Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
November 2016
- 73 participants
- 105 discussions
Having a hard time setting up my new freeRADIUS 3.0.12 on Ubuntu 16.04. I am trying to turn on ldap; I altered the file in sites-available, and hand created a symlink to it from sites-enabled. But now I am getting an error in radiusd -X of
/usr/local/etc/raddb/mods-enabled/ldap[8]: Failed to link to module 'rlm_ldap': /usr/local/lib/rlm_ldap.so: cannot open shared object file: No such file or directory
I have verified that there is no rlm-ldap.so file in /usr/local/lib. This site (https://access.redhat.com/solutions/2262901) suggests that I missed something during the make process. Are shared objects only created during the make process? How do I get one when it is missing? All the stuff I am reading implies all that is needed to make any module work is the symlink.
Daniel Wruck
7
12
Hello,
I am running CentOS7, Samba 4.2.10, FreeRADIUS 3.0.4 The client I'm having
trouble with is an iPhone 6 running iOS 10.1.1
With help from this list I was able to get LDAP queries and EAP-TLS certificates working on
Windows devices. Now I am on to iPhones and running into EAP-TLS/SSL errors that I was hoping to get
insight on as well. I've added the full radius -X below but the part I think is the issue is the following:
(11) eap : Peer sent method TLS (13)
(11) eap : EAP TLS (13)
(11) eap : Calling eap_tls to process EAP data
(11) eap_tls : Authenticate
(11) eap_tls : processing EAP-TLS
TLS Length 7
(11) eap_tls : Length Included
(11) eap_tls : eaptls_verify returned 11
(11) eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(11) ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(11) ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(11) eap_tls : eaptls_process returned 4
(11) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(11) eap : Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
At this point I don't know if the issue is the certificates I'm using such as
Apple/iOS devices requiring additional attributes for certificates the
way WindowsXP does, or perhaps a configuration issue on my FreeRADIUS server
that I can change to allow the iPhone to connect successfully?
I have added the individual .p12 certificate for the iPhone and the root
CA of the FreeRADIUS server to the iPhone via MobileIron. The WiFi network shows
up on the iPhone and when I click the WPA2 Enterprise test network to join,
it spins for a little bit before failing.
As always, any help or insights would be greatly appreciated.
Thank you,
Travis
***** radius -X *****
Ready to process requests
Received Access-Request Id 102 from 10.10.2.164:50046 to 10.10.0.238:1812 length 169
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02a8000e0174656c736265727279
Message-Authenticator = 0xf92f238034e67c450f8ae544f95a1c15
(0) Received Access-Request packet from host 10.10.2.164 port 50046, id=102, length=169
(0) User-Name = 'telsberry'
(0) NAS-IP-Address = 10.10.2.164
(0) NAS-Identifier = '24a43c08fe80'
(0) NAS-Port = 0
(0) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(0) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 0Mbps 802.11b'
(0) EAP-Message = 0x02a8000e0174656c736265727279
(0) Message-Authenticator = 0xf92f238034e67c450f8ae544f95a1c15
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\\./)
(0) if (&User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) ntdomain : Checking for prefix before "\"
(0) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(0) ntdomain : No such realm "NULL"
(0) [ntdomain] = noop
(0) eap : Peer sent code Response (2) ID 168 length 14
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0x38b7b867381ea1e6
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=102, length=0
(0) EAP-Message = 0x01a900061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x38b7b867381ea1e69a6c9c1f62dac08f
Sending Access-Challenge Id 102 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01a900061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b867381ea1e69a6c9c1f62dac08f
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 103 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02a90006030d
State = 0x38b7b867381ea1e69a6c9c1f62dac08f
Message-Authenticator = 0xc53947fd81bdbd9218fb95ecdd62cf70
(1) Received Access-Request packet from host 10.10.2.164 port 50046, id=103, length=179
(1) User-Name = 'telsberry'
(1) NAS-IP-Address = 10.10.2.164
(1) NAS-Identifier = '24a43c08fe80'
(1) NAS-Port = 0
(1) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(1) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = 'CONNECT 0Mbps 802.11b'
(1) EAP-Message = 0x02a90006030d
(1) State = 0x38b7b867381ea1e69a6c9c1f62dac08f
(1) Message-Authenticator = 0xc53947fd81bdbd9218fb95ecdd62cf70
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\\./)
(1) if (&User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) ntdomain : Checking for prefix before "\"
(1) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(1) ntdomain : No such realm "NULL"
(1) [ntdomain] = noop
(1) eap : Peer sent code Response (2) ID 169 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(1) WARNING: pap : Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x38b7b867381ea1e6
(1) eap : Finished EAP session with state 0x38b7b867381ea1e6
(1) eap : Previous EAP request found for state 0x38b7b867381ea1e6, released from the list
(1) eap : Peer sent method NAK (3)
(1) eap : Found mutually acceptable type TLS (13)
(1) eap : Calling eap_tls to process EAP data
(1) eap_tls : Requiring client certificate
(1) eap_tls : Initiate
(1) eap_tls : Requiring client certificate
(1) eap_tls : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0x38b7b867391db5e6
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=103, length=0
(1) EAP-Message = 0x01aa00060d20
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x38b7b867391db5e69a6c9c1f62dac08f
Sending Access-Challenge Id 103 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01aa00060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b867391db5e69a6c9c1f62dac08f
(1) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 104 from 10.10.2.164:50046 to 10.10.0.238:1812 length 300
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02aa007f0d800000007516030100700100006c0301581cbf0ca2d28cea68d276805042fd88c6e95061393ba9592634261687604d5500002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
State = 0x38b7b867391db5e69a6c9c1f62dac08f
Message-Authenticator = 0xa1e0bcb1d1b00775ebbc1ce4a245048b
(2) Received Access-Request packet from host 10.10.2.164 port 50046, id=104, length=300
(2) User-Name = 'telsberry'
(2) NAS-IP-Address = 10.10.2.164
(2) NAS-Identifier = '24a43c08fe80'
(2) NAS-Port = 0
(2) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(2) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = 'CONNECT 0Mbps 802.11b'
(2) EAP-Message = 0x02aa007f0d800000007516030100700100006c0301581cbf0ca2d28cea68d276805042fd88c6e95061393ba9592634261687604d5500002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
