Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
February 2016
- 87 participants
- 129 discussions
No, sorry.
There is no connection problem and radius server get the same connection string as with sqlplus :
rlm_sql (sql): Attempting to connect to database "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.22.97.147)(PORT=1533))(CONNECT_DATA=(SID=MEMAD)))"
rlm_sql (sql): Initialising connection pool
pool {
start = 4
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
If radius server really got no data, how do you want it accepts known users in my authcheck_table and rejects unknown users from my authcheck_table ?
Sql is my only authorization method :
authorize {
filter_username
preprocess
sql
if(ok) {
update control {
Auth-Type := Accept
}
} else {
update control {
Auth-Type := Reject
}
}
expiration
logintime
}
And here is the result in debug mode :
(0) sql: EXPAND SELECT distinct 1,NUM_SERIE,'Cleartext-Password',NUM_SERIE,':=' FROM E_MEMA_TPE WHERE NUM_SERIE = '%{User-Name}'
(0) sql: --> SELECT distinct 1,NUM_SERIE,'Cleartext-Password',NUM_SERIE,':=' FROM E_MEMA_TPE WHERE NUM_SERIE = 'FT10895748'
(0) sql: Executing select query: SELECT distinct 1,NUM_SERIE,'Cleartext-Password',NUM_SERIE,':=' FROM E_MEMA_TPE WHERE NUM_SERIE = 'FT10895748'
(0) sql: ERROR: Error fetching row
(0) sql: ERROR: rlm_sql_oracle: ORA-01403: no data found
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "FT10895748"
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Need 2 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 31 pending slots used
(0) [sql] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # if (ok) = noop
(0) ... skipping else for request 0: Preceding "if" was taken
(0) [expiration] = noop
(0) [logintime] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
Anyway :
- this error appear whatever query I put in authorize_check_query, for example "SELECT 1,'FT10895748','User-Password','FT10895748',':=' FROM DUAL" that returns a fixed row
- even in the case where data is not found (unkown user), it is not normal that radius provokes this Oracle ORA-01403 error since it is not forbidden to retrieve no data from authorize_check_query. It may say "no data found" for information but not produce an error...
Cordialement,
Vincent.
De : Alan Buxey [mailto:A.L.M.Buxey@lboro.ac.uk] Envoyé : jeudi 11 février 2016 23:29 À : FreeRadius users mailing list; Vincent MARCEL Objet : RE: sql: ERROR: rlm_sql_oracle: ORA-01403: no data found
>>Your query doesn't return data from >>the database
>False : here is the query (debug mode) >for an accepted user :
No. Sorry. It's true. Look:
(1) sql: ERROR: Error fetching row
(1) sql: ERROR: rlm_sql_oracle: ORA-01403: no data found
See. Error fetching row and no data found. Ensure your sql config had suitable access user/pass and host has required access
alan
1
0
Hi,
I am trying to authorize a user through a authorize_check_query on Oracle database.
When I test, I get this error on my radius server :
(0) sql: Executing select query: SELECT 1,'FT10895748','User-Password','FT10895748',':=' FROM DUAL
(0) sql: ERROR: Error fetching row
(0) sql: ERROR: rlm_sql_oracle: ORA-01403: no data found
But this can't be true, this query always returns 1 row !
Below is the output of my server in debug mode, starting from database connection, ending to the authorize test :
# Instantiating module "sql" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/sql
rlm_sql (sql): Attempting to connect to database "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.22.97.147)(PORT=1533))(CONNECT_DATA=(SID=MEMAD)))"
rlm_sql (sql): Initialising connection pool
pool {
start = 4
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
# Instantiating module "linelog" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/linelog
# Instantiating module "attr_filter.post-proxy" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/attr_filter
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/attr_filter
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/attr_filter
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/attr_filter/access_reject
[/USR/radiusrec/radius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/USR/radiusrec/radius/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/attr_filter
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/attr_filter
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "logintime" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/logintime
# Instantiating module "IPASS" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/realm
# Instantiating module "cache_eap" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "files" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/files
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/files/authorize
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/files/accounting
reading pairlist file /USR/radiusrec/radius/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "auth_log" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/detail.log
# Instantiating module "reject" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/always
# Instantiating module "pap" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/pap
# Instantiating module "expiration" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/expiration
# Instantiating module "etc_passwd" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "mschap" from file /USR/radiusrec/radius/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /USR/radiusrec/radius/etc/raddb/radiusd.conf
} # server
server default { # from file /USR/radiusrec/radius/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /USR/radiusrec/radius/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1912
limit {
max_connections = 1024
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1912 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 21 from 127.0.0.1:51714 to 127.0.0.1:1912 length 74
(0) User-Name = "FT10895748"
(0) User-Password = "FT10895748"
(0) NAS-IP-Address = 172.22.97.209
(0) NAS-Port = 0
(0) Message-Authenticator = 0x9d34c3f30a9e038d72f149648f828f45
(0) # Executing section authorize from file /USR/radiusrec/radius/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "FT10895748", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_sql (sql): Reserved connection (0)
(0) sql: EXPAND SELECT 1,'FT10895748','User-Password','FT10895748',':=' FROM DUAL
(0) sql: --> SELECT 1,'FT10895748','User-Password','FT10895748',':=' FROM DUAL
(0) sql: Executing select query: SELECT 1,'FT10895748','User-Password','FT10895748',':=' FROM DUAL
(0) sql: ERROR: Error fetching row
(0) sql: ERROR: rlm_sql_oracle: ORA-01403: no data found
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: User-Password := "FT10895748"
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 6 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(0) pap: WARNING: !!! Ignoring control:User-Password. Update your !!!
