Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2015
- 101 participants
- 144 discussions
Hello,
I have set auth=yes in log section from radiusd.conf file in order to
be able to see all the logs for authentication requests, in radius.log
file from /var/log/radius directory. Unfrortunately, I can't see them.
Is there an other setting that I have to do ?
thank you for any help you can provide !
2
1
Custom counter aggregating data from two sources - freeradius 3.0.x
by Michal Tomaszewski 27 Sep '15
by Michal Tomaszewski 27 Sep '15
27 Sep '15
Hello,
Can you suggest how can I make a custom counter that uses e.g. sql query and redis query in single counter?
Is there any possibility to include ulang logic into sqlcounter conf, make a redis query and/or combine data? Or should I use some other module?
Is there a possibility to make queries using different sql pools inside one counter?
I would like to cache some data in redis and reuse it if available. If it is not available - then make a full sql query (long lasting…).
The same logic I would like to implement in several different counters.
I would be grateful for any advice.
Regards,
Mike
________________________________________ Uwaga: Treść niniejszej wiadomości może być poufna i objęta zakazem jej ujawniania. Jeśli czytelnik tej wiadomości nie jest jej zamierzonym adresatem, pracownikiem lub pośrednikiem upoważnionym do jej przekazania adresatowi, informujemy że wszelkie rozprowadzanie, rozpowszechnianie lub powielanie niniejszej wiadomości jest zabronione. Jeśli otrzymałeś tę wiadomość omyłkowo, proszę bezzwłocznie odesłać ją nadawcy, a samą wiadomość usunąć z komputera. Dziękujemy. ________________________________ Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.If you have received this communication in error, please notify the sender immediately by replying to the message and deleting it from your computer. Thank you. ________________________________
2
4
Hi all,
is there any way to change the realm before proxying it to another radius?
Something like this:
realm TOCHANGE.TLD {
pool = backend_pool
nostrip
}
username(a)tochange.tld should be changed in username(a)myrealm.local and
proxyed to backend_pool
Thanks
V
--
Vito A. Smaldino
2
1
26 Sep '15
Hello, and thanks in advance for any help!
Ubuntu 14.04.3 LTS running FreeRADIUS 3.0.9. FreeRADIUS installation
packages were generated using dpkg_dev. AD Domain is 2012R2
I keep getting a logon failure (0xc000006d) using EAP-MSCHAPV2
The full debug is below, but here is the snippet:
(2) mschap: Client is using MS-CHAPv2
(2) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(2) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(2) mschap: --> --username=USER\\ldap_query
(2) mschap: Creating challenge hash with username: ldap_query
(2) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2) mschap: --> --challenge=57e0b84b2fe82e71
(2) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(2) mschap: -->
--nt-response=756e6bc91594dd2bf971c666a35809a632eed0b76f39551a
(2) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
(2) mschap: External script failed
(2) mschap: ERROR: External script says: Logon failure (0xc000006d)
(2) mschap: ERROR: MS-CHAP2-Response is incorrect
However, when I take these values, and run ntlm_auth from the command line,
I get the NT_KEY
root@freeradius:/# /usr/bin/ntlm_auth --request-nt-key
--username=USER\\ldap_query --challenge=57e0b84b2fe82e71
--nt-response=756e6bc91594dd2bf971c666a35809a632eed0b76f39551a
NT_KEY: 96B0390CCFE02BE8710C5D6848567B60
FULL DEBUG OUTPUT
root@freeradius:~# /usr/sbin/freeradius -X
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/multiotp
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/multiotpmschap
including configuration file /etc/freeradius/mods-enabled/dhcp
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/multiotp
including configuration file /etc/freeradius/policy.d/dhcp
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm USER {
auth_pool = my_auth_failover
}
realm user.agili-key.com {
auth_pool = my_auth_failover
}
realm AGILI-KEY {
auth_pool = my_auth_failover
}
realm agili-key.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.25.102.241 {
ipaddr = 172.25.102.241
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.25.102.242 {
ipaddr = 172.25.102.242
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.25.102.243 {
ipaddr = 172.25.102.243
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.25.102.244 {
ipaddr = 172.25.102.244
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.25.102.245 {
ipaddr = 172.25.102.245
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.25.102.246 {
ipaddr = 172.25.102.246
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 172.25.102.8 {
ipaddr = 172.25.102.8
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = multiotp
# Creating Auth-Type = multiotpmschap
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/mods-enabled/expiration
# Loading module "ntlm_auth" from file
/etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/mods-enabled/replicate
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
passchange {
ntlm_auth = "/usr/bin/ntlm_auth
--helper-protocol=ntlm-change-password-1"
ntlm_auth_username = "username: %{mschap:User-Name}"
ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
}
allow_retry = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "auth_log" from file
/etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
compat = "cistron"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loading module "sradutmp" from file
/etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "multiotp" from file
/etc/freeradius/mods-enabled/multiotp
exec multiotp {
wait = yes
program = "/etc/multiotp/multiotp.php %{User-Name} %{User-Password}
-request-nt-key -src=%{Packet-Src-IP-Address}
-chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password}
-ms-chap-challenge=%{MS-CHAP-Challenge}
-ms-chap-response=%{MS-CHAP-Response}
-ms-chap2-response=%{MS-CHAP2-Response}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "multiotpmschap" from file
/etc/freeradius/mods-enabled/multiotpmschap
mschap multiotpmschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/etc/multiotp/multiotp.php %{User-Name}
%{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address}
-chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password}
-ms-chap-challenge=%{MS-CHAP-Challenge}
-ms-chap-response=%{MS-CHAP-Response}
-ms-chap2-response=%{MS-CHAP2-Response}"
passchange {
}
allow_retry = yes
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/freeradius/mods-enabled/dhcp
instantiate {
}
modules {
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "reject" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/mods-enabled/always
# Instantiating module "expiration" from file
/etc/freeradius/mods-enabled/expiration
# Instantiating module "logintime" from file
/etc/freeradius/mods-enabled/logintime
# Instantiating module "linelog" from file
/etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/mods-enabled/linelog
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
identity = "freeradius"
}
# Instantiating module "etc_passwd" from file
/etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "detail" from file
/etc/freeradius/mods-enabled/detail
# Instantiating module "preprocess" from file
/etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "cache_eap" from file
/etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "mschap" from file
/etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "auth_log" from file
/etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/mods-enabled/detail.log
# Instantiating module "files" from file
/etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
[/etc/freeradius/mods-config/files/authorize]:182 Cistron compatibility
checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:189 Cistron compatibility
checks for entry DEFAULT ...
[/etc/freeradius/mods-config/files/authorize]:195 Cistron compatibility
checks for entry DEFAULT ...