(2) State = 0x38b7b867391db5e69a6c9c1f62dac08f
(2) Message-Authenticator = 0xa1e0bcb1d1b00775ebbc1ce4a245048b
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (!&User-Name)
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\\./)
(2) if (&User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) ntdomain : Checking for prefix before "\"
(2) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(2) ntdomain : No such realm "NULL"
(2) [ntdomain] = noop
(2) eap : Peer sent code Response (2) ID 170 length 127
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x38b7b867391db5e6
(2) eap : Finished EAP session with state 0x38b7b867391db5e6
(2) eap : Previous EAP request found for state 0x38b7b867391db5e6, released from the list
(2) eap : Peer sent method TLS (13)
(2) eap : EAP TLS (13)
(2) eap : Calling eap_tls to process EAP data
(2) eap_tls : Authenticate
(2) eap_tls : processing EAP-TLS
TLS Length 117
(2) eap_tls : Length Included
(2) eap_tls : eaptls_verify returned 11
(2) eap_tls : (other): before/accept initialization
(2) eap_tls : TLS_accept: before/accept initialization
(2) eap_tls : <<< TLS 1.0 Handshake [length 0070], ClientHello
(2) eap_tls : TLS_accept: SSLv3 read client hello A
(2) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_tls : TLS_accept: SSLv3 write server hello A
(2) eap_tls : >>> TLS 1.0 Handshake [length 085c], Certificate
(2) eap_tls : TLS_accept: SSLv3 write certificate A
(2) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_tls : TLS_accept: SSLv3 write key exchange A
(2) eap_tls : >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(2) eap_tls : TLS_accept: SSLv3 write certificate request A
(2) eap_tls : TLS_accept: SSLv3 flush data
(2) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_tls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673a1cb5e6
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=104, length=0
(2) EAP-Message = 0x01ab03ec0dc000000aba1603010059020000550301581cbf0c713c6d11a66cdaf995b78d1e16b7d6082961572ccef3d6d0d516ea042031b33b78ae02c8c96ff5b159bd6c35ede39fef7f157adcca7cdb804adedd0bc5c01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040b
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
Sending Access-Challenge Id 104 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01ab03ec0dc000000aba1603010059020000550301581cbf0c713c6d11a66cdaf995b78d1e16b7d6082961572ccef3d6d0d516ea042031b33b78ae02c8c96ff5b159bd6c35ede39fef7f157adcca7cdb804adedd0bc5c01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 105 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02ab00060d00
State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
Message-Authenticator = 0x9b16c07977b90cec214cdd76a5845ebd
(3) Received Access-Request packet from host 10.10.2.164 port 50046, id=105, length=179
(3) User-Name = 'telsberry'
(3) NAS-IP-Address = 10.10.2.164
(3) NAS-Identifier = '24a43c08fe80'
(3) NAS-Port = 0
(3) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(3) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = 'CONNECT 0Mbps 802.11b'
(3) EAP-Message = 0x02ab00060d00
(3) State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
(3) Message-Authenticator = 0x9b16c07977b90cec214cdd76a5845ebd
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (!&User-Name)
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\\./)
(3) if (&User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) ntdomain : Checking for prefix before "\"
(3) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(3) ntdomain : No such realm "NULL"
(3) [ntdomain] = noop
(3) eap : Peer sent code Response (2) ID 171 length 6
(3) eap : No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x38b7b8673a1cb5e6
(3) eap : Finished EAP session with state 0x38b7b8673a1cb5e6
(3) eap : Previous EAP request found for state 0x38b7b8673a1cb5e6, released from the list
(3) eap : Peer sent method TLS (13)
(3) eap : EAP TLS (13)
(3) eap : Calling eap_tls to process EAP data
(3) eap_tls : Authenticate
(3) eap_tls : processing EAP-TLS
(3) eap_tls : Received TLS ACK
(3) eap_tls : Received TLS ACK
(3) eap_tls : ACK handshake fragment handler
(3) eap_tls : eaptls_verify returned 1
(3) eap_tls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673b1bb5e6
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=105, length=0
(3) EAP-Message = 0x01ac03ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd82
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
Sending Access-Challenge Id 105 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01ac03ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
(3) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 106 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02ac00060d00
State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
Message-Authenticator = 0xa8b6c078c03a7583b4a4cc5628fe3e44
(4) Received Access-Request packet from host 10.10.2.164 port 50046, id=106, length=179
(4) User-Name = 'telsberry'
(4) NAS-IP-Address = 10.10.2.164
(4) NAS-Identifier = '24a43c08fe80'
(4) NAS-Port = 0
(4) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(4) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = 'CONNECT 0Mbps 802.11b'
(4) EAP-Message = 0x02ac00060d00
(4) State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
(4) Message-Authenticator = 0xa8b6c078c03a7583b4a4cc5628fe3e44
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (!&User-Name)
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\\./)
(4) if (&User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) ntdomain : Checking for prefix before "\"
(4) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(4) ntdomain : No such realm "NULL"
(4) [ntdomain] = noop
(4) eap : Peer sent code Response (2) ID 172 length 6
(4) eap : No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x38b7b8673b1bb5e6
(4) eap : Finished EAP session with state 0x38b7b8673b1bb5e6
(4) eap : Previous EAP request found for state 0x38b7b8673b1bb5e6, released from the list
(4) eap : Peer sent method TLS (13)
(4) eap : EAP TLS (13)
(4) eap : Calling eap_tls to process EAP data
(4) eap_tls : Authenticate
(4) eap_tls : processing EAP-TLS
(4) eap_tls : Received TLS ACK
(4) eap_tls : Received TLS ACK
(4) eap_tls : ACK handshake fragment handler
(4) eap_tls : eaptls_verify returned 1
(4) eap_tls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673c1ab5e6
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=106, length=0
(4) EAP-Message = 0x01ad03000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c0001470300174104b184fa4f5e15c47e7630f58784864684ffa82c705bcfcb18ad213d6717e9535cc5dcc6c88028ee1297ee239cdc3830363c77b0954d93bdf1cd22bf0811229a6601009edeaa4f60d6d84718ebedf5108c9135b0c0f0165eef4fd3de4bb036a4af81f8cf5348c71d87a43aa9ac9720690827bd408a149644be7c6dd89859fe65160ea309e5678bd60c03484a54436b27221ea45811938bf1cae5698f6e24d8d4ffbcae82da1d82a97978cd7eda7c590e55f7b1acd0146bcb515e719062b65564d8472ad74a5925524a89b978aa60b60c1e967a2c3ed6aa8d4f612d85209dbb346217108ea7