(0) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(0) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!!
(0) pap: WARNING: !!! User-Password. !!!
(0) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /USR/radiusrec/radius/etc/raddb/sites-enabled/default
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 21 from 127.0.0.1:1912 to 127.0.0.1:51714 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 21 with timestamp +24
Ready to process requests
Any idea of what is wrong ?
Best regards,
Vincent MARCEL
4
7
I'm having some trouble with attribute filtering: we're preparing to
move from router assigned ip addressing to radius pool assignment. For
initial testing, I thought I'd just add a Pool-Name to the user check
items for a few test accounts. That doesn't work because the
Framed-IP-Address that tells the router to do the assignment is added in
the group reply items, which prevents sqlippool from doing an
assignment. It's probably possible to do a convoluted sql statement in
the group lookup, but that would be...convoluted. Our solution was to
just create separate groups for these cases, but I would like to figure
out how to do overrides like this.
What I looked for was an operator to remove an attribute, but that
doesn't seem to exist - you can only add them.
I noticed the attr_filter module, and tried that with:
mods-config/attr_filter/framed_ip_address:
if (&control:Pool-Nmae && &control:Pool-Name != "") {
Framed-IP-Address !* ANY
}
If I read that module right, it filters out anything that doesn't match
the given patterns, but that doesn't seem to do anything:
(2) Thu Feb 11 12:16:27 2016: Debug: attr_filter.framed_ip_address:
EXPAND %{Framed-IP-Address}
(2) Thu Feb 11 12:16:27 2016: Debug: attr_filter.framed_ip_address: -->
(2) Thu Feb 11 12:16:27 2016: Debug: [attr_filter.framed_ip_address]
= noop
was the debug output in all cases and Framed-IP-Address was left alone.
The only thing that did work was putting this in a perl module:
sub post_auth {
if (defined($RAD_CHECK{'Pool-Name'})) {
delete $RAD_REPLY{'Framed-IP-Address'};
}
return RLM_MODULE_OK;
}
but using perl seems heavy-handed for a simple task like this, so I'm
wondering what the "approved" mechanism for deleting an attribute is?
Thanks...
2
2
According to http://wiki.freeradius.org/config/Operators :
= Attribute = Value Not allowed as a check item for RADIUS protocol
attributes. It is allowed for server configuration attributes
(Auth-Type, etc), and sets the value of on attribute, only if there is
no other item of the same attribute.
It specifically says Auth-Type (which does seem to be working), and
Pool-Name is another control attribute:
mysql> select * from radgroupcheck where groupname = 'test_pool';
+----+-----------+-----------+----+-----------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-----------+
| 41 | TEST_POOL | Auth-Type | = | PAP |
| 42 | TEST_POOL | Pool-Name | = | test_pool |
+----+-----------+-----------+----+-----------+
2 rows in set (0.00 sec)
however with things set this way (I have a perl module defined to dump
the various lists for debugging), Pool-Name does not get set:
> (0) Wed Feb 10 15:47:11 2016: Debug: # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/peak
> (0) Wed Feb 10 15:47:11 2016: Debug: post-auth {
> (0) Wed Feb 10 15:47:11 2016: Debug: update {
> (0) Wed Feb 10 15:47:11 2016: Debug: No attributes updated
> (0) Wed Feb 10 15:47:11 2016: Debug: } # update = noop
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: EXPAND .query
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: --> .query
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: Using query template 'query'
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: EXPAND %{User-Name}
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: --> radtest-pool
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: SQL-User-Name set to 'radtest-pool'
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{Cleartext-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radtest-pool', '', 'Access-Accept', '2016-02-10 15:47:11')
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radtest-pool', '', 'Access-Accept', '2016-02-10 15:47:11')
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: SQL query returned: success
> (0) Wed Feb 10 15:47:11 2016: Debug: sql: 1 record(s) updated
> (0) Wed Feb 10 15:47:11 2016: Debug: [sql] = ok
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'radtest-pool'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '69.59.217.117'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '15762707'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'Framed-Protocol'} = &request:Framed-Protocol -> 'PPP'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '12:34:56:78:90:03'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'plo-cr1'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Feb 10 2016 15:47:11 PST'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'ether3.1900'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'PAP'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> 'password'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'PAP'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: $RAD_CONFIG{'Cleartext-Password'} = &control:Cleartext-Password -> 'password'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '12:34:56:78:90:03'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:Framed-Protocol = $RAD_REQUEST{'Framed-Protocol'} -> 'PPP'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'radtest-pool'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Feb 10 2016 15:47:11 PST'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'plo-cr1'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '69.59.217.117'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '15762707'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'ether3.1900'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &control:Cleartext-Password = $RAD_CHECK{'Cleartext-Password'} -> 'password'
> (0) Wed Feb 10 15:47:11 2016: Debug: perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'PAP'
> (0) Wed Feb 10 15:47:11 2016: Debug: [perl] = ok
> (0) Wed Feb 10 15:47:11 2016: Debug: sqlippool: No Pool-Name defined
> (0) Wed Feb 10 15:47:11 2016: Debug: sqlippool: EXPAND No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})
> (0) Wed Feb 10 15:47:11 2016: Debug: sqlippool: --> No Pool-Name defined (did cli 12:34:56:78:90:03 port 15762707 user radtest-pool)
> (0) Wed Feb 10 15:47:11 2016: Debug: [sqlippool] = noop
> (0) Wed Feb 10 15:47:11 2016: Debug: } # post-auth = ok
If I change the operator to ":=" (the "set it dammit no matter what"
operator), it does the right thing:
mysql> select * from radgroupcheck where groupname = 'test_pool';
+----+-----------+-----------+----+-----------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-----------+
| 41 | TEST_POOL | Auth-Type | := | PAP |
| 42 | TEST_POOL | Pool-Name | := | test_pool |
+----+-----------+-----------+----+-----------+
2 rows in set (0.00 sec)
> (0) Wed Feb 10 16:13:29 2016: Debug: post-auth {
> (0) Wed Feb 10 16:13:29 2016: Debug: update {
> (0) Wed Feb 10 16:13:29 2016: Debug: No attributes updated
> (0) Wed Feb 10 16:13:29 2016: Debug: } # update = noop
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: EXPAND .query
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: --> .query
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: Using query template 'query'
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: EXPAND %{User-Name}
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: --> radtest-pool
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: SQL-User-Name set to 'radtest-pool'
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{Cleartext-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radtest-pool', '', 'Access-Accept', '2016-02-10 16:13:29')
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'radtest-pool', '', 'Access-Accept', '2016-02-10 16:13:29')
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: SQL query returned: success
> (0) Wed Feb 10 16:13:29 2016: Debug: sql: 1 record(s) updated
> (0) Wed Feb 10 16:13:29 2016: Debug: [sql] = ok
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'radtest-pool'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'password'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '69.59.217.117'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '15762707'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'Framed-Protocol'} = &request:Framed-Protocol -> 'PPP'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '12:34:56:78:90:03'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'plo-cr1'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Feb 10 2016 16:13:29 PST'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'ether3.1900'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REPLY{'Service-Type'} = &reply:Service-Type -> 'Framed-User'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REPLY{'Framed-Protocol'} = &reply:Framed-Protocol -> 'PPP'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REPLY{'Framed-IP-Netmask'} = &reply:Framed-IP-Netmask -> '255.255.255.255'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REPLY{'Framed-MTU'} = &reply:Framed-MTU -> '1500'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REPLY{'Framed-Compression'} = &reply:Framed-Compression -> 'None'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_REPLY{'Mikrotik-Rate-Limit'} = &reply:Mikrotik-Rate-Limit -> '20M/10M'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'PAP'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_CHECK{'Pool-Name'} = &control:Pool-Name -> 'test_pool'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> 'password'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'PAP'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_CONFIG{'Pool-Name'} = &control:Pool-Name -> 'test_pool'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: $RAD_CONFIG{'Cleartext-Password'} = &control:Cleartext-Password -> 'password'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '12:34:56:78:90:03'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:Framed-Protocol = $RAD_REQUEST{'Framed-Protocol'} -> 'PPP'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'radtest-pool'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Feb 10 2016 16:13:29 