 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:04:44 2015 : Info: [tls] eaptls_verify returned 7
Sat Aug 22 12:04:44 2015 : Info: [tls] Done initial handshake
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 0493], Certificate
Sat Aug 22 12:04:44 2015 : Info: [tls] chain-depth=1,
Sat Aug 22 12:04:44 2015 : Info: [tls] error=0
Sat Aug 22 12:04:44 2015 : Info: [tls] --> User-Name = selen.kjonca
Sat Aug 22 12:04:44 2015 : Info: [tls] --> BUF-Name = beta-wifi-ca-2
Sat Aug 22 12:04:44 2015 : Info: [tls] --> subject = /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca-2/emailAddress=kjonca(a)poczta.onet.pl
Sat Aug 22 12:04:44 2015 : Info: [tls] --> issuer = /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca-2/emailAddress=kjonca(a)poczta.onet.pl
Sat Aug 22 12:04:44 2015 : Info: [tls] --> verify return:1
Sat Aug 22 12:04:44 2015 : Info: [tls] expand: %{User-Name} -> selen.kjonca
Sat Aug 22 12:04:44 2015 : Info: [tls] checking certificate CN (selen.kjonca) with xlat'ed value (selen.kjonca)
Sat Aug 22 12:04:44 2015 : Info: [tls] chain-depth=0,
Sat Aug 22 12:04:44 2015 : Info: [tls] error=0
Sat Aug 22 12:04:44 2015 : Info: [tls] --> User-Name = selen.kjonca
Sat Aug 22 12:04:44 2015 : Info: [tls] --> BUF-Name = selen.kjonca
Sat Aug 22 12:04:44 2015 : Info: [tls] --> subject = /C=PL/ST=Mazowieckie/O=beta/OU=beta.kjonca/CN=selen.kjonca
Sat Aug 22 12:04:44 2015 : Info: [tls] --> issuer = /C=PL/ST=Mazowieckie/L=Warszawa/O=beta/OU=wifi/CN=beta-wifi-ca-2/emailAddress=kjonca(a)poczta.onet.pl
Sat Aug 22 12:04:44 2015 : Info: [tls] --> verify return:1
Sat Aug 22 12:04:44 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
Sat Aug 22 12:04:44 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
Sat Aug 22 12:04:44 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:04:44 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 0010], Finished
Sat Aug 22 12:04:44 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:44 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:04:44 2015 : Info: [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
Sat Aug 22 12:04:44 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:44 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:04:44 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 0010], Finished
Sat Aug 22 12:04:44 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:44 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:04:44 2015 : Info: [tls] (other): SSL negotiation finished successfully
Sat Aug 22 12:04:44 2015 : Debug: SSL Connection Established
Sat Aug 22 12:04:44 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:04:44 2015 : Info: ++[eap] = handled
Sat Aug 22 12:04:44 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:04:44 2015 : Info: Finished request 93.
Sat Aug 22 12:04:44 2015 : Debug: Going to the next request
Sat Aug 22 12:04:44 2015 : Debug: Thread 2 waiting to be assigned a request
Sat Aug 22 12:04:44 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:04:44 2015 : Debug: Thread 5 got semaphore
Sat Aug 22 12:04:44 2015 : Debug: Thread 5 handling request 94, (19 handled so far)
Sat Aug 22 12:04:44 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:44 2015 : Info: +group authorize {
Sat Aug 22 12:04:44 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:04:44 2015 : Info: ++[chap] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[digest] = noop
Sat Aug 22 12:04:44 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:04:44 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:04:44 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:04:44 2015 : Info: [eap] EAP packet type response id 159 length 6
Sat Aug 22 12:04:44 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:04:44 2015 : Info: ++[eap] = updated
Sat Aug 22 12:04:44 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:04:44 2015 : Info: ++[files] = ok
Sat Aug 22 12:04:44 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:04:44 2015 : Info: ++[pap] = noop
Sat Aug 22 12:04:44 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:04:44 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:04:44 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:44 2015 : Info: +group authenticate {
Sat Aug 22 12:04:44 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:04:44 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:04:44 2015 : Info: [eap] processing type tls
Sat Aug 22 12:04:44 2015 : Info: [tls] Authenticate
Sat Aug 22 12:04:44 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:04:44 2015 : Info: [tls] Received TLS ACK
Sat Aug 22 12:04:44 2015 : Info: [tls] ACK handshake is finished
Sat Aug 22 12:04:44 2015 : Info: [tls] eaptls_verify returned 3
Sat Aug 22 12:04:44 2015 : Info: [tls] eaptls_process returned 3
Sat Aug 22 12:04:44 2015 : Info: [tls] Adding user data to cached session
Sat Aug 22 12:04:44 2015 : Info: [eap] Freeing handler
Sat Aug 22 12:04:44 2015 : Info: ++[eap] = ok
Sat Aug 22 12:04:44 2015 : Info: +} # group authenticate = ok
Sat Aug 22 12:04:44 2015 : Auth: Login OK: [selen.kjonca] (from client ni port 2 cli 00-08-22-4F-62-54)
Sat Aug 22 12:04:44 2015 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:04:44 2015 : Info: +group post-auth {
Sat Aug 22 12:04:44 2015 : Info: ++[exec] = noop
Sat Aug 22 12:04:44 2015 : Info: +} # group post-auth = noop
Sat Aug 22 12:04:44 2015 : Info: Finished request 94.