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
Sending Access-Challenge Id 106 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01ad03000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c0001470300174104b184fa4f5e15c47e7630f58784864684ffa82c705bcfcb18ad213d6717e9535cc5dcc6c88028ee1297ee239cdc3830363c77b0954d93bdf1cd22bf0811229a6601009edeaa4f60d6d84718ebedf5108c9135b0c0f0165eef4fd3de4bb036a4af81f8cf5348c71d87a43aa9ac9720690827bd408a149644be7c6dd89859fe65160ea309e5678bd60c03484a54436b27221ea45811938bf1cae5698f6e24d8d4ffbcae82da1d82a97978cd7eda7c590e55f7b1acd0146bcb515e719062b65564d8472ad74a5925524a89b978aa60b60c1e967a2c3ed6aa8d4f612d85209dbb346217108ea
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
(4) Finished request
Received Access-Request Id 107 from 10.10.2.164:50046 to 10.10.0.238:1812 length 190
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02ad00110d800000000715030100020100
State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
Message-Authenticator = 0xcf2e8ffdeba30f091aaace4d30d50867
(5) Received Access-Request packet from host 10.10.2.164 port 50046, id=107, length=190
(5) User-Name = 'telsberry'
(5) NAS-IP-Address = 10.10.2.164
(5) NAS-Identifier = '24a43c08fe80'
(5) NAS-Port = 0
(5) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(5) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = 'CONNECT 0Mbps 802.11b'
(5) EAP-Message = 0x02ad00110d800000000715030100020100
(5) State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
(5) Message-Authenticator = 0xcf2e8ffdeba30f091aaace4d30d50867
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (!&User-Name)
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\\./)
(5) if (&User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) ntdomain : Checking for prefix before "\"
(5) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(5) ntdomain : No such realm "NULL"
(5) [ntdomain] = noop
(5) eap : Peer sent code Response (2) ID 173 length 17
(5) eap : No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x38b7b8673c1ab5e6
(5) eap : Finished EAP session with state 0x38b7b8673c1ab5e6
(5) eap : Previous EAP request found for state 0x38b7b8673c1ab5e6, released from the list
(5) eap : Peer sent method TLS (13)
(5) eap : EAP TLS (13)
(5) eap : Calling eap_tls to process EAP data
(5) eap_tls : Authenticate
(5) eap_tls : processing EAP-TLS
TLS Length 7
(5) eap_tls : Length Included
(5) eap_tls : eaptls_verify returned 11
(5) eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(5) ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(5) ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(5) eap_tls : eaptls_process returned 4
(5) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(5) eap : Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject : EXPAND %{User-Name}
(5) attr_filter.access_reject : --> telsberry
(5) attr_filter.access_reject : Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(5) [eap] = noop
(5) remove_reply_message_if_eap remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message)
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else else {
(5) [noop] = noop
(5) } # else else = noop
(5) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1 seconds
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
Received Access-Request Id 108 from 10.10.2.164:50046 to 10.10.0.238:1812 length 169
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b3000e0174656c736265727279
Message-Authenticator = 0xf5f62dd56d143761a4e9a7897c7a981a
(6) Received Access-Request packet from host 10.10.2.164 port 50046, id=108, length=169
(6) User-Name = 'telsberry'
(6) NAS-IP-Address = 10.10.2.164
(6) NAS-Identifier = '24a43c08fe80'
(6) NAS-Port = 0
(6) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(6) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = 'CONNECT 0Mbps 802.11b'
(6) EAP-Message = 0x02b3000e0174656c736265727279
(6) Message-Authenticator = 0xf5f62dd56d143761a4e9a7897c7a981a
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (!&User-Name)
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\\./)
(6) if (&User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) ntdomain : Checking for prefix before "\"
(6) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(6) ntdomain : No such realm "NULL"
(6) [ntdomain] = noop
(6) eap : Peer sent code Response (2) ID 179 length 14
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Peer sent method Identity (1)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : Initiate
(6) eap_peap : Start returned 1
(6) eap : New EAP session, adding 'State' attribute to reply 0x496f1c9349db05d0
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=108, length=0
(6) EAP-Message = 0x01b400061920
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x496f1c9349db05d0cb25530063a54d60
Sending Access-Challenge Id 108 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c9349db05d0cb25530063a54d60
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 109 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b40006030d
State = 0x496f1c9349db05d0cb25530063a54d60
Message-Authenticator = 0x8765dc04efcb9e3eecd759231b4e5766
(7) Received Access-Request packet from host 10.10.2.164 port 50046, id=109, length=179
(7) User-Name = 'telsberry'
(7) NAS-IP-Address = 10.10.2.164
(7) NAS-Identifier = '24a43c08fe80'
(7) NAS-Port = 0
(7) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(7) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = 'CONNECT 0Mbps 802.11b'
(7) EAP-Message = 0x02b40006030d
(7) State = 0x496f1c9349db05d0cb25530063a54d60
(7) Message-Authenticator = 0x8765dc04efcb9e3eecd759231b4e5766
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./)
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) ntdomain : Checking for prefix before "\"
(7) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(7) ntdomain : No such realm "NULL"
(7) [ntdomain] = noop
(7) eap : Peer sent code Response (2) ID 180 length 6
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(7) WARNING: pap : Authentication will fail unless a "known good" password is available
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x496f1c9349db05d0
(7) eap : Finished EAP session with state 0x496f1c9349db05d0
(7) eap : Previous EAP request found for state 0x496f1c9349db05d0, released from the list
(7) eap : Peer sent method NAK (3)
(7) eap : Found mutually acceptable type TLS (13)
(7) eap : Calling eap_tls to process EAP data
(7) eap_tls : Requiring client certificate
(7) eap_tls : Initiate
(7) eap_tls : Requiring client certificate
(7) eap_tls : Start returned 1
(7) eap : New EAP session, adding 'State' attribute to reply 0x496f1c9348da11d0
(7) [eap] = handled
(7) } # authenticate = handled
(7) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=109, length=0
(7) EAP-Message = 0x01b500060d20
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x496f1c9348da11d0cb25530063a54d60