PST'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'plo-cr1'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '69.59.217.117'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '15762707'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'ether3.1900'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &reply:Framed-Protocol = $RAD_REPLY{'Framed-Protocol'} -> 'PPP'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &reply:Service-Type = $RAD_REPLY{'Service-Type'} -> 'Framed-User'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &reply:Mikrotik-Rate-Limit = $RAD_REPLY{'Mikrotik-Rate-Limit'} -> '20M/10M'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &reply:Framed-Compression = $RAD_REPLY{'Framed-Compression'} -> 'None'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &reply:Framed-IP-Netmask = $RAD_REPLY{'Framed-IP-Netmask'} -> '255.255.255.255'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &reply:Framed-MTU = $RAD_REPLY{'Framed-MTU'} -> '1500'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &control:Cleartext-Password = $RAD_CHECK{'Cleartext-Password'} -> 'password'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'PAP'
> (0) Wed Feb 10 16:13:29 2016: Debug: perl: &control:Pool-Name = $RAD_CHECK{'Pool-Name'} -> 'test_pool'
> (0) Wed Feb 10 16:13:29 2016: Debug: [perl] = ok
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND %{User-Name}
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> radtest-pool
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: SQL-User-Name set to 'radtest-pool'
> (0) Wed Feb 10 16:13:29 2016: ERROR: sqlippool: Clear stale connections
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND START TRANSACTION
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> START TRANSACTION
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: Executing query: START TRANSACTION
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND COMMIT
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> COMMIT
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: Executing query: COMMIT
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND START TRANSACTION
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> START TRANSACTION
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: Executing query: START TRANSACTION
> (0) Wed Feb 10 16:13:29 2016: ERROR: sqlippool: allocate_find
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < NOW() OR expiry_time IS NULL or expiry_time = 0) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> SELECT framedipaddress FROM radippool WHERE pool_name = 'test_pool' AND (expiry_time < NOW() OR expiry_time IS NULL or expiry_time = 0) ORDER BY (username <> 'radtest-pool'), (callingstationid <> '12:34:56:78:90:03'), expiry_time LIMIT 1 FOR UPDATE
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: Executing select query: SELECT framedipaddress FROM radippool WHERE pool_name = 'test_pool' AND (expiry_time < NOW() OR expiry_time IS NULL or expiry_time = 0) ORDER BY (username <> 'radtest-pool'), (callingstationid <> '12:34:56:78:90:03'), expiry_time LIMIT 1 FOR UPDATE
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: Allocated IP 10.98.0.4
> (0) Wed Feb 10 16:13:29 2016: ERROR: sqlippool: allocate_update
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{Calling-Station-Id}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.98.0.4'
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> UPDATE radippool SET nasipaddress = '69.59.217.117', pool_key = '12:34:56:78:90:03', callingstationid = '12:34:56:78:90:03', username = 'radtest-pool', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.98.0.4'
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: Executing query: UPDATE radippool SET nasipaddress = '69.59.217.117', pool_key = '12:34:56:78:90:03', callingstationid = '12:34:56:78:90:03', username = 'radtest-pool', expiry_time = NOW() + INTERVAL 3600 SECOND WHERE framedipaddress = '10.98.0.4'
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND COMMIT
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> COMMIT
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: Executing query: COMMIT
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: EXPAND Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})
> (0) Wed Feb 10 16:13:29 2016: Debug: sqlippool: --> Allocated IP: 10.98.0.4 from test_pool (did cli 12:34:56:78:90:03 port 15762707 user radtest-pool)
> (0) Wed Feb 10 16:13:29 2016: Debug: [sqlippool] = ok
> (0) Wed Feb 10 16:13:29 2016: Debug: } # post-auth = ok
2
2
We are running FreeRADIUS Version 3.0.11 with rlm_python. We followed all
instructions installing the module. python is in the config and the module
is configured to call the script. We just want all requests to pass to the
python script for approval.
The test user bob works fine with his password. Any other user fails as if
the python module is not being called. How can I get it to call the module
for all users? Any tips on debugging this?
It worked four years ago but I had help with the configuration then and do
not have access to the old configuration. I am desperate as I need this
working tomorrow. I will be eternally greatfull for any assistance.
The example.py should pass everyone I think.
