Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2016
- 80 participants
- 118 discussions
Re: understanding the process of setting up eap-tls server/client certs
by Michael Martinez 20 Mar '16
by Michael Martinez 20 Mar '16
20 Mar '16
I got this working. I'll share what I did, maybe it will help someone
else down the line.
First thing I did is refresh myself on how digital certificates and
public key infrastructure works (asymmetric public/private keys). It
had been a long time since I had worked with any of it, but for radius
you need more than just "what is a basic private/public key pair." You
need to know what the certificates do and what they contain.
Next I ran the make ca.pem, make server.pem, make client.pem commands
found in the freeradius certs folder and I looked at the openssl
commands that these ran. Each make runs several openssl commands and
you need to understand what each of these is doing.
Next is to edit the ca.cnf, server.cnf and client.cnf files. A note
about the password fields in these files:
*for ca.cnf, the "output password" is used to encrypt the ca.key
private key that gets created
* for server.cnf, the "output password" is first used to encrypt the
server.key private key that gets created. It is also subsequently used
to encrypt the outputted private key when the p12 (pkcs12) file is
created, but this step does not create any new private keys, so it is
ignored at that point. the "input password" is used during the p12
creation to decrypt server.key, so therefore it needs to have the same
value as output password.
so: "input password" must equal "output password"
* for client.cnf, same thing. output password is used to encrypt
client.key, then later it is used as "input password" to decrypt it to
create the p12 file, so:
"input password" must equal "output password" here too.
For sanity checks, after you have run the three make commands, you can
look at passwords.mk file. And of course you should use a different
password for each of these three things.
After this, you can go into the etc/raddb/certs directory that is used
by freeradius, and you can nuke everything in there and then populate
it with four new files: dh, ca.pem, server.key and server.pem. Then go
into mods-enabled/eap and set the following:
private_key_password: this is the password for "server.key"
private_key_file: the server.key file
certificate file: server.pem
ca_file: ca.pem
server.key and server.pem are what freeradius uses to identify itself
and encrypt traffic, so this pair needs to be unique for each radius
server. In order to validate other certs (client certs), it needs the
ca.pem file.
now to use eapol_test for testing, you need several things:
* a configuration file
* the CA file
* the client certificate which includes its public key
* the client private key
the EAP-TLS client needs to be able to validate the radius server
certificate, therefore the client needs the CA file (ca.pem).
the client of course also needs its own certificate with
private/public key pair, in order to identify itself and encrypt
traffic
Now, if you look at the contents of client.pem, you will see it
contains both the client public key and private key. You can leave
these in one file, or you can split them apart and put them into two
separate .pem files. If you choose the first method, then a bare-bones
configuration file looks like this:
# WPA2-EAP/CCMP using EAP-TLS
ctrl_interface=/var/run/wpa_supplicant
network={
key_mgmt=WPA-EAP
identity="myusername"
proto=WPA2
eap=TLS
ca_cert="/tmp/clients/ca.pem
private_key="/tmp/clients/client.p12"
private_key_passwd="xxxxx"
}
Notice two things: first, eapol_test is smart enough to look at the
private key file and realize that it also contains the client
certificate, and is able to parse it out and deal with it correctly.
Secondly, notice that I'm using the p12 file instead of the pem file.
For some reason this doesn't work with the pem file, even though it
contains the same information, just in a different format.
If instead you want to split the client cert and private key, you can
use separate pem files as follows:
# WPA2-EAP/CCMP using EAP-TLS
ctrl_interface=/var/run/wpa_supplicantnetwork={
key_mgmt=WPA-EAP
identity="myusername"
proto=WPA2
eap=TLS
ca_cert="/tmp/clients/ca.pem"
client_cert="/tmp/clients/clientcertpem"
private_key="/tmp/clients/clientkey.pem"
# private_key="/tmp/clients/client.key"
private_key_passwd="xxxxx"
}
Or you can even use the "key" file as shown above. The "identity" is
required, but it can be any arbitrary string. This shows up as the
radius 'User-Name' attribute. At first I was thinking this would have
to match the commonName of the client certificate, but it turns out it
doesn't.
To test from any machine where you have eapol_test installed:
./eapol_test -c /tmp/conffile -a<radius server ip> -s<secret> -o
/tmp/eap_cert.out
Take a look at /tmp/eap_cert.out. It should contain both the CA cert
and the Radius server cert, which means your client successfully
downloaded these certs across the wire.
If you are issuing client certs yourself, you can use the above
procedure. Or if the client prefers to keep their private key private
then they can generate their own CSR, give the csr to you, you can use
"openssl ca" to generate and sign their cert and hand it back to them.
--
---
Michael Martinez
http://www.michael--martinez.com
1
0
Hi,
I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/)
I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE
I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl
My idea is wrong?