Sending Access-Challenge Id 109 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b500060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c9348da11d0cb25530063a54d60
(7) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 110 from 10.10.2.164:50046 to 10.10.0.238:1812 length 300
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b5007f0d800000007516030100700100006c0301581cbf0d7c0a3ef4383e83be2721cea5e727c278e92dc39373b4a32067950d6700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
State = 0x496f1c9348da11d0cb25530063a54d60
Message-Authenticator = 0x43af2747bf3cf6edd237f2ab70dae62a
(8) Received Access-Request packet from host 10.10.2.164 port 50046, id=110, length=300
(8) User-Name = 'telsberry'
(8) NAS-IP-Address = 10.10.2.164
(8) NAS-Identifier = '24a43c08fe80'
(8) NAS-Port = 0
(8) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(8) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = 'CONNECT 0Mbps 802.11b'
(8) EAP-Message = 0x02b5007f0d800000007516030100700100006c0301581cbf0d7c0a3ef4383e83be2721cea5e727c278e92dc39373b4a32067950d6700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
(8) State = 0x496f1c9348da11d0cb25530063a54d60
(8) Message-Authenticator = 0x43af2747bf3cf6edd237f2ab70dae62a
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (!&User-Name)
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\\./)
(8) if (&User-Name =~ /(a)\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) ntdomain : Checking for prefix before "\"
(8) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(8) ntdomain : No such realm "NULL"
(8) [ntdomain] = noop
(8) eap : Peer sent code Response (2) ID 181 length 127
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0x496f1c9348da11d0
(8) eap : Finished EAP session with state 0x496f1c9348da11d0
(8) eap : Previous EAP request found for state 0x496f1c9348da11d0, released from the list
(8) eap : Peer sent method TLS (13)
(8) eap : EAP TLS (13)
(8) eap : Calling eap_tls to process EAP data
(8) eap_tls : Authenticate
(8) eap_tls : processing EAP-TLS
TLS Length 117
(8) eap_tls : Length Included
(8) eap_tls : eaptls_verify returned 11
(8) eap_tls : (other): before/accept initialization
(8) eap_tls : TLS_accept: before/accept initialization
(8) eap_tls : <<< TLS 1.0 Handshake [length 0070], ClientHello
(8) eap_tls : TLS_accept: SSLv3 read client hello A
(8) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(8) eap_tls : TLS_accept: SSLv3 write server hello A
(8) eap_tls : >>> TLS 1.0 Handshake [length 085c], Certificate
(8) eap_tls : TLS_accept: SSLv3 write certificate A
(8) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(8) eap_tls : TLS_accept: SSLv3 write key exchange A
(8) eap_tls : >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(8) eap_tls : TLS_accept: SSLv3 write certificate request A
(8) eap_tls : TLS_accept: SSLv3 flush data
(8) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(8) eap_tls : eaptls_process returned 13
(8) eap : New EAP session, adding 'State' attribute to reply 0x496f1c934bd911d0
(8) [eap] = handled
(8) } # authenticate = handled
(8) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=110, length=0
(8) EAP-Message = 0x01b603ec0dc000000aba1603010059020000550301581cbf0d57eb94540f06eeb5ca253a8c46ed8a0268ae406f100b51543d43862e205d7bfdb9f03c2696da98fe2978c7284475f07f7a9b886e24124d2f87efffdf0cc01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040b
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x496f1c934bd911d0cb25530063a54d60
Sending Access-Challenge Id 110 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b603ec0dc000000aba1603010059020000550301581cbf0d57eb94540f06eeb5ca253a8c46ed8a0268ae406f100b51543d43862e205d7bfdb9f03c2696da98fe2978c7284475f07f7a9b886e24124d2f87efffdf0cc01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c934bd911d0cb25530063a54d60
(8) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 111 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b600060d00
State = 0x496f1c934bd911d0cb25530063a54d60
Message-Authenticator = 0x145d45b6eaa3bb1fbdfccbd08721ef5a
(9) Received Access-Request packet from host 10.10.2.164 port 50046, id=111, length=179
(9) User-Name = 'telsberry'
(9) NAS-IP-Address = 10.10.2.164
(9) NAS-Identifier = '24a43c08fe80'
(9) NAS-Port = 0
(9) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(9) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = 'CONNECT 0Mbps 802.11b'
(9) EAP-Message = 0x02b600060d00
(9) State = 0x496f1c934bd911d0cb25530063a54d60
(9) Message-Authenticator = 0x145d45b6eaa3bb1fbdfccbd08721ef5a
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (!&User-Name)
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /)
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ )
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ )
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/)
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\\./)
(9) if (&User-Name =~ /(a)\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) ntdomain : Checking for prefix before "\"
(9) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(9) ntdomain : No such realm "NULL"
(9) [ntdomain] = noop
(9) eap : Peer sent code Response (2) ID 182 length 6
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
(9) [expiration] = noop
(9) [logintime] = noop
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0x496f1c934bd911d0
(9) eap : Finished EAP session with state 0x496f1c934bd911d0
(9) eap : Previous EAP request found for state 0x496f1c934bd911d0, released from the list
(9) eap : Peer sent method TLS (13)
(9) eap : EAP TLS (13)
(9) eap : Calling eap_tls to process EAP data
(9) eap_tls : Authenticate
(9) eap_tls : processing EAP-TLS
(9) eap_tls : Received TLS ACK
(9) eap_tls : Received TLS ACK
(9) eap_tls : ACK handshake fragment handler
(9) eap_tls : eaptls_verify returned 1
(9) eap_tls : eaptls_process returned 13
(9) eap : New EAP session, adding 'State' attribute to reply 0x496f1c934ad811d0
(9) [eap] = handled
(9) } # authenticate = handled
(9) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=111, length=0
(9) EAP-Message = 0x01b703ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd82
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x496f1c934ad811d0cb25530063a54d60
Sending Access-Challenge Id 111 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b703ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c934ad811d0cb25530063a54d60
(9) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 112 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b700060d00
State = 0x496f1c934ad811d0cb25530063a54d60
Message-Authenticator = 0xafbed7e2c8772e0c8c2b6969bcee3283
(10) Received Access-Request packet from host 10.10.2.164 port 50046, id=112, length=179
(10) User-Name = 'telsberry'
(10) NAS-IP-Address = 10.10.2.164
(10) NAS-Identifier = '24a43c08fe80'
(10) NAS-Port = 0
(10) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(10) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(10) Framed-MTU = 1400