Sat Aug 22 12:04:44 2015 : Debug: Going to the next request
Sat Aug 22 12:04:44 2015 : Debug: Thread 5 waiting to be assigned a request
Sat Aug 22 12:04:45 2015 : Debug: Waking up in 3.9 seconds.
Sat Aug 22 12:04:48 2015 : Info: Cleaning up request 89 ID 246 with timestamp +1696
Sat Aug 22 12:04:48 2015 : Info: Cleaning up request 90 ID 247 with timestamp +1696
Sat Aug 22 12:04:48 2015 : Info: Cleaning up request 91 ID 248 with timestamp +1696
Sat Aug 22 12:04:49 2015 : Info: Cleaning up request 92 ID 249 with timestamp +1697
Sat Aug 22 12:04:49 2015 : Info: Cleaning up request 93 ID 250 with timestamp +1697
Sat Aug 22 12:04:49 2015 : Info: Cleaning up request 94 ID 251 with timestamp +1697
Sat Aug 22 12:04:49 2015 : Info: Ready to process requests.
Sat Aug 22 12:05:05 2015 : Debug: Thread 3 got semaphore
Sat Aug 22 12:05:05 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:05 2015 : Debug: Thread 3 handling request 95, (20 handled so far)
Sat Aug 22 12:05:05 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authorize {
Sat Aug 22 12:05:05 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:05 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:05 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:05 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP packet type response id 60 length 17
Sat Aug 22 12:05:05 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:05 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:05 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:05 2015 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Sat Aug 22 12:05:05 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:05 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:05 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:05 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authenticate {
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP Identity
Sat Aug 22 12:05:05 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:05 2015 : Info: [tls] Requiring client certificate
Sat Aug 22 12:05:05 2015 : Info: [tls] Initiate
Sat Aug 22 12:05:05 2015 : Info: [tls] Start returned 1
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = handled
Sat Aug 22 12:05:05 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:05:05 2015 : Info: Finished request 95.
Sat Aug 22 12:05:05 2015 : Debug: Going to the next request
Sat Aug 22 12:05:05 2015 : Debug: Thread 3 waiting to be assigned a request
Sat Aug 22 12:05:05 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:05 2015 : Debug: Thread 4 got semaphore
Sat Aug 22 12:05:05 2015 : Debug: Thread 4 handling request 96, (20 handled so far)
Sat Aug 22 12:05:05 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authorize {
Sat Aug 22 12:05:05 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:05 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:05 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:05 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP packet type response id 61 length 204
Sat Aug 22 12:05:05 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:05 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:05 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:05 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:05 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:05 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authenticate {
Sat Aug 22 12:05:05 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:05:05 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:05 2015 : Info: [tls] Authenticate
Sat Aug 22 12:05:05 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:05:05 2015 : Info: [tls] eaptls_verify returned 7
Sat Aug 22 12:05:05 2015 : Info: [tls] Done initial handshake
Sat Aug 22 12:05:05 2015 : Info: [tls] (other): before/accept initialization
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: before/accept initialization
Sat Aug 22 12:05:05 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:05:05 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 00c1], ClientHello
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 0695], Certificate
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:05 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:05 2015 : Info: [tls] TLS_accept: Need to read more data: unknown state
Sat Aug 22 12:05:05 2015 : Debug: In SSL Handshake Phase
Sat Aug 22 12:05:05 2015 : Debug: In SSL Accept mode
Sat Aug 22 12:05:05 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = handled
Sat Aug 22 12:05:05 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:05:05 2015 : Info: Finished request 96.