Regards,
2
5
Hello Everyone,
I'm a newbie in FreeRadius.
I have a FreeRadius 2.2.9 authentication in MySQL database, and my NAS
is a Mikrotik routerboard. My dhcp-pool is MySQL.
Everything is working fine, but I have a problem:
I made a mistake and set different passwords on the NAS and the
database. So when my client requested access the Radius Server provided
an IP that was not received by NAS. The NAS then requested another one
and thus my pool finish.
Is there a way (perhaps post-auth) to prevent this form happening? Maybe
it is checking whether the NAS received the response from the Radius Server?
Thanks
Aurélio
1
0
I've been migrating our RADIUS estate from 2.2.9 and 3.0.11 to 3.1.x,
built from git. Thanks to help from this list last week I've got eduroam
working successfully. I'm now struggling to get another SSID (machine
authentication for domain-joined Windows PCs) to work.
I can see that it is printing the warning:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session 0x2ab6bf0 did not finish! !!
!! See http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
however the same certificate works properly on 3.0.11. Has there been a
change of behaviour in the server?
Thanks,
Jonathan
FreeRADIUS Version 3.1.0
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including files in directory /etc/raddb/clients.d/
including configuration file /etc/raddb/clients.d/WISM7.conf
including configuration file /etc/raddb/clients.d/YEOVIL.conf
including configuration file /etc/raddb/clients.d/WISM8.conf
including configuration file /etc/raddb/clients.d/WISM2.conf
including configuration file /etc/raddb/clients.d/NHS-JA-GW.conf
including configuration file /etc/raddb/clients.d/WISM2-HA.conf
including configuration file /etc/raddb/clients.d/localhost.conf
including configuration file /etc/raddb/clients.d/WISM5-HA.conf
including configuration file /etc/raddb/clients.d/WISM6.conf
including configuration file /etc/raddb/clients.d/roaming2.ja.net.conf
including configuration file /etc/raddb/clients.d/WISM3.conf
including configuration file /etc/raddb/clients.d/WISM6-HA.conf
including configuration file /etc/raddb/clients.d/roaming1.ja.net-v6.conf
including configuration file /etc/raddb/clients.d/monitor.conf
including configuration file /etc/raddb/clients.d/roaming1.ja.net.conf
including configuration file /etc/raddb/clients.d/WISM4-HA.conf
including configuration file /etc/raddb/clients.d/ENGINE-SHED.conf
including configuration file /etc/raddb/clients.d/NBHT.conf
including configuration file /etc/raddb/clients.d/roaming0.ja.net.conf
including configuration file /etc/raddb/clients.d/WISM5.conf
including configuration file /etc/raddb/clients.d/BCC110.conf
including configuration file /etc/raddb/clients.d/WISM1-HA.conf
including configuration file /etc/raddb/clients.d/testswitch.conf
including configuration file /etc/raddb/clients.d/UBHT120.conf
including configuration file /etc/raddb/clients.d/WISM7-HA.conf
including configuration file /etc/raddb/clients.d/adminctrl.conf
including configuration file /etc/raddb/clients.d/monitor-dev.conf
including configuration file /etc/raddb/clients.d/WISM4.conf
including configuration file /etc/raddb/clients.d/UBHT169.conf
including configuration file /etc/raddb/clients.d/WISM1.conf
including configuration file /etc/raddb/clients.d/TAUNTON-NEW.conf
including configuration file /etc/raddb/clients.d/F5.conf
including configuration file /etc/raddb/clients.d/roaming2.ja.net-v6.conf
including configuration file /etc/raddb/clients.d/WISM3-HA.conf
including configuration file /etc/raddb/clients.d/WISM9.conf
including configuration file /etc/raddb/clients.d/roaming0.ja.net-v6.conf
including configuration file /etc/raddb/clients.d/WISM12.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/rainbowpreprocess
including configuration file /etc/raddb/mods-enabled/uobdetail
including configuration file /etc/raddb/mods-enabled/rainbowmschap
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/files-eduroam
including configuration file /etc/raddb/mods-enabled/linelog
/etc/raddb/mods-enabled/linelog[114]: Reference "${..pool}" not found
/etc/raddb/mods-enabled/linelog[127]: Reference "${..pool}" not found
including configuration file /etc/raddb/mods-enabled/vpimschap
including configuration file /etc/raddb/mods-enabled/rainbowlog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/eduroameap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/eduroamvlan
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/uobldap
including configuration file /etc/raddb/mods-enabled/uobsql-write
including configuration file
/etc/raddb/mods-config/uobsql-write-queries.conf
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/eduroamlioneap
including configuration file /etc/raddb/mods-enabled/logtofile
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/rainbowfiles
including configuration file /etc/raddb/mods-enabled/logtosyslog
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/eduroammschap
including configuration file /etc/raddb/mods-enabled/uobsql
including configuration file /etc/raddb/mods-config/uobsql-queries.conf
including configuration file /etc/raddb/mods-enabled/eduroaminfo
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/vpieap
including configuration file /etc/raddb/mods-enabled/rainboweap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/templates.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/policies