(10) NAS-Port-Type = Wireless-802.11
(10) Connect-Info = 'CONNECT 0Mbps 802.11b'
(10) EAP-Message = 0x02b700060d00
(10) State = 0x496f1c934ad811d0cb25530063a54d60
(10) Message-Authenticator = 0xafbed7e2c8772e0c8c2b6969bcee3283
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10) authorize {
(10) filter_username filter_username {
(10) if (!&User-Name)
(10) if (!&User-Name) -> FALSE
(10) if (&User-Name =~ / /)
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ )
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\\.\\./ )
(10) if (&User-Name =~ /\\.\\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\\.$/)
(10) if (&User-Name =~ /\\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\\./)
(10) if (&User-Name =~ /(a)\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(10) suffix : No such realm "NULL"
(10) [suffix] = noop
(10) ntdomain : Checking for prefix before "\"
(10) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(10) ntdomain : No such realm "NULL"
(10) [ntdomain] = noop
(10) eap : Peer sent code Response (2) ID 183 length 6
(10) eap : No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap : Expiring EAP session with state 0x496f1c934ad811d0
(10) eap : Finished EAP session with state 0x496f1c934ad811d0
(10) eap : Previous EAP request found for state 0x496f1c934ad811d0, released from the list
(10) eap : Peer sent method TLS (13)
(10) eap : EAP TLS (13)
(10) eap : Calling eap_tls to process EAP data
(10) eap_tls : Authenticate
(10) eap_tls : processing EAP-TLS
(10) eap_tls : Received TLS ACK
(10) eap_tls : Received TLS ACK
(10) eap_tls : ACK handshake fragment handler
(10) eap_tls : eaptls_verify returned 1
(10) eap_tls : eaptls_process returned 13
(10) eap : New EAP session, adding 'State' attribute to reply 0x496f1c934dd711d0
(10) [eap] = handled
(10) } # authenticate = handled
(10) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=112, length=0
(10) EAP-Message = 0x01b803000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c000147030017410477eb6ee541e20125c5bf56e361d9d976353033a965436e6a02c7a30a428f83d53751abadebe6e3e7479a08568b4d5eabef8e9bd8453eafdf1d1d4ed6f4333b2601005ffd822d10df944a4af656d9df0c52e96838cc722aa8856847b1bc815bf9f0db28925b2c4cd290084f31665cf88fdbb01917d8e6e06647a2b32ee3c3cb3dd359b857478a2b4e8cfb703e3b3b4cbb6c8357c42addca951a2dd6df116ef891f2b309fb83b68f47c96076cb8231767904099477fbb17801902b578ccf0b6090572436e9f6a201bd66a7780bc627192f9e82b74353fc158a635c20d9913e3ef512c4b3c5
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x496f1c934dd711d0cb25530063a54d60
Sending Access-Challenge Id 112 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b803000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c000147030017410477eb6ee541e20125c5bf56e361d9d976353033a965436e6a02c7a30a428f83d53751abadebe6e3e7479a08568b4d5eabef8e9bd8453eafdf1d1d4ed6f4333b2601005ffd822d10df944a4af656d9df0c52e96838cc722aa8856847b1bc815bf9f0db28925b2c4cd290084f31665cf88fdbb01917d8e6e06647a2b32ee3c3cb3dd359b857478a2b4e8cfb703e3b3b4cbb6c8357c42addca951a2dd6df116ef891f2b309fb83b68f47c96076cb8231767904099477fbb17801902b578ccf0b6090572436e9f6a201bd66a7780bc627192f9e82b74353fc158a635c20d9913e3ef512c4b3c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c934dd711d0cb25530063a54d60
(10) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 113 from 10.10.2.164:50046 to 10.10.0.238:1812 length 190
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b800110d800000000715030100020100
State = 0x496f1c934dd711d0cb25530063a54d60
Message-Authenticator = 0x876249358ed2813eb58000dda097472f
(11) Received Access-Request packet from host 10.10.2.164 port 50046, id=113, length=190
(11) User-Name = 'telsberry'
(11) NAS-IP-Address = 10.10.2.164
(11) NAS-Identifier = '24a43c08fe80'
(11) NAS-Port = 0
(11) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(11) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(11) Framed-MTU = 1400
(11) NAS-Port-Type = Wireless-802.11
(11) Connect-Info = 'CONNECT 0Mbps 802.11b'
(11) EAP-Message = 0x02b800110d800000000715030100020100
(11) State = 0x496f1c934dd711d0cb25530063a54d60
(11) Message-Authenticator = 0x876249358ed2813eb58000dda097472f
(11) # Executing section authorize from file /etc/raddb/sites-enabled/default
(11) authorize {
(11) filter_username filter_username {
(11) if (!&User-Name)
(11) if (!&User-Name) -> FALSE
(11) if (&User-Name =~ / /)
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@.*@/ )
(11) if (&User-Name =~ /@.*@/ ) -> FALSE
(11) if (&User-Name =~ /\\.\\./ )
(11) if (&User-Name =~ /\\.\\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\\.$/)
(11) if (&User-Name =~ /\\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\\./)
(11) if (&User-Name =~ /(a)\\./) -> FALSE
(11) } # filter_username filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix : Checking for suffix after "@"
(11) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(11) suffix : No such realm "NULL"
(11) [suffix] = noop
(11) ntdomain : Checking for prefix before "\"
(11) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(11) ntdomain : No such realm "NULL"
(11) [ntdomain] = noop
(11) eap : Peer sent code Response (2) ID 184 length 17
(11) eap : No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) [files] = noop
(11) [expiration] = noop
(11) [logintime] = noop
(11) [pap] = noop
(11) } # authorize = updated
(11) Found Auth-Type = EAP
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap : Expiring EAP session with state 0x496f1c934dd711d0
(11) eap : Finished EAP session with state 0x496f1c934dd711d0
(11) eap : Previous EAP request found for state 0x496f1c934dd711d0, released from the list
(11) eap : Peer sent method TLS (13)
(11) eap : EAP TLS (13)
(11) eap : Calling eap_tls to process EAP data
(11) eap_tls : Authenticate
(11) eap_tls : processing EAP-TLS
TLS Length 7
(11) eap_tls : Length Included
(11) eap_tls : eaptls_verify returned 11
(11) eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(11) ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(11) ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(11) eap_tls : eaptls_process returned 4
(11) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(11) eap : Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Post-Auth-Type REJECT {
(11) attr_filter.access_reject : EXPAND %{User-Name}
(11) attr_filter.access_reject : --> telsberry
(11) attr_filter.access_reject : Matched entry DEFAULT at line 11
(11) [attr_filter.access_reject] = updated
(11) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(11) [eap] = noop
(11) remove_reply_message_if_eap remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message)
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else else {
(11) [noop] = noop
(11) } # else else = noop
(11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11) } # Post-Auth-Type REJECT = updated
(11) Delaying response for 1 seconds
Waking up in 0.1 seconds.