Sat Aug 22 12:05:05 2015 : Debug: Going to the next request
Sat Aug 22 12:05:05 2015 : Debug: Thread 4 waiting to be assigned a request
Sat Aug 22 12:05:05 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:05 2015 : Debug: Thread 1 got semaphore
Sat Aug 22 12:05:05 2015 : Debug: Thread 1 handling request 97, (20 handled so far)
Sat Aug 22 12:05:05 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authorize {
Sat Aug 22 12:05:05 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:05 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:05 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:05 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP packet type response id 62 length 6
Sat Aug 22 12:05:05 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:05 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:05 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:05 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:05 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:05 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authenticate {
Sat Aug 22 12:05:05 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:05:05 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:05 2015 : Info: [tls] Authenticate
Sat Aug 22 12:05:05 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:05:05 2015 : Info: [tls] Received TLS ACK
Sat Aug 22 12:05:05 2015 : Info: [tls] ACK handshake fragment handler
Sat Aug 22 12:05:05 2015 : Info: [tls] eaptls_verify returned 1
Sat Aug 22 12:05:05 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = handled
Sat Aug 22 12:05:05 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:05:05 2015 : Info: Finished request 97.
Sat Aug 22 12:05:05 2015 : Debug: Going to the next request
Sat Aug 22 12:05:05 2015 : Debug: Thread 1 waiting to be assigned a request
Sat Aug 22 12:05:05 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:05 2015 : Debug: Thread 2 got semaphore
Sat Aug 22 12:05:05 2015 : Debug: Thread 2 handling request 98, (20 handled so far)
Sat Aug 22 12:05:05 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authorize {
Sat Aug 22 12:05:05 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:05 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:05 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:05 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP packet type response id 63 length 13
Sat Aug 22 12:05:05 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:05 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:05 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:05 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:05 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:05 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:05 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:05 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group authenticate {
Sat Aug 22 12:05:05 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:05:05 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:05:05 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:05 2015 : Info: [tls] Authenticate
Sat Aug 22 12:05:05 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:05:05 2015 : Info: [tls] eaptls_verify returned 7
Sat Aug 22 12:05:05 2015 : Info: [tls] Done initial handshake
Sat Aug 22 12:05:05 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:05:05 2015 : Info: [tls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
Sat Aug 22 12:05:05 2015 : Error: TLS Alert read:fatal:unknown CA
Sat Aug 22 12:05:05 2015 : Error: TLS_accept: failed in unknown state
Sat Aug 22 12:05:05 2015 : Error: rlm_eap: SSL error error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Sat Aug 22 12:05:05 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Sat Aug 22 12:05:05 2015 : Debug: TLS receive handshake failed during operation
Sat Aug 22 12:05:05 2015 : Info: [tls] eaptls_process returned 4
Sat Aug 22 12:05:05 2015 : Info: [eap] Handler failed in EAP/tls
Sat Aug 22 12:05:05 2015 : Info: [eap] Failed in EAP select
Sat Aug 22 12:05:05 2015 : Info: ++[eap] = invalid
Sat Aug 22 12:05:05 2015 : Info: +} # group authenticate = invalid
Sat Aug 22 12:05:05 2015 : Info: Failed to authenticate the user.
Sat Aug 22 12:05:05 2015 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [selen.kjonca] (from client ni port 2 cli 00-08-22-4F-62-54)
Sat Aug 22 12:05:05 2015 : Info: Using Post-Auth-Type REJECT
Sat Aug 22 12:05:05 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:05 2015 : Info: +group REJECT {
Sat Aug 22 12:05:05 2015 : Info: [attr_filter.access_reject] expand: %{User-Name} -> selen.kjonca
Sat Aug 22 12:05:05 2015 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Aug 22 12:05:05 2015 : Info: ++[attr_filter.access_reject] = updated
Sat Aug 22 12:05:05 2015 : Info: +} # group REJECT = updated
Sat Aug 22 12:05:05 2015 : Info: Delaying reject of request 98 for 1 seconds
Sat Aug 22 12:05:05 2015 : Debug: Going to the next request
Sat Aug 22 12:05:05 2015 : Debug: Thread 2 waiting to be assigned a request
Sat Aug 22 12:05:06 2015 : Info: Sending delayed reject for request 98
Sat Aug 22 12:05:06 2015 : Debug: Waking up in 3.9 seconds.