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "IPASS" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/mods-enabled/realm
# Instantiating module "multiotpmschap" from file
/etc/freeradius/mods-enabled/multiotpmschap
rlm_mschap (multiotpmschap): authenticating by calling 'ntlm_auth'
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 42153
Ready to process requests
(0) Received Access-Request Id 0 from 172.25.102.8:53839 to
172.25.102.15:1812 length 138
(0) User-Name = "USER\\ldap_query"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x0200001401555345525c6c6461705f7175657279
(0) Message-Authenticator = 0x7824ee5950582ab332ae5dd5441c1405
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "USER\ldap_query", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 20
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x9acbd9fc9acac055
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 0 from 172.25.102.15:1812 to 172.25.102.8:53839
length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x9acbd9fc9acac0550d905c53795e221f
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 172.25.102.8:53839 to
172.25.102.15:1812 length 142
(1) User-Name = "USER\\ldap_query"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x02010006031a
(1) State = 0x9acbd9fc9acac0550d905c53795e221f
(1) Message-Authenticator = 0x0c0275e6c8b803e0ed350429e696cea2
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "USER\ldap_query", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) policy multiotp.authorize {
(1) if (control:Auth-Type == MS-CHAP) {
(1) if (control:Auth-Type == MS-CHAP) -> FALSE
(1) elsif (!control:Auth-Type && User-Password =~ /^([0-9]{6})$/) {
(1) elsif (!control:Auth-Type && User-Password =~ /^([0-9]{6})$/) ->
FALSE
(1) } # policy multiotp.authorize = updated
(1) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password
is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x9acbd9fc9acac055
(1) eap: Finished EAP session with state 0x9acbd9fc9acac055
(1) eap: Previous EAP request found for state 0x9acbd9fc9acac055, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type MSCHAPv2 (26)
(1) eap: Calling submodule eap_mschapv2 to process data
(1) eap_mschapv2: Issuing Challenge
(1) eap: Sending EAP Request (code 1) ID 2 length 35
(1) eap: EAP session adding &reply:State = 0x9acbd9fc9bc9c355
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Sent Access-Challenge Id 1 from 172.25.102.15:1812 to 172.25.102.8:53839
length 0
(1) EAP-Message =
0x010200231a0102001e102a19af672e4f271a8f37601b177217f661676b797261643031
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x9acbd9fc9bc9c3550d905c53795e221f
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 172.25.102.8:53839 to
172.25.102.15:1812 length 210
(2) User-Name = "USER\\ldap_query"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message =
0x0202004a1a020200453167739eac74755a8248a8634989b917060000000000000000756e6bc91594dd2bf971c666a35809a632eed0b76f39551a00555345525c6c6461705f7175657279
(2) State = 0x9acbd9fc9bc9c3550d905c53795e221f
(2) Message-Authenticator = 0x750b4d5ec91fb37da9332daaa37974ff
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "USER\ldap_query", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 74
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) policy multiotp.authorize {
(2) if (control:Auth-Type == MS-CHAP) {
(2) if (control:Auth-Type == MS-CHAP) -> FALSE
(2) elsif (!control:Auth-Type && User-Password =~ /^([0-9]{6})$/) {
(2) elsif (!control:Auth-Type && User-Password =~ /^([0-9]{6})$/) ->
FALSE
(2) } # policy multiotp.authorize = updated
(2) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password
is available
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x9acbd9fc9bc9c355
(2) eap: Finished EAP session with state 0x9acbd9fc9bc9c355
(2) eap: Previous EAP request found for state 0x9acbd9fc9bc9c355, released
from the list
(2) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(2) eap: Calling submodule eap_mschapv2 to process data
(2) eap_mschapv2: # Executing group from file
/etc/freeradius/sites-enabled/default
(2) eap_mschapv2: Auth-Type MS-CHAP {
(2) mschap: Creating challenge hash with username: ldap_query
(2) mschap: Client is using MS-CHAPv2
(2) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(2) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(2) mschap: --> --username=USER\\ldap_query
(2) mschap: Creating challenge hash with username: ldap_query
(2) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2) mschap: --> --challenge=57e0b84b2fe82e71
(2) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(2) mschap: -->
--nt-response=756e6bc91594dd2bf971c666a35809a632eed0b76f39551a
(2) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
(2) mschap: External script failed
(2) mschap: ERROR: External script says: Logon failure (0xc000006d)
(2) mschap: ERROR: MS-CHAP2-Response is incorrect
(2) [mschap] = reject
(2) } # Auth-Type MS-CHAP = reject
(2) eap: Sending EAP Failure (code 4) ID 2 length 4
(2) eap: Freeing handler
(2) [eap] = reject
(2) } # authenticate = reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject: --> USER\\ldap_query
(2) attr_filter.access_reject: Matched entry DEFAULT at line 18
(2) [attr_filter.access_reject] = updated
(2) eap: Reply already contained an EAP-Message, not inserting EAP-Failure
(2) [eap] = noop
(2) policy remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message) {
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else {
(2) [noop] = noop
(2) } # else = noop
(2) } # policy remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) <delay>: Sending delayed response
(2) <delay>: Sent Access-Reject Id 2 from 172.25.102.15:1812 to
172.25.102.8:53839 length 62
(2) <delay>: MS-CHAP-Error = "\002E=691 R=1"
(2) <delay>: EAP-Message = 0x04020004
(2) <delay>: Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
(0) <done>: Cleaning up request packet ID 0 with timestamp +9
(1) <done>: Cleaning up request packet ID 1 with timestamp +9
Waking up in 0.3 seconds.
(2) <delay>: Cleaning up request packet ID 2 with timestamp +10
Ready to process requests
-Timo
4
4
Hi,
I am trying to debug an EAP-TTLS handshake problem between FreeRADIUS 2.2.4
with OpenSSL 1.0.1f and Mac OS X 10.10.5 and 10.9.5. The Macs are using
WPA2 Enterprise / 802.1x through a Meraki MR34 Access Point. This
configuration works fine with Windows 8 and Android 4.4.1.
My questions for the FreeRADIUS folks:
a) Is there a way that I can view the decoded TLS attributes from the TLS
handshake? (I'm already running with the -X option). For example, I'd like
to see what ciphersuites are being proposed and any additional attributes
in the the ClientHello.
b) FreeRADIUS/OpenSSL and these versions of Mac OS X can all do TLS 1.2.
Does the text "TLS 1.0 Handshake" in the log really mean that it is only
using TLS 1.0 instead of TLS 1.2?
c) There is a message in the log "TLS_accept: failed in SSLv3 read client
certificate A". Does this mean that there was a client certificate
presented by the client? (there shouldn't be a client cert at all)
d) Does anyone have any other suggestions to make this work? I already
tried setting the cipher_list to well used ciphers that the Macs generally
like ('AES+aRSA') and got the same result. (The trace below is with the
default cipher_list).