#! /usr/bin/env python
#
# Python module example file
# Miguel A.L. Paraz <mparaz(a)mparaz.com>
#
# $Id: dd5b0b88243ea2919634d1ae519f5825f0560c93 $
import radiusd
def instantiate(p):
print "*** instantiate ***"
print p
def authorize(p):
print "*** authorize ***"
print
radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
print
print p
return radiusd.RLM_MODULE_OK
def preacct(p):
print "*** preacct ***"
print p
return radiusd.RLM_MODULE_OK
def accounting(p):
print "*** accounting ***"
radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***')
print
print p
return radiusd.RLM_MODULE_OK
def pre_proxy(p):
print "*** pre_proxy ***"
print p
return radiusd.RLM_MODULE_OK
def post_proxy(p):
print "*** post_proxy ***"
print p
return radiusd.RLM_MODULE_OK
def post_auth(p):
print "*** post_auth ***"
print p
return radiusd.RLM_MODULE_OK
def recv_coa(p):
print "*** recv_coa ***"
print p
return radiusd.RLM_MODULE_OK
def send_coa(p):
print "*** send_coa ***"
print p
return radiusd.RLM_MODULE_OK
def detach():
print "*** goodbye from example.py ***"
return radiusd.RLM_MODULE_OK
Sent Access-Request Id 200 from 0.0.0.0:44895 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "hello"
NAS-IP-Address = 10.34.1.18
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "hello"
Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
Reply-Message = "Hello, bob"
root@abs-radius1-san3-qa:/usr/local/etc/raddb# radtest -x jim hello
127.0.0.1 0 testing123
Sent Access-Request Id 91 from 0.0.0.0:34005 to 127.0.0.1:1812 length 73
User-Name = "jim"
User-Password = "hello"
NAS-IP-Address = 10.34.1.18
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "hello"
Received Access-Reject Id 91 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
server log
(1) Received Access-Request Id 91 from 127.0.0.1:34005 to 127.0.0.1:1812
length 73
(1) User-Name = "jim"
(1) User-Password = "hello"
(1) NAS-IP-Address = 10.34.1.18
(1) NAS-Port = 0
(1) Message-Authenticator = 0xb4ac20cbafab1dcf538ee25e1c505725
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
*** authorize ***
*** radlog call in authorize ***
(('User-Name', '"jim"'), ('User-Password', '"hello"'), ('NAS-IP-Address',
'10.34.1.18'), ('NAS-Port', '0'), ('Message-Authenticator',
'0xb4ac20cbafab1dcf538ee25e1c505725'), ('Event-Timestamp', '"Feb 10 2016
00:21:12 UTC"'))
(1) [python] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "jim", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password
is available
(1) [pap] = noop
(1) } # authorize = ok
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> jim
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 91 from 127.0.0.1:1812 to 127.0.0.1:34005 length
20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 91 with timestamp +61
Ready to process requests
Thanks in advance,
Jim
6
19
Hi,
this here is shown on startup:
"raddb/clients/staff[232]: The item 'staff_type' is defined, but is
unused by the configuration"
But it's not correct... yes, I set a custom attribute staff_type inside
a client {} there, but I *do* use it in configuration, in statements
like this:
update request {
&RESTENA-Service-Type = "Staff-%{client:staff_type}"
}
or:
if ( "%{client:staff_type}" == "Nagios-Login" [...]
Could the warnings be made more clever? It is sure useful to be warned
about unused things for cleanup of configs, but only if the things are
*really* unused.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
4
3
ِDear Members,
We need a AAA platform based on Freeradius, like Daloradius but not using
for internet traffic. We have a SMS GW and AAA platform(based on web
services) that supports sending two-way SMS from web. We want to upgrade
our system with freeradius to provide different rating and discount plans
for our customers.I mean a platform to calculate the number of bulk SMS or
SMS-packages that we sell to our costumers that are service providers. I
would appreciate any suggestion about this issue.
Please feel free to contact me.
Best regards
Elnaz
1
0
Hi,
We are using java BASE64Encoder to encrypt passwords. Which attribute I
have to give in the radcheck table for this?
I have tried MD5-Password. But it gives the following log
Tue Feb 9 18:19:50 2016 : Info: [pap] login attempt with password
"password"
Tue Feb 9 18:19:50 2016 : Info: [pap] Using MD5 encryption.
Tue Feb 9 18:19:50 2016 : Info: [pap] Configured MD5 password has
incorrect length
Tue Feb 9 18:19:50 2016 : Info: [pap] Passwords don't match
Please advice.
--
Randeep
Mob: +919447831699[kerala]
Mob: +919880050349[B'lore]
http://twitter.com/Randeeppr
http://in.linkedin.com/in/randeeppr
[image: --]
Randeep Raman
[image: http://]about.me/Randeeppr
<http://about.me/Randeeppr>
3
5
freeRADIUS 3.0.4, NetworkManager 1.0.6-27.el7, and wpa_supplicant v2.0 client side cert issues?
by John Teasley 10 Feb '16
by John Teasley 10 Feb '16
10 Feb '16
Hello,
I wanted to post what I had to do in order to get NetworkManager EAP-TLS
connections to work. I am hoping that someone can tell me if I am wrong or,
if the issue is NetworkManager.
1. eapol_test works fine.
2. Direct wpa_supplicant config works fine.
3. Unless importing the radiusd CA into the client, a unknown CA error is
thrown. Now, I dont like the idea of doing the below; however, it was the
only way on fc22 with the versions stated above to get connected via
NetworkManager.