Sat Aug 22 12:05:07 2015 : Debug: Thread 5 got semaphore
Sat Aug 22 12:05:07 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:07 2015 : Debug: Thread 5 handling request 99, (20 handled so far)
Sat Aug 22 12:05:07 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authorize {
Sat Aug 22 12:05:07 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:07 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:07 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:07 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP packet type response id 162 length 17
Sat Aug 22 12:05:07 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:07 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:07 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:07 2015 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Sat Aug 22 12:05:07 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:07 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:07 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:07 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authenticate {
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP Identity
Sat Aug 22 12:05:07 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:07 2015 : Info: [tls] Requiring client certificate
Sat Aug 22 12:05:07 2015 : Info: [tls] Initiate
Sat Aug 22 12:05:07 2015 : Info: [tls] Start returned 1
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = handled
Sat Aug 22 12:05:07 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:05:07 2015 : Info: Finished request 99.
Sat Aug 22 12:05:07 2015 : Debug: Going to the next request
Sat Aug 22 12:05:07 2015 : Debug: Thread 5 waiting to be assigned a request
Sat Aug 22 12:05:07 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:07 2015 : Debug: Thread 3 got semaphore
Sat Aug 22 12:05:07 2015 : Debug: Thread 3 handling request 100, (21 handled so far)
Sat Aug 22 12:05:07 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authorize {
Sat Aug 22 12:05:07 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:07 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:07 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:07 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP packet type response id 163 length 204
Sat Aug 22 12:05:07 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:07 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:07 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:07 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:07 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:07 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authenticate {
Sat Aug 22 12:05:07 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:05:07 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:07 2015 : Info: [tls] Authenticate
Sat Aug 22 12:05:07 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:05:07 2015 : Info: [tls] eaptls_verify returned 7
Sat Aug 22 12:05:07 2015 : Info: [tls] Done initial handshake
Sat Aug 22 12:05:07 2015 : Info: [tls] (other): before/accept initialization
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: before/accept initialization
Sat Aug 22 12:05:07 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:05:07 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 00c1], ClientHello
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 0695], Certificate
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> Unknown TLS version [length 0005]
Sat Aug 22 12:05:07 2015 : Info: [tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: unknown state
Sat Aug 22 12:05:07 2015 : Info: [tls] TLS_accept: Need to read more data: unknown state
Sat Aug 22 12:05:07 2015 : Debug: In SSL Handshake Phase
Sat Aug 22 12:05:07 2015 : Debug: In SSL Accept mode
Sat Aug 22 12:05:07 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = handled
Sat Aug 22 12:05:07 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:05:07 2015 : Info: Finished request 100.
Sat Aug 22 12:05:07 2015 : Debug: Going to the next request
Sat Aug 22 12:05:07 2015 : Debug: Thread 3 waiting to be assigned a request
Sat Aug 22 12:05:07 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:07 2015 : Debug: Thread 4 got semaphore
Sat Aug 22 12:05:07 2015 : Debug: Thread 4 handling request 101, (21 handled so far)
Sat Aug 22 12:05:07 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authorize {
Sat Aug 22 12:05:07 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:07 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:07 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:07 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP packet type response id 164 length 6
Sat Aug 22 12:05:07 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:07 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:07 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:07 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:07 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:07 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authenticate {
Sat Aug 22 12:05:07 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:05:07 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:07 2015 : Info: [tls] Authenticate
Sat Aug 22 12:05:07 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:05:07 2015 : Info: [tls] Received TLS ACK
Sat Aug 22 12:05:07 2015 : Info: [tls] ACK handshake fragment handler
Sat Aug 22 12:05:07 2015 : Info: [tls] eaptls_verify returned 1
Sat Aug 22 12:05:07 2015 : Info: [tls] eaptls_process returned 13
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = handled
Sat Aug 22 12:05:07 2015 : Info: +} # group authenticate = handled
Sat Aug 22 12:05:07 2015 : Info: Finished request 101.
Sat Aug 22 12:05:07 2015 : Debug: Going to the next request
Sat Aug 22 12:05:07 2015 : Debug: Thread 4 waiting to be assigned a request
Sat Aug 22 12:05:07 2015 : Debug: Waking up in 0.9 seconds.