Many thanks,
-rohan
eap.conf:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = somepasswordhere
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
dh_file = ${certdir}/dh
CA_path = ${cadir}
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
random_file = /dev/urandom
cache {
enable = yes
lifetime = 24 # hours
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
}
FreeRADIUS Log file:
rad_recv: Access-Request packet from host 10.0.2.2 port 34931, id=8,
length=164
User-Name = "anonymous"
NAS-IP-Address = 10.0.10.203
NAS-Port = 0
Called-Station-Id = "02-18-5A-1D-AE-03:Remind101-SSO"
Calling-Station-Id = "9C-F3-87-C2-62-C6"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02ba000e01616e6f6e796d6f7573
Message-Authenticator = 0x61ebdbe946edd0fdc49b8c3e41c387a8
Wed Sep 23 17:29:11 2015 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authorize {...}
Wed Sep 23 17:29:11 2015 : Info: ++[preprocess] returns ok
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP packet type response id 186
length 14
Wed Sep 23 17:29:11 2015 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns updated
Wed Sep 23 17:29:11 2015 : Info: ++[expiration] returns noop
Wed Sep 23 17:29:11 2015 : Info: ++[logintime] returns noop
Wed Sep 23 17:29:11 2015 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Wed Sep 23 17:29:11 2015 : Info: ++[pap] returns noop
Wed Sep 23 17:29:11 2015 : Info: Found Auth-Type = EAP
Wed Sep 23 17:29:11 2015 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authenticate {...}
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP Identity
Wed Sep 23 17:29:11 2015 : Info: [eap] processing type tls
Wed Sep 23 17:29:11 2015 : Info: [tls] Flushing SSL sessions (of #0)
Wed Sep 23 17:29:11 2015 : Info: [tls] Initiate
Wed Sep 23 17:29:11 2015 : Info: [tls] Start returned 1
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.2.2 port 34931
EAP-Message = 0x01bb00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xccf836bacc4323f9b322d4bda37008ed
Wed Sep 23 17:29:11 2015 : Info: Finished request 0.
Wed Sep 23 17:29:11 2015 : Debug: Going to the next request
Wed Sep 23 17:29:11 2015 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34931, id=9,
length=320
User-Name = "anonymous"
NAS-IP-Address = 10.0.10.203
NAS-Port = 0
Called-Station-Id = "02-18-5A-1D-AE-03:Remind101-SSO"
Calling-Station-Id = "9C-F3-87-C2-62-C6"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x02bb009815800000008e16030100890100008503015602e16a73b82ed270ffcaa50eac91e3c23b8ed8dbca78c08f2e2e7ceb43a60f00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
State = 0xccf836bacc4323f9b322d4bda37008ed
Message-Authenticator = 0x6ae3c689ec343b04cf0eb36a770f298e
Wed Sep 23 17:29:11 2015 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authorize {...}
Wed Sep 23 17:29:11 2015 : Info: ++[preprocess] returns ok
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP packet type response id 187
length 152
Wed Sep 23 17:29:11 2015 : Info: [eap] Continuing tunnel setup.
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns ok
Wed Sep 23 17:29:11 2015 : Info: Found Auth-Type = EAP
Wed Sep 23 17:29:11 2015 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authenticate {...}
Wed Sep 23 17:29:11 2015 : Info: [eap] Request found, released from the list
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP/ttls
Wed Sep 23 17:29:11 2015 : Info: [eap] processing type ttls
Wed Sep 23 17:29:11 2015 : Info: [ttls] Authenticate
Wed Sep 23 17:29:11 2015 : Info: [ttls] processing EAP-TLS
Wed Sep 23 17:29:11 2015 : Debug: TLS Length 142
Wed Sep 23 17:29:11 2015 : Info: [ttls] Length Included
Wed Sep 23 17:29:11 2015 : Info: [ttls] eaptls_verify returned 11
Wed Sep 23 17:29:11 2015 : Info: [ttls] (other): before/accept
initialization
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: before/accept
initialization
Wed Sep 23 17:29:11 2015 : Info: [ttls] <<< TLS 1.0 Handshake [length
0089], ClientHello
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: SSLv3 read client
hello A
Wed Sep 23 17:29:11 2015 : Info: [ttls] >>> TLS 1.0 Handshake [length
0059], ServerHello
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: SSLv3 write server
hello A
Wed Sep 23 17:29:11 2015 : Info: [ttls] >>> TLS 1.0 Handshake [length
03f6], Certificate
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: SSLv3 write
certificate A
Wed Sep 23 17:29:11 2015 : Info: [ttls] >>> TLS 1.0 Handshake [length
014b], ServerKeyExchange
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: SSLv3 write key
exchange A
Wed Sep 23 17:29:11 2015 : Info: [ttls] >>> TLS 1.0 Handshake [length
0004], ServerHelloDone
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: SSLv3 write server
done A
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: SSLv3 flush data
Wed Sep 23 17:29:11 2015 : Info: [ttls] TLS_accept: Need to read more
data: SSLv3 read client certificate A
Wed Sep 23 17:29:11 2015 : Debug: In SSL Handshake Phase
Wed Sep 23 17:29:11 2015 : Debug: In SSL Accept mode
Wed Sep 23 17:29:11 2015 : Info: [ttls] eaptls_process returned 13
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns handled
Sending Access-Challenge of id 9 to 10.0.2.2 port 34931
EAP-Message =
0x01bc040015c0000005b2160301005902000055030113d3df9c72a85ca65f386048d87391ee9afc3c8e76736fcafa1c90308bc16fd120ecd03fda52b76224194100c0ac75ba9e3b8c138945a39636e9bcebffdeb76340c01400000dff01000100000b00040300010216030103f60b0003f20003ef0003ec308203e8308202d0a003020102020102300d06092a864886f70d0101050500308199310b30090603550406130255533113301106035504080c0a43616c69666f726e69613116301406035504070c0d53616e204672616e636973636f31123010060355040a0c0952656d696e64204851311f301d06092a864886f70d010901161061646d696e
EAP-Message =
0x4072656d696e642e636f6d3128302606035504030c1f52656d696e6420485120436572746966696361746520417574686f72697479301e170d3135303831313232343133395a170d3136303831303232343133395a308183310b30090603550406130255533113301106035504080c0a43616c69666f726e696131123010060355040a0c0952656d696e64204851312a302806035504030c2152656d696e64204851205769466920536572766572204365727469666963617465311f301d06092a864886f70d010901161061646d696e4072656d696e642e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100f4
EAP-Message =
0x88df40780f23fd9c004763db97703d78fb881aa9b1f7997fe78f78e4a607f577a089c68d35a37ba1b5be35df87d33c4c57ab4ffece858ee922bfc46147f210b0d460da5341e18242a59a52498a1d4bf62b9ad4c600767e5d2ad93b7d8a13481325ffea7d5c738873761e9b450ffc2de000bcbd690fd8397866a8a1ecf08e2596ce146826a83da3b531fe14bee2d94f6ada414e9e7f4b8af806de0cd692fb61353e7b66735f655a74130dde40b55594d71f847704c8f78c2cfa81e58a67e41e0d32d97ceaf2987575b32239bff27fbcc84ef6b3904846fab1234739c66af20c2fed514a33b2c171f909233e7ee3a441f78315d4490e7b89fa96501c6761
EAP-Message =
0x310f0203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100a5a587d02f2245d7058b7e15a99660290b3e61278c38b78eeb664a2b076c9b060b694d225c01681eaf09284641fedd80e42a0299dda8f026615e8a59633f949bee830cc0b35b75a66468518416889600bae0a5a4c818caed479e000b322cb8082e0c5133e0fb827682adb12b4264ca0a02e9cdbefbf596944ecd677f9f043c2fbcd824a11c841d32ec27e246753a177e3a
EAP-Message = 0x8c447f914a438a685741f3b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xccf836bacd4423f9b322d4bda37008ed
Wed Sep 23 17:29:11 2015 : Info: Finished request 1.