(5) Sending delayed response
(5) Sending Access-Reject packet to host 10.10.2.164 port 50046, id=107, length=0
(5) EAP-Message = 0x04ad0004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 107 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x04ad0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.6 seconds.
(11) Sending delayed response
(11) Sending Access-Reject packet to host 10.10.2.164 port 50046, id=113, length=0
(11) EAP-Message = 0x04b80004
(11) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 113 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x04b80004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.8 seconds.
(0) Cleaning up request packet ID 102 with timestamp +10
(1) Cleaning up request packet ID 103 with timestamp +10
(2) Cleaning up request packet ID 104 with timestamp +10
(3) Cleaning up request packet ID 105 with timestamp +10
(4) Cleaning up request packet ID 106 with timestamp +10
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 107 with timestamp +10
Waking up in 0.4 seconds.
(6) Cleaning up request packet ID 108 with timestamp +11
Waking up in 0.1 seconds.
(7) Cleaning up request packet ID 109 with timestamp +11
(8) Cleaning up request packet ID 110 with timestamp +11
(9) Cleaning up request packet ID 111 with timestamp +11
(10) Cleaning up request packet ID 112 with timestamp +11
(11) Cleaning up request packet ID 113 with timestamp +11
Ready to process requests
2
1
RE: EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level
by tj2718@aol.com 04 Nov '16
by tj2718@aol.com 04 Nov '16
04 Nov '16
> On Tue, Oct 25, 2016 at 08:15:11PM -0400, Travis via Freeradius-Users wrote:
> > > I was bitten by that too. Try changing it to:
>
> Personally (and what I do here) I would use the check-eap-tls virtual server
> so you can check the actual contents of the certificate with LDAP, rather than
> relying on the contents of the User-Name attribute. Which a clients could
> easily spoof, but they can't spoof the certificate subject.
Many thanks Matthew! I didn't know there even was a check-eap-tls virtual
server that I could use. Once I created a soft link and configured that I started getting
more of what I was expecting to see.
>
> For plain users, just call "ldap" in the inner tunnel as usual.
> Possibly wrapped around with a if EAP-Type == PEAP so it doesn't get called
> for hosts (check-eap-tls won't get called for PEAP as there is no client
> certificate, so you don't need that the other way around).
>
> But essentially - look at the LDAP lookups that FreeRADIUS is doing, and then
> go update the configuration so it does the right lookups with the data it has
> available.
I had to do some minor tweaks to my sites-enabled\default config with some
if statements:
if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") {
noop
}
elsif (!(&Ldap-Group == "CN=WiFi,OU=RSD Groups,DC=rsdtc,DC=com")) {
reject
}
but now all the tablets with certificates are working along with users in a LDAP-Group.
Thank you to everyone who responded with their insight and guidance.
Now on to my next post regarding iPhones with certificates doing EAP-TLS failing.
Travis
1
0
Hi,
Sometimes I do some networking downtimes and during these periods I'm
getting pretty much stale sessions in radwho output. I understand why it
happens, but all I want to do is to clear them automatically, when user
logs in.
So what I've done is added this line:
*exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
to this part of checkrad code for mikrotik sub.
#lets return something
if ($username_seen > 0) {
return 1;
} else {
exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");
return 0;
}
}
If I understand it right, this code works like:
if there is a username logged in on NAS, then we return 1, which means
error, I guess?
if there are none, we return 0, which is OK I guess? So I just want to
clear (if there any) the stale session for user, if he's not logged in on
NAS, but for some reason has stale session on freeradius server (visible in
radwho)
But.. nothing happens. If I execute the command from the shell, it works..
So as I'm not a programmer, I think, that I must be added this line to the
wrong place of radcheck script. Any help?
--
Best regards,
Roman.
4
13
Is it possible to jump out of a policy.d function, without exiting the
whole request?
For example, suppose I have policy.d/foo which contains
foo {
if (..some complex condition..) {
...
if (..another condition..) {
...
ok
/* I WANT TO RETURN FROM HERE */
}
...
... more logic
...
reject
}
}
At the place given, I want to finish processing the 'foo' policy and
continue.
However if I use "return", it terminates the whole enclosing authorize
section:
authorize {
...
foo
bar # "bar" is not executed if "foo" says "return"
}
I can possibly write the policy I want entirely as carefully written if
... elsif ... elsif ... sections, but it would give me some more options
for writing it clearly if there were a way for the policy to return. I
just haven't been able to work out how to do that.
Thanks,
Brian.
2
1
Hi experts,
I'm running a Radius 3.0.10, the config it's working fine, I just ask for advice to do one step in a faster way.
I've declared multiple LDAP instances "vlan1,vlan2....vlanN" in /etc/raddb/mods-enabled/ldap .
Each one queries just the ldap subtree assigned to a particular vlan.
Each vlan subtree contains it's allowed mac's (uid=mac)
Each mac (uid) has all needed radius attributes for the radius accept packet, that are populated from ldap.
Actually, all ldap instancies are asked for every "uid=mac" in order sequence, so if there's a match, the attributes are updated from the ldap.
Unfortunately , If one "mac" matches two ldap instances (ex: vlan1 & vlan2), the last matched instance(vlan2) overwrites the previous populated attributes(vlan1).
My goal is somehow to stop ldap executing the next instances(vlan2,vlan3...N) if the actual one(vlan 1) got the jackpot, to avoid so many ldap queries.
Right now I'm forced to use a inverse priority ( the last match got the jackpot), that is not the right solution.