Sat Aug 22 12:05:07 2015 : Debug: Thread 1 got semaphore
Sat Aug 22 12:05:07 2015 : Debug: Thread 1 handling request 102, (21 handled so far)
Sat Aug 22 12:05:07 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authorize {
Sat Aug 22 12:05:07 2015 : Info: ++[preprocess] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[chap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[mschap] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[digest] = noop
Sat Aug 22 12:05:07 2015 : Info: [suffix] No '@' in User-Name = "selen.kjonca", looking up realm NULL
Sat Aug 22 12:05:07 2015 : Info: [suffix] No such realm "NULL"
Sat Aug 22 12:05:07 2015 : Info: ++[suffix] = noop
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP packet type response id 165 length 13
Sat Aug 22 12:05:07 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = updated
Sat Aug 22 12:05:07 2015 : Info: [files] users: Matched entry selen.kjonca at line 12
Sat Aug 22 12:05:07 2015 : Info: ++[files] = ok
Sat Aug 22 12:05:07 2015 : Info: ++[expiration] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[logintime] = noop
Sat Aug 22 12:05:07 2015 : Info: ++[pap] = noop
Sat Aug 22 12:05:07 2015 : Info: +} # group authorize = updated
Sat Aug 22 12:05:07 2015 : Info: Found Auth-Type = EAP
Sat Aug 22 12:05:07 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group authenticate {
Sat Aug 22 12:05:07 2015 : Info: [eap] Request found, released from the list
Sat Aug 22 12:05:07 2015 : Info: [eap] EAP/tls
Sat Aug 22 12:05:07 2015 : Info: [eap] processing type tls
Sat Aug 22 12:05:07 2015 : Info: [tls] Authenticate
Sat Aug 22 12:05:07 2015 : Info: [tls] processing EAP-TLS
Sat Aug 22 12:05:07 2015 : Info: [tls] eaptls_verify returned 7
Sat Aug 22 12:05:07 2015 : Info: [tls] Done initial handshake
Sat Aug 22 12:05:07 2015 : Info: [tls] <<< Unknown TLS version [length 0005]
Sat Aug 22 12:05:07 2015 : Info: [tls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
Sat Aug 22 12:05:07 2015 : Error: TLS Alert read:fatal:unknown CA
Sat Aug 22 12:05:07 2015 : Error: TLS_accept: failed in unknown state
Sat Aug 22 12:05:07 2015 : Error: rlm_eap: SSL error error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Sat Aug 22 12:05:07 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Sat Aug 22 12:05:07 2015 : Debug: TLS receive handshake failed during operation
Sat Aug 22 12:05:07 2015 : Info: [tls] eaptls_process returned 4
Sat Aug 22 12:05:07 2015 : Info: [eap] Handler failed in EAP/tls
Sat Aug 22 12:05:07 2015 : Info: [eap] Failed in EAP select
Sat Aug 22 12:05:07 2015 : Info: ++[eap] = invalid
Sat Aug 22 12:05:07 2015 : Info: +} # group authenticate = invalid
Sat Aug 22 12:05:07 2015 : Info: Failed to authenticate the user.
Sat Aug 22 12:05:07 2015 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [selen.kjonca] (from client ni port 2 cli 00-08-22-4F-62-54)
Sat Aug 22 12:05:07 2015 : Info: Using Post-Auth-Type REJECT
Sat Aug 22 12:05:07 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Aug 22 12:05:07 2015 : Info: +group REJECT {
Sat Aug 22 12:05:07 2015 : Info: [attr_filter.access_reject] expand: %{User-Name} -> selen.kjonca
Sat Aug 22 12:05:07 2015 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Aug 22 12:05:07 2015 : Info: ++[attr_filter.access_reject] = updated
Sat Aug 22 12:05:07 2015 : Info: +} # group REJECT = updated
Sat Aug 22 12:05:07 2015 : Info: Delaying reject of request 102 for 1 seconds
Sat Aug 22 12:05:07 2015 : Debug: Going to the next request
Sat Aug 22 12:05:07 2015 : Debug: Thread 1 waiting to be assigned a request
Sat Aug 22 12:05:08 2015 : Info: Sending delayed reject for request 102
Sat Aug 22 12:05:08 2015 : Debug: Waking up in 1.7 seconds.
Sat Aug 22 12:05:10 2015 : Info: Cleaning up request 95 ID 252 with timestamp +1718
Sat Aug 22 12:05:10 2015 : Info: Cleaning up request 96 ID 253 with timestamp +1718
Sat Aug 22 12:05:10 2015 : Info: Cleaning up request 97 ID 254 with timestamp +1718
Sat Aug 22 12:05:10 2015 : Debug: Waking up in 1.0 seconds.