Wed Sep 23 17:29:11 2015 : Debug: Going to the next request
Wed Sep 23 17:29:11 2015 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34931, id=10,
length=174
User-Name = "anonymous"
NAS-IP-Address = 10.0.10.203
NAS-Port = 0
Called-Station-Id = "02-18-5A-1D-AE-03:Remind101-SSO"
Calling-Station-Id = "9C-F3-87-C2-62-C6"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02bc00061500
State = 0xccf836bacd4423f9b322d4bda37008ed
Message-Authenticator = 0x76a0ebaf55da4ea748e3a91d1c5cec57
Wed Sep 23 17:29:11 2015 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authorize {...}
Wed Sep 23 17:29:11 2015 : Info: ++[preprocess] returns ok
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP packet type response id 188
length 6
Wed Sep 23 17:29:11 2015 : Info: [eap] Continuing tunnel setup.
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns ok
Wed Sep 23 17:29:11 2015 : Info: Found Auth-Type = EAP
Wed Sep 23 17:29:11 2015 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authenticate {...}
Wed Sep 23 17:29:11 2015 : Info: [eap] Request found, released from the list
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP/ttls
Wed Sep 23 17:29:11 2015 : Info: [eap] processing type ttls
Wed Sep 23 17:29:11 2015 : Info: [ttls] Authenticate
Wed Sep 23 17:29:11 2015 : Info: [ttls] processing EAP-TLS
Wed Sep 23 17:29:11 2015 : Info: [ttls] Received TLS ACK
Wed Sep 23 17:29:11 2015 : Info: [ttls] ACK handshake fragment handler
Wed Sep 23 17:29:11 2015 : Info: [ttls] eaptls_verify returned 1
Wed Sep 23 17:29:11 2015 : Info: [ttls] eaptls_process returned 13
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns handled
Sending Access-Challenge of id 10 to 10.0.2.2 port 34931
EAP-Message =
0x01bd01c61580000005b2fb46633c5848cee0329bc65d69b76e0fbdaea7a3908b670c77fd43386dda5b7dfd5b6194b2e217630e7ed3fcaf4b58c9557fcc863e662005a929f556bc5238ed01b4cac3358590385cd0e8a6b29cec783c0e110a955813876b2df0631ad835b2ad9888160301014b0c00014703001741045121517bd8ad0efeac7a598718fe61bb8af1e6808aa1336ca156dd9d478105035e2d6ea738e43581419c240db2fff0ca113416a99feb214cb9aa801d9e6ef9750100d41b74c1d5fc7adef7cbb7f2630bc1d1f455bd158e3bfaf422298670906fcd98d276ff57063e33113f5c2e32f76b793d21c69555a03c8bd365e4ad850bf7345b
EAP-Message =
0x3e8e65a3eb436972c79ee1a91fd4c81b1a8ad83b8bae15666a28f66d14c8b6ad9eb5e2555ef01a005730a582cc84a83abdda1455beb911acbd6f7345d6b1e56d1b9b4c77382e1274afdab7e270ce8b031039cae39264ffa5578c2dc4803c43e0ab40f2bc885eebb10e8e5e5b59f651bb5020ab4b7a669b7d0506570134d2efb56f81a54314233e01503ca4417db967597455f1e1dce5f307f63ff3b9946a69c35cc162991a253e322cdf649a153b0814b2a908c6099a2b7e7770b133fe5cec0316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xccf836bace4523f9b322d4bda37008ed
Wed Sep 23 17:29:11 2015 : Info: Finished request 2.
Wed Sep 23 17:29:11 2015 : Debug: Going to the next request
Wed Sep 23 17:29:11 2015 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34931, id=11,
length=185
User-Name = "anonymous"
NAS-IP-Address = 10.0.10.203
NAS-Port = 0
Called-Station-Id = "02-18-5A-1D-AE-03:Remind101-SSO"
Calling-Station-Id = "9C-F3-87-C2-62-C6"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02bd001115800000000715030100020100
State = 0xccf836bace4523f9b322d4bda37008ed
Message-Authenticator = 0x9cb7425be35279493d1aec7a86122067
Wed Sep 23 17:29:11 2015 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authorize {...}
Wed Sep 23 17:29:11 2015 : Info: ++[preprocess] returns ok
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP packet type response id 189
length 17
Wed Sep 23 17:29:11 2015 : Info: [eap] Continuing tunnel setup.
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns ok
Wed Sep 23 17:29:11 2015 : Info: Found Auth-Type = EAP
Wed Sep 23 17:29:11 2015 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group authenticate {...}
Wed Sep 23 17:29:11 2015 : Info: [eap] Request found, released from the list
Wed Sep 23 17:29:11 2015 : Info: [eap] EAP/ttls
Wed Sep 23 17:29:11 2015 : Info: [eap] processing type ttls
Wed Sep 23 17:29:11 2015 : Info: [ttls] Authenticate
Wed Sep 23 17:29:11 2015 : Info: [ttls] processing EAP-TLS
Wed Sep 23 17:29:11 2015 : Debug: TLS Length 7
Wed Sep 23 17:29:11 2015 : Info: [ttls] Length Included
Wed Sep 23 17:29:11 2015 : Info: [ttls] eaptls_verify returned 11
Wed Sep 23 17:29:11 2015 : Info: [ttls] <<< TLS 1.0 Alert [length 0002],
warning close_notify
Wed Sep 23 17:29:11 2015 : Error: TLS Alert read:warning:close notify
Wed Sep 23 17:29:11 2015 : Error: TLS_accept: failed in SSLv3 read
client certificate A
Wed Sep 23 17:29:11 2015 : Error: rlm_eap: SSL error error:140940E5:SSL
routines:SSL3_READ_BYTES:ssl handshake failure
Wed Sep 23 17:29:11 2015 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Wed Sep 23 17:29:11 2015 : Debug: TLS receive handshake failed during
operation
Wed Sep 23 17:29:11 2015 : Info: [ttls] eaptls_process returned 4
Wed Sep 23 17:29:11 2015 : Info: [eap] Handler failed in EAP/ttls
Wed Sep 23 17:29:11 2015 : Info: [eap] Failed in EAP select
Wed Sep 23 17:29:11 2015 : Info: ++[eap] returns invalid
Wed Sep 23 17:29:11 2015 : Info: Failed to authenticate the user.