Any clues, or advice?
/etc/raddb/sites-available/default
(...)
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
#ldap instance asking for mac in vlan1
vlan1 {
ok = return
#noop = return
}
#ldap instance asking for mac in vlan2
vlan2 {
ok = return
}
(...)
#ldap instance asking for mac in vlanN
vlanN {
ok = return
}
files
expiration
logintime
}
(....)
2
6
Hi,
for a SSID wireless network I'm trying, without success, to proxy EAP-TLS
auth (based on certificate's CN) to specific Windows RADIUS that are
members of two domain on AD.
For example what I want to obtain is that:
- EAP-TLS of client A, member of domain X, is proxied by Freeradius to
RADIUS/AD of that domain
- EAP-TLS of client B, member of domain Y, is proxied by Freeradius to
RADIUS/AD of that domain
- EAP-TLS of client C, member of any domain, is managed by file user
I've obtained a similar setup for EAP-TTLS using this configuration in
inner-tunnel authorize section:
if ("%{Called-Station-Id}" =~ /:SSID_S$/ ) {
if ("%{User-Name}" =~ /(a)domainx.com$/ || "%{User-Name}" =~ /\.
domainx.com$/ || "%{User-Name}" =~ /^DOMAINX\\\\/ ) {
update control {
Proxy-To-Realm := 'AD_DOMAINX'
}
}
}
Is it possible to obtain this setup with EAP-TLS? How?
Thanks
--
Davide Belloni
http://about.me/davidebelloni
http://www.linkedin.com/in/davidebelloni
3
4
Any idea why the + symbol is being transformed in the ldap filter? Should I be using a different syntax for the attribute substitution?
(12813372) Tue Oct 18 10:08:33 2016: Debug: suffix: Checking for suffix after "@"
(12813372) Tue Oct 18 10:08:33 2016: Debug: suffix: Looking up realm "vt.edu" for User-Name = "adp+ipad(a)vt.edu"
(12813372) Tue Oct 18 10:08:33 2016: Debug: suffix: Found realm "~vt.edu$"
(12813372) Tue Oct 18 10:08:33 2016: Debug: suffix: Adding Stripped-User-Name = "adp+ipad"
(12813372) Tue Oct 18 10:08:33 2016: Debug: suffix: Adding Realm = "vt.edu"
(12813372) Tue Oct 18 10:08:33 2016: Debug: suffix: Authentication realm is LOCAL
(12813372) Tue Oct 18 10:08:33 2016: Debug: [suffix] = ok
(12813372) Tue Oct 18 10:08:33 2016: Debug: update control {
(12813372) Tue Oct 18 10:08:33 2016: Debug: } # update control = noop
(12813372) Tue Oct 18 10:08:33 2016: Debug: eap: Peer sent EAP Response (code 2) ID 12 length 74
(12813372) Tue Oct 18 10:08:33 2016: Debug: eap: No EAP Start, assuming it's an on-going EAP conversation
(12813372) Tue Oct 18 10:08:33 2016: Debug: [eap] = updated
(12813372) Tue Oct 18 10:08:33 2016: Debug: [files] = noop
(12813372) Tue Oct 18 10:08:33 2016: Debug: ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(12813372) Tue Oct 18 10:08:33 2016: Debug: ldap: --> (uid=adp\5c2bipad)
(12813372) Tue Oct 18 10:08:33 2016: Debug: ldap: Performing search in "ou=People,ou=NIS,o=vt" with filter "(uid=adp\5c2bipad)", scope "sub"
(12813372) Tue Oct 18 10:08:33 2016: Debug: ldap: Waiting for search result...
(12813372) Tue Oct 18 10:08:33 2016: Debug: ldap: Search returned no results
(12813372) Tue Oct 18 10:08:33 2016: Debug: [ldap] = notfound
<http://aka.ms/weboutlook>
3
9
Hello,
I have a new radius instance running. Unfortunatelly users with MacOS
cannot be authenticated.
It seems like the password does not come through.
Do you have any idea?
/etc/freeradius.testing# freeradius -X -d /etc/freeradius.testing
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu,
built on Oct 24 2014 at 02:05:28
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius.testing/radiusd.conf
including configuration file /etc/freeradius.testing/proxy.conf
including configuration file /etc/freeradius.testing/clients.conf
including configuration file /etc/freeradius.testing/wlan_clients.conf
including files in directory /etc/freeradius.testing/modules/
including configuration file /etc/freeradius.testing/modules/sql_log
including configuration file /etc/freeradius.testing/modules/perl
including configuration file /etc/freeradius.testing/modules/attr_filter
including configuration file /etc/freeradius.testing/modules/echo
including configuration file /etc/freeradius.testing/modules/rediswho
including configuration file /etc/freeradius.testing/modules/digest
including configuration file /etc/freeradius.testing/modules/pap
including configuration file /etc/freeradius.testing/modules/etc_group
including configuration file /etc/freeradius.testing/modules/policy
including configuration file /etc/freeradius.testing/modules/mac2ip
including configuration file /etc/freeradius.testing/modules/logintime
including configuration file /etc/freeradius.testing/modules/cui
including configuration file
/etc/freeradius.testing/modules/dhcp_sqlippool
including configuration file /etc/freeradius.testing/modules/replicate
including configuration file /etc/freeradius.testing/modules/radrelay
including configuration file /etc/freeradius.testing/modules/ldap
including configuration file /etc/freeradius.testing/modules/expr
including configuration file /etc/freeradius.testing/modules/counter
including configuration file /etc/freeradius.testing/modules/ippool
including configuration file
/etc/freeradius.testing/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius.testing/modules/cache
including configuration file /etc/freeradius.testing/modules/inner-eap
including configuration file /etc/freeradius.testing/modules/soh
including configuration file /etc/freeradius.testing/modules/checkval
including configuration file /etc/freeradius.testing/modules/radutmp
including configuration file
/etc/freeradius.testing/modules/dynamic_clients
including configuration file /etc/freeradius.testing/modules/files
including configuration file /etc/freeradius.testing/modules/realm
including configuration file /etc/freeradius.testing/modules/unix
including configuration file /etc/freeradius.testing/modules/detail.log
including configuration file /etc/freeradius.testing/modules/sradutmp
including configuration file /etc/freeradius.testing/modules/mac2vlan
including configuration file /etc/freeradius.testing/modules/passwd
including configuration file /etc/freeradius.testing/modules/acct_unique
including configuration file
/etc/freeradius.testing/modules/detail.example.com
including configuration file /etc/freeradius.testing/modules/linelog
including configuration file /etc/freeradius.testing/modules/mschap
including configuration file /etc/freeradius.testing/modules/expiration
including configuration file /etc/freeradius.testing/modules/chap
including configuration file
/etc/freeradius.testing/modules/opendirectory
including configuration file /etc/freeradius.testing/modules/exec
including configuration file /etc/freeradius.testing/modules/pam
including configuration file /etc/freeradius.testing/modules/smsotp
including configuration file /etc/freeradius.testing/modules/detail
including configuration file /etc/freeradius.testing/modules/krb5
including configuration file
/etc/freeradius.testing/modules/attr_rewrite
including configuration file /etc/freeradius.testing/modules/always