Sat Aug 22 12:05:11 2015 : Info: Cleaning up request 98 ID 255 with timestamp +1718
Sat Aug 22 12:05:11 2015 : Debug: Waking up in 1.2 seconds.
Sat Aug 22 12:05:12 2015 : Info: Cleaning up request 99 ID 0 with timestamp +1720
Sat Aug 22 12:05:12 2015 : Info: Cleaning up request 100 ID 1 with timestamp +1720
Sat Aug 22 12:05:12 2015 : Info: Cleaning up request 101 ID 2 with timestamp +1720
Sat Aug 22 12:05:12 2015 : Debug: Waking up in 1.0 seconds.
Sat Aug 22 12:05:13 2015 : Info: Cleaning up request 102 ID 3 with timestamp +1720
Sat Aug 22 12:05:13 2015 : Info: Ready to process requests.
--
http://wolnelektury.pl/wesprzyj/teraz/
share, n.:
To give in, endure humiliation.
3
7
freeradius not starting when default rediswho module is enabled - freeradius 3.0.10 - current git
by Michal Tomaszewski 21 Aug '15
by Michal Tomaszewski 21 Aug '15
21 Aug '15
Hi all,
After enabling rediswho module and adding rediswho to accounting section (and only this section) there is an error:
Fri Aug 21 16:06:29 2015 : Debug: Loading library using absolute path "//lib/rlm_rediswho.so"
Fri Aug 21 16:06:29 2015 : Debug: Loaded rlm_rediswho, checking if it's valid
Fri Aug 21 16:06:29 2015 : Debug: # Loaded module rlm_rediswho
Fri Aug 21 16:06:29 2015 : Debug: # Loading module "rediswho" from file //etc/raddb/mods-enabled/rediswho
Fri Aug 21 16:06:29 2015 : Debug: rediswho {
Fri Aug 21 16:06:29 2015 : Debug: redis_module_instance = "redis"
Fri Aug 21 16:06:29 2015 : Debug: trim_count = 15
Fri Aug 21 16:06:29 2015 : Error: //etc/raddb/mods-enabled/rediswho[10]: Configuration item "insert" must have a value
Fri Aug 21 16:06:29 2015 : Error: //etc/raddb/mods-enabled/rediswho[10]: Invalid configuration for module "rediswho"
Default configuration of rediswho from mods-enabled is used.
As I understand the file /mods-available/rediswho should have e.g. changed sections. It probably has changed since freeradius 2.x. Can you advice the correct one?
Regards,
Michał Tomaszewski
________________________________________ Uwaga: Treść niniejszej wiadomości może być poufna i objęta zakazem jej ujawniania. Jeśli czytelnik tej wiadomości nie jest jej zamierzonym adresatem, pracownikiem lub pośrednikiem upoważnionym do jej przekazania adresatowi, informujemy że wszelkie rozprowadzanie, rozpowszechnianie lub powielanie niniejszej wiadomości jest zabronione. Jeśli otrzymałeś tę wiadomość omyłkowo, proszę bezzwłocznie odesłać ją nadawcy, a samą wiadomość usunąć z komputera. Dziękujemy. ________________________________ Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.If you have received this communication in error, please notify the sender immediately by replying to the message and deleting it from your computer. Thank you. ________________________________
2
2
Hi,
I'm setting up a RADIUS server which among others has to be linked to
PAM. One of my primary requirements is that is uses secure
cryptography. The main question is:
1. Does the PAM Radius module support EAP-TTLS with an inner tunnel of PAP?
I did some research and came accross
http://lists.freeradius.org/pipermail/freeradius-users/2013-December/069408…,
which unfortunately doesn't answer my question.
I scanned through the sourcecode of the PAM_radius module, which does
not have any indication of TLS support.
Background:
Most supported protocols are based on MD5, which has been severly
comprimised[1], or a single DES key (MSCHAP V2) [2], which is also
comprimised. So that only leaves the TLS based protocols,
Based on [3] I assume I should use PAP for the inner tunnel, because
this enables me to store hashed password (will use SSHA512).
If you know a more secure setup, don't hesitate to advice me :). Also
if I made a mistake somewhere, don't hesitate to correct me :)
As a final remark, I think it would be beneficial for the security of
many account details, both transfered and stored for (FREE)RADIUS, to
include clear warnings on the pages about insecure
protocols/authentication standards.
[1] https://en.wikipedia.org/wiki/MD5
[2] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
[3] http://deployingradius.com/documents/protocols/compatibility.html
3
5