Wed Sep 23 17:29:11 2015 : Info: Using Post-Auth-Type Reject
Wed Sep 23 17:29:11 2015 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Wed Sep 23 17:29:11 2015 : Info: +- entering group REJECT {...}
Wed Sep 23 17:29:11 2015 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> anonymous
Wed Sep 23 17:29:11 2015 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Wed Sep 23 17:29:11 2015 : Info: ++[attr_filter.access_reject] returns
updated
Wed Sep 23 17:29:11 2015 : Info: Delaying reject of request 3 for 1 seconds
Wed Sep 23 17:29:11 2015 : Debug: Going to the next request
Wed Sep 23 17:29:11 2015 : Debug: Waking up in 0.9 seconds.
Wed Sep 23 17:29:12 2015 : Info: Sending delayed reject for request 3
Sending Access-Reject of id 11 to 10.0.2.2 port 34931
EAP-Message = 0x04bd0004
Message-Authenticator = 0x00000000000000000000000000000000
7
26
multiOTP - /etc/freeradius/policy.conf[33]: Expecting section start brace '{' after "else if"
by Timothy 25 Sep '15
by Timothy 25 Sep '15
25 Sep '15
Thanks in advance for any assistance!
System: Ubuntu 14.0.4 LTS, FreeRADIUS installed from apt-get install.
FreeRADIUS works fine for what we have been using it for: MSCHAPV2 &
various types of EAP against AD. We would like to add multiOTP to the mix.
multiOTP testing (not using FreeRADIUS) works fine from the command line.
After doing all of the steps from the guide (
http://wiki.freeradius.org/guide/multiOTP-HOWTO) I get the following error
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26
2015 at 14:47:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/multiotp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/multiotpmschap
including configuration file /etc/freeradius/modules/
sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
/etc/freeradius/policy.conf[33]: Expecting section start brace '{' after
"else if"
Errors reading /etc/freeradius/radiusd.conf
--------------------------------------------------------------------------------------
The policy has been copied verbatim from the multiOTP howto, and inserted
above the existing policy. The line in question is this:
>> else if (!control:Auth-Type && User-Password =~
/^${policy.multiotp_prefix}([0-9]{10})$/) {
if I change it to this (adding another closing bracket), FreeRadius will
start, but then I get a different error when doing a radtest -t pap from
the command line
>> else {
>> if (!control:Auth-Type && User-Password =~
/^${policy.multiotp_prefix}([0-9]{10})$/) {
error on radtest:
? Evaluating (control:Auth-Type == 'MS-CHAP') -> FALSE
+++? if (control:Auth-Type == 'MS-CHAP') -> FALSE
+++- entering else else {...}
++++? if (!control:Auth-Type && User-Password =~
/^${policy.multiotp_prefix}([0-9]{10})$/)
? Evaluating !(control:Auth-Type ) -> TRUE
ERROR: Failed compiling regular expression: Invalid preceding regular
expression
+++- else else returns noop
++- policy multiotp.authorize returns noop
If I try any other RegEx (like nested if's), it still has the "invalid
preceding regular expression" error.
My concern is that the policy.conf modification in the HowTo might not work
in my case.
If someone can shed some light on this matter, I would gratefully
appreciate it!
Timo
2
2
Hi All,
Think I am seeing the Inner tunnel issue but I am simply passing through
unless the inner tunnel config has changed, It appears to be the same as
with the 2x. Just to clarify I never changed any settings from the
default both in 2x and 3.0.4.
No other errors on radius -X (fixed the warnings about client ipaddr
being needed in clients)
Connection receives request and ID's it then
Invalid packet code 1 sent to a proxy port from home server x.x.x.x port
37438 - ID 124 : IGNORED
Tried Commenting out the suffix and domain stuff in
sites-enabled/inner-tunnel but that did not work either.
Thoughts on things to try?
Thanks,
Brad
3
6
Hi
I am probably doing something wrong, but I can't figure out why I seem to
be loosing attributes during the processing of a DHCP request.
As I understand it, the snippet here shows that the attribute
DHCP-Your-IP-Address is added by rlm_perl and later on that the attribute
does not exist:
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Your-IP-Address =
$RAD_REPLY{'DHCP-Your-IP-Address'} -> '10.200.0.50'
...
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP: Failed to find
DHCP-Client-IP-Address or DHCP-Your-IP-Address for request; not responding
What I can't understand is why the attribute cannot be found later on in
the processing of the request. This server is running the latest 3.0. and
it is successfully processing other DHCP packets. The only difference I can
see with this packet is that is from a locally attached client wheras the
other clients are behind relays.
I would be grateful for any help.