AS root :
> cp /home/user/CERTS/radius_ca.pem /etc/pki/ca-trust/source/anchors/
>update-ca-trust
5. Connections to EAP-TLS via NetworkManager now work.
6. PROBLEM, I don't want a private CA set globally. A vpn connection does
not do this when using
private CA. Also, wpa_supplicant works with out the CA being imported
into the global store.
7. I REALLY DONT LIKE THE SELF SIGNED / PRIVATE CA GLOBALLY.
Does anyone see any obvious mistakes in what a described above?
Ollie Teasley
Linux Administrator
ISMELL.SHOES, LLC
4
7
I'm new to freeradius. I have a simple setup on ubuntu 14.04. I don't
have SQL and simply have a user configured in the users file. The user is
me - dougberman. I also have a ubiquiti access point which I've configured
as a client to the radius server. What's frustrating is sometimes I'm able
to use 802.1x EAP/PEAP just fine on my MAC and other times, it fails. I've
looked through the radius debug and I can't find anything that stands out
that calls my attention. Snipits for the file "users" and "clients.conf"
and the debug is below. Any help would be greatly appreciated.
users:
dougberman Cleartext-Password := "foo123"
clients.conf
client 192.168.1.29 {
secret = network
shortname = routergw
nastype = other
}
Please let me know if you have any additional questions.
doug@db-dell:~$ sudo freeradius -X
[sudo] password for doug:
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26
2015 at 14:47:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/passwd
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.1.29 {
require_message_authenticator = no
secret = "network"
shortname = "routergw"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 51461
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=93,
length=182
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0286000f01646f75676265726d616e
Message-Authenticator = 0x1b7db57089969456fcff7f264214ac71
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 134 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry dougberman at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 93 to 192.168.1.29 port 56313
EAP-Message = 0x018700160410a6e7f7cc1f9ae919f16aac7710972bd9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b925ac86dd5e2158f0b41dda7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=94,
length=193
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x028700080319152b
State = 0x92ddcc5b925ac86dd5e2158f0b41dda7
Message-Authenticator = 0x3d6957c95c9c9ba03aa0574e37d2019c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 135 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry dougberman at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 94 to 192.168.1.29 port 56313
EAP-Message = 0x018800061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9355d56dd5e2158f0b41dda7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=95,
length=316
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x02880083198000000079160301007401000070030156ba68815990fdf76fe5ebc053ed7757fbde10eeeedd069c792855e3fc6abc2f00002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
State = 0x92ddcc5b9355d56dd5e2158f0b41dda7
Message-Authenticator = 0x40f21a53503b308c46cb0d395acff087
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 136 length 131
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 121
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0074], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 02c2], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 95 to 192.168.1.29 port 56313
EAP-Message =
0x0189040019c00000045e16030100390200003503013ebf7047410d7a1859b5bbbf2a9d9888ce6e37c03ba9f1614c3bb95e24f1484d00c01400000dff01000100000b00040300010216030102c20b0002be0002bb0002b8308202b43082019ca003020102020900b793aee3ac33bc49300d06092a864886f70d01010b050030123110300e0603550403130764622d64656c6c301e170d3136303230323136353033355a170d3236303133303136353033355a30123110300e0603550403130764622d64656c6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100a3869b5f162e1e131968dc8d564b1d234e592c42f841
EAP-Message =
0xa1241e96afe0db33d6d261b72bc407b2644f64812dba426bbbb6b3231f94a6cddbd263def9ce4e1a43f2a6c264cb9d1b3b4d9f2eace7afc4c2cf1e4c55e307e888b87e55003c404005a0c1a8b58fb034a59d7588206f9b280f5b0174dd53b9d5b8f8227936f640d73af94d8bf255316ba21199b9a01a45b33639cfa1c1f5145fc139819c84376523c6959ae1d6eccad8aa74a7fef8550fca94758e9f6e1a822b93439edcc4655baef7d39725f7378a4d8456581a45628523a8310467e66fb7cde362cabb555c9ef8807421e87adf51b3fb850ee59e23dc0d15fa956ed25af53b6bd8a3b703c431601aad0203010001a30d300b30090603551d13040230
EAP-Message =
0x00300d06092a864886f70d01010b050003820101006dbcd92c80fb31226b1e11ba78acdbfe58ef27a40611e499d4e6bbe5b1bda08cadd47e713fa241ca04627c7b7e4d47704f57af194b910b99d72202d070e26e1cb36107b6d92615758f8c0202fb8a77c92e3654299280c99f26c4dc0216849ffce1062fe9a346d91a04489642f9172d6fcb10bae6f2616bccebb43a00e72d3dbbd519cd0c0a4028eb7a316be8a2777459784bdc6085c3ca16aa635c04e0af7f73060016ce702081b5633f2d3204f0c3ddc35afb0159d6658ac5446a970fa89a090983e361df96e61d39550455483d1514b861ec58e826e508944aea60afb69463aabcce9787295042