including configuration file /etc/freeradius.testing/modules/redis
including configuration file /etc/freeradius.testing/modules/preprocess
including configuration file /etc/freeradius.testing/eap.conf
including configuration file /etc/freeradius.testing/policy.conf
including files in directory /etc/freeradius.testing/sites-enabled/
including configuration file
/etc/freeradius.testing/sites-enabled/eduroam-inner-tunnel
including configuration file
/etc/freeradius.testing/sites-enabled/eduroam
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius.testing/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius-eduroam"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius-eduroam/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client local {
ipaddr = 192.168.11.50
require_message_authenticator = no
nastype = "other"
}
client 192.168.11.246 {
require_message_authenticator = no
nastype = "other"
virtual_server = "eduroam"
}
client 172.16.1.18 {
require_message_authenticator = no
nastype = "other"
virtual_server = "eduroam"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
nastype = "other"
virtual_server = "eduroam"
}
client 172.16.1.30 {
require_message_authenticator = no
virtual_server = "eduroam"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/etc/freeradius.testing/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/etc/freeradius.testing/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius.testing/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius.testing/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?
modules {
} # modules
} # server
server eduroam-inner-tunnel { # from file
/etc/freeradius.testing/sites-enabled/eduroam-inner-tunnel
modules {
Module: Creating Auth-Type = Perl
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/etc/freeradius.testing/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius.testing/modules/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/etc/freeradius.testing/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 3
CA_path = "/etc/freeradius.testing/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius.testing/certs/server.key"
certificate_file = "/etc/freeradius.testing/certs/server.pem"
CA_file = "/etc/freeradius.testing/certs/ca.pem"
dh_file = "/etc/freeradius.testing/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
ecdh_curve = "prime256v1"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file
/etc/freeradius.testing/modules/perl
perl {
module = "/etc/freeradius.testing/auth.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
"my" variable $index_path masks earlier declaration in same scope at
/etc/freeradius.testing/auth.pl line 254.
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius.testing/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius.testing/huntgroups"
hints = "/etc/freeradius.testing/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius.testing/huntgroups
reading pairlist file /etc/freeradius.testing/hints
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file
/etc/freeradius.testing/modules/detail.log
detail auth_log {
detailfile =
"/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius.testing/modules/files
files {
usersfile = "/etc/freeradius.testing/users"
acctusersfile = "/etc/freeradius.testing/acct_users"
preproxy_usersfile = "/etc/freeradius.testing/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius.testing/users
reading pairlist file /etc/freeradius.testing/acct_users
reading pairlist file /etc/freeradius.testing/preproxy_users
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file
/etc/freeradius.testing/modules/detail
detail {
detailfile =
"/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file
/etc/freeradius.testing/modules/detail.log
detail reply_log {
detailfile =
"/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
} # modules
} # server
server eduroam { # from file
/etc/freeradius.testing/sites-enabled/eduroam
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius.testing/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius.testing/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/etc/freeradius.testing/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius.testing/attrs.pre-proxy
Module: Instantiating module "pre_proxy_log" from file
/etc/freeradius.testing/modules/detail.log
detail pre_proxy_log {
detailfile =
"/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "post_proxy_log" from file
/etc/freeradius.testing/modules/detail.log
detail post_proxy_log {
detailfile =
"/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius.testing/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/etc/freeradius.testing/attrs"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/freeradius.testing/attrs
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1820
}
listen {
type = "acct"
ipaddr = *
port = 1821
}
... adding new socket proxy address * port 40565
Listening on authentication address * port 1820
Listening on accounting address * port 1821
Listening on proxy address * port 1822
Ready to process requests.
With kind regards,
Marlen Caemmerer
--
************************************************
Alice Salomon Hochschule
Computerzentrum
Marlen Caemmerer
Alice-Salomon-Platz 5
12627 Berlin
Email: caemmerer(a)ash-berlin.eu
************************************************
6
17
Can anyone offer some configuration advice?
Our wireless deployment automatically assigns users to any one of around
20 client VLANS. We have a very small number of MAC addresses (currently
2) that for one reason or another need a static IP. We use RADIUS to
make sure they are put on one specific VLAN. This is currently done with
a MySQL table of MAC addresses and the following section in the post auth:
# Return a static vlan for those in the static IP group
if ("%{sql:SELECT COUNT(*) FROM eduroam_static WHERE
mac='%{Calling-Station-Id}'}" != 0) {
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-ID := 641
}
}
While this works quite nicely, I have two concerns. One is the
efficiency overhead. It is performing a SQL lookup on every auth just to
make sure 2 MAC addresses are put in the correct VLAN. The other is that
we do not have a resilient database server, so when that reboots for
patching my FreeRADIUS servers fall over.
Build a better database infrastructure is one solution, but I was
wondering if there is a better way of doing this?
Being such a small dataset, is it possible to maintain an array or list,
then use a function to say something like 'if (%{Calling-Station-Id} is
in list) {.....'?
I could make that if statement a big list of 'this mac or this mac
or...', but it could get messy. I would also like to keep the list of
special MAC addresses in its own file. This would allow us to deploy the
list via puppet.
My googling has not turned up anything like what I want, apart from the
mac2vlan file used by VPMS. Running a VPMS server seems like overkill too.
Any suggestions appreciated.
Yours
Dave Hartburn
4
8