Here is the full debug:
Received DHCP-Discover of Id 35a1700b from 0.0.0.0:68 to 255.255.255.255:67
0: 01 01 06 00 35 a1 70 0b 00 00 80 00 00 00 00 00
16: 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 29 06
32: ca 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00
48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
224: 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63
240: 35 01 01 74 01 01 3d 07 01 00 0c 29 06 ca 30 32
256: 04 a9 fe 85 6a 0c 0f 68 6f 6d 65 2d 63 63 37 61
272: 64 34 37 61 34 31 3c 08 4d 53 46 54 20 35 2e 30
288: 37 0b 01 0f 03 06 2c 2e 2f 1f 21 f9 2b 2b 02 dc
304: 00 ff
DHCP-Opcode = Client-Message
DHCP-Hardware-Type = Ethernet
DHCP-Hardware-Address-Length = 6
DHCP-Hop-Count = 0
DHCP-Transaction-Id = 899772427
DHCP-Number-of-Seconds = 0
DHCP-Flags = Broadcast
DHCP-Client-IP-Address = 0.0.0.0
DHCP-Your-IP-Address = 0.0.0.0
DHCP-Server-IP-Address = 0.0.0.0
DHCP-Gateway-IP-Address = 0.0.0.0
DHCP-Client-Hardware-Address = 00:0c:29:06:ca:30
DHCP-Message-Type = DHCP-Discover
DHCP-Auto-Config = 1
DHCP-Client-Identifier = 0x01000c2906ca30
DHCP-Requested-IP-Address = 169.254.133.106
DHCP-Hostname = "home-cc7ad47a41"
DHCP-Vendor-Class-Identifier = 0x4d53465420352e30
DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Domain-Name
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
DHCP-Parameter-Request-List = DHCP-NETBIOS-Node-Type
DHCP-Parameter-Request-List = DHCP-NETBIOS
DHCP-Parameter-Request-List = DHCP-Perform-Router-Discovery
DHCP-Parameter-Request-List = DHCP-Static-Routes
DHCP-Parameter-Request-List = DHCP-Site-specific-25
DHCP-Parameter-Request-List = DHCP-Vendor
DHCP-Vendor = 0xdc00
Wed Sep 23 08:46:42 2015 : Debug: (5) Received code 1025 Id 899772427 from
0.0.0.0:68 to 255.255.255.255:67 length 306
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Opcode = Client-Message
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Hardware-Type = Ethernet
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Hardware-Address-Length = 6
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Hop-Count = 0
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Transaction-Id = 899772427
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Number-of-Seconds = 0
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Flags = Broadcast
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Client-IP-Address = 0.0.0.0
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Your-IP-Address = 0.0.0.0
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Server-IP-Address = 0.0.0.0
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Gateway-IP-Address = 0.0.0.0
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Client-Hardware-Address =
00:0c:29:06:ca:30
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Message-Type = DHCP-Discover
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Auto-Config = 1
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Client-Identifier =
0x01000c2906ca30
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Requested-IP-Address =
169.254.133.106
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Hostname = "home-cc7ad47a41"
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Vendor-Class-Identifier =
0x4d53465420352e30
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Subnet-Mask
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Domain-Name
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Router-Address
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Domain-Name-Server
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-NETBIOS-Name-Servers
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-NETBIOS-Node-Type
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-NETBIOS
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Perform-Router-Discovery
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Static-Routes
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Site-specific-25
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Parameter-Request-List =
DHCP-Vendor
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP-Vendor = 0xdc00
Wed Sep 23 08:46:42 2015 : Debug: Trying sub-section dhcp DHCP-Discover
{...}
Wed Sep 23 08:46:42 2015 : Debug: (5) dhcp DHCP-Discover {
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: calling
linelog-dhcp (rlm_linelog) for request 5
Wed Sep 23 08:46:42 2015 : Debug:
%{%{reply:DHCP-Message-Type}:-%{request:DHCP-Message-Type}}
Wed Sep 23 08:46:42 2015 : Debug: Parsed xlat tree:
Wed Sep 23 08:46:42 2015 : Debug: if {
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Message-Type
Wed Sep 23 08:46:42 2015 : Debug: }
Wed Sep 23 08:46:42 2015 : Debug: else {
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Message-Type
Wed Sep 23 08:46:42 2015 : Debug: }
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: EXPAND
%{%{reply:DHCP-Message-Type}:-%{request:DHCP-Message-Type}}
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: --> DHCP-Discover
Wed Sep 23 08:46:42 2015 : Debug:
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: Parsed xlat tree:
Wed Sep 23 08:46:42 2015 : Debug: literal -->
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: EXPAND
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: -->
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: %S --> Transaction-ID:
%{DHCP-Transaction-Id} DISCOVER: [%{DHCP-Client-Hardware-Address}] via
(%{DHCP-Gateway-IP-Address}), hop count = %{DHCP-Hop-Count}, Relay =
%{DHCP-Relay-Remote-Id}, Hostname = %{DHCP-Hostname}
Wed Sep 23 08:46:42 2015 : Debug: Parsed xlat tree:
Wed Sep 23 08:46:42 2015 : Debug: percent --> S
Wed Sep 23 08:46:42 2015 : Debug: literal --> --> Transaction-ID:
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Transaction-Id
Wed Sep 23 08:46:42 2015 : Debug: literal --> DISCOVER: [
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Client-Hardware-Address
Wed Sep 23 08:46:42 2015 : Debug: literal --> ] via (
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Gateway-IP-Address
Wed Sep 23 08:46:42 2015 : Debug: literal --> ), hop count =
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Hop-Count
Wed Sep 23 08:46:42 2015 : Debug: literal --> , Relay =
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Relay-Remote-Id
Wed Sep 23 08:46:42 2015 : Debug: literal --> , Hostname =
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Hostname
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: EXPAND %S -->
Transaction-ID: %{DHCP-Transaction-Id} DISCOVER:
[%{DHCP-Client-Hardware-Address}] via (%{DHCP-Gateway-IP-Address}), hop
count = %{DHCP-Hop-Count}, Relay = %{DHCP-Relay-Remote-Id}, Hostname =
%{DHCP-Hostname}
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: --> 2015-09-23
08:46:42 --> Transaction-ID: 899772427 DISCOVER: [00:0c:29:06:ca:30] via
(0.0.0.0), hop count = 0, Relay = , Hostname = home-cc7ad47a41
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: returned
from linelog-dhcp (rlm_linelog) for request 5
Wed Sep 23 08:46:42 2015 : Debug: (5) [linelog-dhcp] = ok
Wed Sep 23 08:46:42 2015 : Debug: (5) update reply {
Wed Sep 23 08:46:42 2015 : Debug: (5) &DHCP-DHCP-Server-Identifier =
10.200.0.1
Wed Sep 23 08:46:42 2015 : Debug: (5) &DHCP-Flags = 0
Wed Sep 23 08:46:42 2015 : Debug: (5) } # update reply = noop
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: calling
perl (rlm_perl) for request 5
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: $RAD_REQUEST{'DHCP-Opcode'} =
&request:DHCP-Opcode -> 'Client-Message'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Hardware-Type'} = &request:DHCP-Hardware-Type ->
'Ethernet'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Hardware-Address-Length'} =