EAP-Message =
0xd8b7e3f8a0d0318c55eee88732d1368ef2e6bc69c6ce6351160301014b0c00014703001741040884dfbcda7aeb9916409f3bec34b77584692af6d8d300907b4b79520e0bc4f8c97ad01ceea451d317bc57f48c22cb559c9aa94ddb890830c7355b5dd52dcb9b01002e7f7507025b5ab68f95c1f13cb6a007148404af7c5b9ead6cf1ef3548ebc99f69cd53b61590fbfd42f89369a909680c394c5a40bf756975d1f6d653190435dc34dee4b29704293006d600fb7c67015129e05deab4796a06100aea38c739152b9b8c5dabf734ce8f474cdeabfe63e42032f0ac74fbe2d8a09c17ad55b14b7cd2d9ed043ee42f26ae7e5b28fb5869e6d576ddb54d94
EAP-Message = 0x2260d3c985a4fbc2debb2686
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9054d56dd5e2158f0b41dda7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=96,
length=191
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x028900061900
State = 0x92ddcc5b9054d56dd5e2158f0b41dda7
Message-Authenticator = 0x27b924da3c4bc62298b84cf45ee60d4d
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 137 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 96 to 192.168.1.29 port 56313
EAP-Message =
0x018a006e1900d0186aabc9c735e04049ca34da2fa6662cc526354aced54cb41bf031aad5d36a846a299ab806fd96afabaa98d38cb74d2e6a91d979835114259e01d9ec687b5baec3220193694db1cdab30bf92501b4d349ad8a1310d81abf63b3b4b1857c016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9157d56dd5e2158f0b41dda7
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=97,
length=329
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x028a00901980000000861603010046100000424104ed317958262830a28c7e9283edbaf1f7c7439d456d2c06cb00a5e5301e69df241e3fa5282eec3182f7e1c1e962b2f0ac489e5828674581cedf4c07ed5ac68995140301000101160301003076d6347b1cbf07357530ccbb54e9b4c471868ff69a5139386b13eb2eb9dcb07eea053e1cfb0b7fbb62bfcebf33a9a72d
State = 0x92ddcc5b9157d56dd5e2158f0b41dda7
Message-Authenticator = 0xccec4c85154a5cfbc7b753f7d4f6f5c4
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 138 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.1.29 port 56313
EAP-Message =
0x018b00411900140301000101160301003051771428cfdf26c2c47df977b644bbc43c768bfd7c7edeea3e42b9c3befb5e8ad128a499452858b8052b39a413b6e959
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9656d56dd5e2158f0b41dda7
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=98,
length=191
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x028b00061900
State = 0x92ddcc5b9656d56dd5e2158f0b41dda7
Message-Authenticator = 0x11d4a4db9060a2cdfc52cb51bd1d7a9c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 139 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 98 to 192.168.1.29 port 56313
EAP-Message =
0x018c002b19001703010020a923eee39f2cc0b51d1cf16ffa14f000d5698841775ce1d5c2bc8a4f9fbc2885
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9751d56dd5e2158f0b41dda7
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=99,
length=228
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x028c002b19001703010020cb258867342bee4a0d40637b5f7b1ecb8816b573d24a41522e0a1cfd83d6d36b
State = 0x92ddcc5b9751d56dd5e2158f0b41dda7
Message-Authenticator = 0xa819497f034aff31cd5bc5f7a2c4dba5
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 140 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - dougberman
[peap] Got inner identity 'dougberman'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x028c000f01646f75676265726d616e
server {
[peap] Setting User-Name to dougberman
Sending tunneled request
EAP-Message = 0x028c000f01646f75676265726d616e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dougberman"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 140 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry dougberman at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x018d00241a018d001f10cf006efe556c46c968d25f3f74e42c4c646f75676265726d616e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d67d9ca5deac34260158bcb9468438e
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x018d00241a018d001f10cf006efe556c46c968d25f3f74e42c4c646f75676265726d616e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d67d9ca5deac34260158bcb9468438e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 99 to 192.168.1.29 port 56313
EAP-Message =
0x018d004b190017030100403e35c354c1073da27a14fa74c477928588301022d6aa6729b79c2c51db2b89c586ccf0c9150c592bfb9baf3193a83b1ffcb36c7c5ba5cc229517777d3f55aaea
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9450d56dd5e2158f0b41dda7
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=100,
length=292
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x028d006b19001703010060b70fa486d6bf4f875fa9d7a8eff48b27b87641cb505b84508bee2669019dbbd0922ac4bc2d51e1328401f694e79d98cdf6281c38477138810e2746ab8b4329ded060d04b7629f3cb6f6e9457e4b58aac2428f9bccd602dd3530269fd6b03f42a
State = 0x92ddcc5b9450d56dd5e2158f0b41dda7
Message-Authenticator = 0xdc449b545b1129a38bfcb7608bae4c17