&request:DHCP-Hardware-Address-Length -> '6'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Hop-Count'} = &request:DHCP-Hop-Count -> '0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Transaction-Id'} = &request:DHCP-Transaction-Id ->
'899772427'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Number-of-Seconds'} = &request:DHCP-Number-of-Seconds ->
'0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: $RAD_REQUEST{'DHCP-Flags'} =
&request:DHCP-Flags -> 'Broadcast'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Client-IP-Address'} = &request:DHCP-Client-IP-Address ->
'0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Your-IP-Address'} = &request:DHCP-Your-IP-Address ->
'0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Server-IP-Address'} = &request:DHCP-Server-IP-Address ->
'0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Gateway-IP-Address'} = &request:DHCP-Gateway-IP-Address
-> '0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Client-Hardware-Address'} =
&request:DHCP-Client-Hardware-Address -> '00:0c:29:06:ca:30'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: $RAD_REQUEST{'DHCP-Hostname'}
= &request:DHCP-Hostname -> 'home-cc7ad47a41'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: $RAD_REQUEST{'DHCP-Vendor'} =
&request:DHCP-Vendor -> '0xdc00'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Requested-IP-Address'} =
&request:DHCP-Requested-IP-Address -> '169.254.133.106'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Message-Type'} = &request:DHCP-Message-Type ->
'DHCP-Discover'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[0] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Subnet-Mask'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[1] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Domain-Name'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[2] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Router-Address'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[3] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Domain-Name-Server'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[4] =
&request:DHCP-Parameter-Request-List -> 'DHCP-NETBIOS-Name-Servers'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[5] =
&request:DHCP-Parameter-Request-List -> 'DHCP-NETBIOS-Node-Type'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[6] =
&request:DHCP-Parameter-Request-List -> 'DHCP-NETBIOS'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[7] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Perform-Router-Discovery'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[8] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Static-Routes'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[9] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Site-specific-25'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Parameter-Request-List'}[10] =
&request:DHCP-Parameter-Request-List -> 'DHCP-Vendor'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Vendor-Class-Identifier'} =
&request:DHCP-Vendor-Class-Identifier -> '0x4d53465420352e30'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Client-Identifier'} = &request:DHCP-Client-Identifier ->
'0x01000c2906ca30'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REQUEST{'DHCP-Auto-Config'} = &request:DHCP-Auto-Config -> '1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: $RAD_REPLY{'DHCP-Flags'} =
&reply:DHCP-Flags -> '0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
$RAD_REPLY{'DHCP-DHCP-Server-Identifier'} =
&reply:DHCP-DHCP-Server-Identifier -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Your-IP-Address =
$RAD_REQUEST{'DHCP-Your-IP-Address'} -> '0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Message-Type =
$RAD_REQUEST{'DHCP-Message-Type'} -> 'DHCP-Discover'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Vendor-Class-Identifier =
$RAD_REQUEST{'DHCP-Vendor-Class-Identifier'} -> '0x4d53465420352e30'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Hop-Count =
$RAD_REQUEST{'DHCP-Hop-Count'} -> '0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Number-of-Seconds
= $RAD_REQUEST{'DHCP-Number-of-Seconds'} -> '0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Client-IP-Address
= $RAD_REQUEST{'DHCP-Client-IP-Address'} -> '0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Gateway-IP-Address = $RAD_REQUEST{'DHCP-Gateway-IP-Address'}
-> '0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Hardware-Type =
$RAD_REQUEST{'DHCP-Hardware-Type'} -> 'Ethernet'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Flags =
$RAD_REQUEST{'DHCP-Flags'} -> 'Broadcast'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Hardware-Address-Length =
$RAD_REQUEST{'DHCP-Hardware-Address-Length'} -> '6'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Hostname =
$RAD_REQUEST{'DHCP-Hostname'} -> 'home-cc7ad47a41'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Opcode =
$RAD_REQUEST{'DHCP-Opcode'} -> 'Client-Message'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Transaction-Id =
$RAD_REQUEST{'DHCP-Transaction-Id'} -> '899772427'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-Subnet-Mask'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-Domain-Name'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-Router-Address'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-Domain-Name-Server'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-NETBIOS-Name-Servers'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-NETBIOS-Node-Type'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-NETBIOS'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} ->
'DHCP-Perform-Router-Discovery'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-Static-Routes'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-Site-specific-25'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Parameter-Request-List +=
$RAD_REQUEST{'DHCP-Parameter-Request-List'} -> 'DHCP-Vendor'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Client-Hardware-Address =
$RAD_REQUEST{'DHCP-Client-Hardware-Address'} -> '00:0c:29:06:ca:30'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Server-IP-Address
= $RAD_REQUEST{'DHCP-Server-IP-Address'} -> '0.0.0.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&request:DHCP-Requested-IP-Address =
$RAD_REQUEST{'DHCP-Requested-IP-Address'} -> '169.254.133.106'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Auto-Config =
$RAD_REQUEST{'DHCP-Auto-Config'} -> '1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Vendor =
$RAD_REQUEST{'DHCP-Vendor'} -> '0xdc00'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &request:DHCP-Client-Identifier
= $RAD_REQUEST{'DHCP-Client-Identifier'} -> '0x01000c2906ca30'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Your-IP-Address =
$RAD_REPLY{'DHCP-Your-IP-Address'} -> '10.200.0.50'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Domain-Name-Server
+= $RAD_REPLY{'DHCP-Domain-Name-Server'} -> '10.1.1.253'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Domain-Name-Server
+= $RAD_REPLY{'DHCP-Domain-Name-Server'} -> '10.1.1.254'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-WWW-Server-Address
= $RAD_REPLY{'DHCP-WWW-Server-Address'} -> 'www.censored'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Time-Offset =
$RAD_REPLY{'DHCP-Time-Offset'} -> '2'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-SMTP-Server-Address
= $RAD_REPLY{'DHCP-SMTP-Server-Address'} -> 'smtp.censored'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-POP3-Server-Address
= $RAD_REPLY{'DHCP-POP3-Server-Address'} -> 'mail.censored'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Site-specific-25 =
$RAD_REPLY{'DHCP-Site-specific-25'} ->
'0x100a010ac80001100a020ac80001100a0a0ac800010cac100ac800010cac200ac8000108ef0ac80032'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Boot-Filename =
$RAD_REPLY{'DHCP-Boot-Filename'} -> 'hydra.bin'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&reply:DHCP-IP-Address-Lease-Time =
$RAD_REPLY{'DHCP-IP-Address-Lease-Time'} -> '300'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Time-Server =
$RAD_REPLY{'DHCP-Time-Server'} -> 'time.censored'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&reply:DHCP-DHCP-Server-Identifier =
$RAD_REPLY{'DHCP-DHCP-Server-Identifier'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Subnet-Mask =
$RAD_REPLY{'DHCP-Subnet-Mask'} -> '255.255.255.0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-NNTP-Server-Address
= $RAD_REPLY{'DHCP-NNTP-Server-Address'} -> 'ntp.censored'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Router-Address =
$RAD_REPLY{'DHCP-Router-Address'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.1.1.5'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.1.2.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.2.2.7'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.2.2.8'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.2.2.9'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.2.2.11'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.1.1.250'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.1.1.252'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.1.1.254'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-Static-Routes +=
$RAD_REPLY{'DHCP-Static-Routes'} -> '10.200.0.1'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-IP-Forward-Enable =
$RAD_REPLY{'DHCP-IP-Forward-Enable'} -> '0'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl:
&reply:DHCP-Classless-Static-Route =
$RAD_REPLY{'DHCP-Classless-Static-Route'} ->
'0x100a010ac80001100a020ac80001100a0a0ac800010cac100ac800010cac200ac8000108ef0ac80032'
Wed Sep 23 08:46:42 2015 : Debug: (5) perl: &reply:DHCP-NTP-Servers =
$RAD_REPLY{'DHCP-NTP-Servers'} -> 'ntp.censored'
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: returned
from perl (rlm_perl) for request 5
Wed Sep 23 08:46:42 2015 : Debug: (5) [perl] = ok
Wed Sep 23 08:46:42 2015 : Debug: (5) if (ok) {
Wed Sep 23 08:46:42 2015 : Debug: (5) if (ok) -> TRUE
Wed Sep 23 08:46:42 2015 : Debug: (5) if (ok) {
Wed Sep 23 08:46:42 2015 : Debug: (5) update reply {
Wed Sep 23 08:46:42 2015 : Debug: (5) &DHCP-Message-Type =
DHCP-Offer
Wed Sep 23 08:46:42 2015 : Debug: (5) &DHCP-Server-IP-Address =
10.200.0.1
Wed Sep 23 08:46:42 2015 : Debug: (5) } # update reply = noop
Wed Sep 23 08:46:42 2015 : Debug: (5) } # if (ok) = noop
Wed Sep 23 08:46:42 2015 : Debug: (5) ... skipping else for request 5:
Preceding "if" was taken
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: calling
linelog-dhcp (rlm_linelog) for request 5
Wed Sep 23 08:46:42 2015 : Debug:
%{%{reply:DHCP-Message-Type}:-%{request:DHCP-Message-Type}}
Wed Sep 23 08:46:42 2015 : Debug: Parsed xlat tree:
Wed Sep 23 08:46:42 2015 : Debug: if {
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Message-Type
Wed Sep 23 08:46:42 2015 : Debug: }
Wed Sep 23 08:46:42 2015 : Debug: else {
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Message-Type
Wed Sep 23 08:46:42 2015 : Debug: }
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: EXPAND
%{%{reply:DHCP-Message-Type}:-%{request:DHCP-Message-Type}}
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: --> DHCP-Offer
Wed Sep 23 08:46:42 2015 : Debug:
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: Parsed xlat tree:
Wed Sep 23 08:46:42 2015 : Debug: literal -->
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: EXPAND
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: -->
/usr/local/var/log/radius-dhcp/linelog-dhcp.log
Wed Sep 23 08:46:42 2015 : Debug: %S <-- Transaction-ID:
%{DHCP-Transaction-Id} OFFER: %{reply:DHCP-Your-IP-Address} to
[%{DHCP-Client-Hardware-Address}] ...
Wed Sep 23 08:46:42 2015 : Debug: Parsed xlat tree:
Wed Sep 23 08:46:42 2015 : Debug: percent --> S
Wed Sep 23 08:46:42 2015 : Debug: literal --> <-- Transaction-ID:
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Transaction-Id
Wed Sep 23 08:46:42 2015 : Debug: literal --> OFFER:
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Your-IP-Address
Wed Sep 23 08:46:42 2015 : Debug: literal --> to [
Wed Sep 23 08:46:42 2015 : Debug: attribute --> DHCP-Client-Hardware-Address
Wed Sep 23 08:46:42 2015 : Debug: literal --> ] ...
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: EXPAND %S <--
Transaction-ID: %{DHCP-Transaction-Id} OFFER: %{reply:DHCP-Your-IP-Address}
to [%{DHCP-Client-Hardware-Address}] ...
Wed Sep 23 08:46:42 2015 : Debug: (5) linelog-dhcp: --> 2015-09-23
08:46:42 <-- Transaction-ID: 899772427 OFFER: to [00:0c:29:06:ca:30] ...
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: returned
from linelog-dhcp (rlm_linelog) for request 5
Wed Sep 23 08:46:42 2015 : Debug: (5) [linelog-dhcp] = ok
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: calling ok
(rlm_always) for request 5
Wed Sep 23 08:46:42 2015 : Debug: (5) modsingle[post-auth]: returned
from ok (rlm_always) for request 5
Wed Sep 23 08:46:42 2015 : Debug: (5) [ok] = ok
Wed Sep 23 08:46:42 2015 : Debug: (5) } # dhcp DHCP-Discover = ok
Wed Sep 23 08:46:42 2015 : Debug: (5) DHCP: Failed to find
DHCP-Client-IP-Address or DHCP-Your-IP-Address for request; not responding
Wed Sep 23 08:46:42 2015 : Debug: (5) Not sending reply to client.
Wed Sep 23 08:46:42 2015 : Debug: (5) Finished request
Wed Sep 23 08:46:42 2015 : Debug: (5) Cleaning up request packet ID
899772427 with timestamp +39
2
4
Hi everyone,
I have set the daily traffic limit to VPN user.
-----------------------------
sqlcounter dailytrafficcounter {
counter-name = Daily-Traffic
check-name = Max-Daily-Traffic
reply-name = Daily-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = daily
query = "SELECT SUM(acctinputoctets + acctoutputoctets) FROM
radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"
}
--------------------------------------
When the limit reaches, users cant login.
And the next day ,users login fine till the daily limit reaches.
But in the next day ,the bindwith not reset to 0,just follow the
yesterday's data.
How can i make the data reset to 0 ?
Thanks.
--
Best regards,
Xu
1
0
FR 3.0.9 on Debian Jessie: proto_dhcp.so present in both freeradius-dhcp and freeradius
by Martin Pauly 25 Sep '15
by Martin Pauly 25 Sep '15
25 Sep '15
Hi,
just a minor issue in Debian packaging of 3.0.9:
Building the .deb packages is fine, but when I try to install them with dpkg -i I get
Selecting previously unselected package freeradius-dhcp.
(Reading database ... 39805 files and directories currently installed.)
Preparing to unpack freeradius-dhcp_3.0.9+git_amd64.deb ...
Unpacking freeradius-dhcp (3.0.9+git) ...
dpkg: error processing archive freeradius-dhcp_3.0.9+git_amd64.deb (--install):
trying to overwrite '/usr/lib/freeradius/proto_dhcp.so', which is also in package freeradius 3.0.9+git
... or the other way round when swapping install sequence.
Indeed I can see it doubly:
root@vhrz715:~/freeradius-3.0.9# dpkg -c freeradius-dhcp_3.0.9+git_amd64.deb | grep proto_dhcp.so
-rw-r--r-- root/root 15256 2015-09-16 10:03 ./usr/lib/freeradius/proto_dhcp.so
root@vhrz715:~/freeradius-3.0.9# dpkg -c freeradius_3.0.9+git_amd64.deb | grep proto_dhcp.so
-rw-r--r-- root/root 15256 2015-09-16 10:03 ./usr/lib/freeradius/proto_dhcp.so
Perhaps that was missed when moving the DHCP things to their own package?
Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly(a)HRZ.Uni-Marburg.DE
D-35032 Marburg
3
5