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 141 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x028d00451a028d00403146434a04998e36ab37fc7799f66fb3bd000000000000000066b96f66e2fd852a854bdf7c7f3b83c5d01a4429eded44eb00646f75676265726d616e
server {
[peap] Setting User-Name to dougberman
Sending tunneled request
EAP-Message =
0x028d00451a028d00403146434a04998e36ab37fc7799f66fb3bd000000000000000066b96f66e2fd852a854bdf7c7f3b83c5d01a4429eded44eb00646f75676265726d616e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dougberman"
State = 0x5d67d9ca5deac34260158bcb9468438e
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 141 length 69
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry dougberman at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: dougberman
[mschap] Told to do MS-CHAPv2 for dougberman with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x018e00331a038d002e533d45333641323545464241433739303646333430343941463330393332363636384445374332443933
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d67d9ca5ce9c34260158bcb9468438e
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x018e00331a038d002e533d45333641323545464241433739303646333430343941463330393332363636384445374332443933
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d67d9ca5ce9c34260158bcb9468438e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 100 to 192.168.1.29 port 56313
EAP-Message =
0x018e005b1900170301005030ee1789504ddef9c1333bbbc515a4784b2406050e883f87944bfd86e9914bc042b515b70f6cffecc16ae6e5fa393b8aeafc75a806b671e879445bf989d593d173e0fdb136426e1b31adc231b40ddb5d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9553d56dd5e2158f0b41dda7
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=101,
length=228
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x028e002b190017030100201be8fd3e17dc6f89b2d40e30b05f30f1f77d27a450388d2c1198ef568e1d8505
State = 0x92ddcc5b9553d56dd5e2158f0b41dda7
Message-Authenticator = 0x46a8247ff6dca44292a4bd7086ebef15
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 142 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x028e00061a03
server {
[peap] Setting User-Name to dougberman
Sending tunneled request
EAP-Message = 0x028e00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dougberman"
State = 0x5d67d9ca5ce9c34260158bcb9468438e
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 142 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry dougberman at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [dougberman/<via Auth-Type = EAP>] (from client routergw port 0
via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xab8f333e7b1793f215315676d210a3f5
MS-MPPE-Recv-Key = 0xacc1ef31ff24cb71cf9aaf469356983b
EAP-Message = 0x038e0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "dougberman"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xab8f333e7b1793f215315676d210a3f5
MS-MPPE-Recv-Key = 0xacc1ef31ff24cb71cf9aaf469356983b
EAP-Message = 0x038e0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "dougberman"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 101 to 192.168.1.29 port 56313
EAP-Message =
0x018f002b19001703010020ab867b4420a3e8381d1fb52ab0437b2b5e0d6ecafe8b94ff523ab58c67518e61
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92ddcc5b9a52d56dd5e2158f0b41dda7
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.29 port 56313, id=102,
length=228
User-Name = "dougberman"
NAS-IP-Address = 192.168.1.29
NAS-Identifier = "0418d69afea9"
NAS-Port = 0
Called-Station-Id = "0E-18-D6-9B-FE-A9:labouche-secure"
Calling-Station-Id = "AC-BC-32-86-B0-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x028f002b1900170301002098ec17e74b4b916aacfd9f48e67e31dbc65f7338ad6075a4925b3a6f08651023
State = 0x92ddcc5b9a52d56dd5e2158f0b41dda7
Message-Authenticator = 0xd8837e97e73a64990b77c80afc0e216b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dougberman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 143 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [dougberman/<via Auth-Type = EAP>] (from client routergw port 0
cli AC-BC-32-86-B0-73)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 102 to 192.168.1.29 port 56313
MS-MPPE-Recv-Key =
0xda5ed9ef3092b9a8fb76b36b44aa72c53d6b80932c372a17f6019f83ceb9119e
MS-MPPE-Send-Key =
0x67917a24c63ab8ed67f9308f77f21b44fff8686a1ccb03f22baf8b29acb9b2cc
EAP-Message = 0x038f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "dougberman"
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 93 with timestamp +9
Cleaning up request 1 ID 94 with timestamp +9
Cleaning up request 2 ID 95 with timestamp +9
Cleaning up request 3 ID 96 with timestamp +9
Waking up in 0.1 seconds.
Cleaning up request 4 ID 97 with timestamp +9
Cleaning up request 5 ID 98 with timestamp +9
Cleaning up request 6 ID 99 with timestamp +9
Cleaning up request 7 ID 100 with timestamp +9
Cleaning up request 8 ID 101 with timestamp +9
Cleaning up request 9 ID 102 with timestamp +9
Ready to process requests.
3
4