including configuration file /etc/raddb/policy.d/normalization
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/eduroam-realm-checks.conf
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/get-ssid
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/vendor
including configuration file /etc/raddb/policy.d/logchecker
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/rainbowmacauth
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam-partners
including configuration file /etc/raddb/sites-enabled/bristolresearchnet
including configuration file /etc/raddb/sites-enabled/rainbow-inner
including configuration file /etc/raddb/sites-enabled/uobconsoles
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/vpi-inner
including configuration file /etc/raddb/sites-enabled/rainbow
including configuration file /etc/raddb/sites-enabled/eduroamalien
including configuration file /etc/raddb/sites-enabled/vpi
including configuration file /etc/raddb/sites-enabled/status
including files in directory /etc/raddb/statusclients.d/
including configuration file /etc/raddb/statusclients.d/localhost.conf
including configuration file /etc/raddb/statusclients.d/monitor-devv6.conf
including configuration file /etc/raddb/statusclients.d/monitor.conf
including configuration file /etc/raddb/statusclients.d/monitorv6.conf
including configuration file /etc/raddb/statusclients.d/monitor-dev.conf
including configuration file /etc/raddb/sites-enabled/eduroamlocal-acct
including configuration file /etc/raddb/sites-enabled/eduroamlocal-auth
including configuration file /etc/raddb/sites-enabled/eduroamlion-inner
including configuration file /etc/raddb/sites-enabled/rainboweap-tls
including configuration file /etc/raddb/sites-enabled/eduroam-inner
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
continuation_timeout = 15
max_requests = 4096
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
home_server jrs0 {
ipaddr = 194.82.174.185
port = 1812
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server jrs0v6 {
ipv6addr = 2001:630:1:128::185
port = 1812
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server jrs1 {
ipaddr = 194.83.56.233
port = 1812
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server jrs1v6 {
ipv6addr = 2001:630:1:12a::233
port = 1812
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server jrs2 {
ipaddr = 194.83.56.249
port = 1812
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server jrs2v6 {
ipv6addr = 2001:630:1:129::249
port = 1812
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server radius-dev {
ipaddr = 137.222.7.119
port = 16006
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server radius-dev-v6 {
ipv6addr = 2001:630:e4:81:137:222:7:119
port = 16006
type = "auth+acct"
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm LOCAL {
}
realm bris.ac.uk {
}
realm bristol.ac.uk {
}
home_server_pool dev {
type = fail-over
home_server = radius-dev
home_server = radius-dev-v6
}
realm dev {
pool = dev
}
home_server_pool jrs {
type = fail-over
home_server = jrs1v6
home_server = jrs2v6
home_server = jrs1
home_server = jrs0v6
home_server = jrs2
home_server = jrs0
}
realm jrs {
pool = jrs
nostrip
}
realm lion.bristol.ac.uk {
}
realm my.bristol.ac.uk {
}
radiusd: #### Loading Clients ####
client WISM7 {
ipaddr = 172.17.107.207
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM7"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client YEOVIL {
ipaddr = 195.171.105.146
require_message_authenticator = no
secret = <<< secret >>>
shortname = "YEOVIL"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM8 {
ipaddr = 172.17.107.208
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM8"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM2 {
ipaddr = 172.17.107.202
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM2"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client NHS-JA-GW {
ipaddr = 194.176.105.96/28
require_message_authenticator = no
secret = <<< secret >>>
shortname = "NHS-JA-GW"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM2-HA {
ipaddr = 172.17.107.102
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM2-HA"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM5-HA {
ipaddr = 172.17.107.105
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM5-HA"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM6 {
ipaddr = 172.17.107.206
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM6"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client roaming2.ja.net {
ipaddr = 194.83.56.249
require_message_authenticator = no
secret = <<< secret >>>
shortname = "roaming2.ja.net"
virtual_server = "eduroamalien"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM3 {
ipaddr = 172.17.107.203
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM3"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM6-HA {
ipaddr = 172.17.107.106
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM6-HA"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client roaming1.ja.net-v6 {
ipv6addr = 2001:630:1:12a::233
require_message_authenticator = no
secret = <<< secret >>>
shortname = "roaming1.ja.net-v6"
virtual_server = "eduroamalien"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client monitor {
ipaddr = 137.222.7.147
require_message_authenticator = no
secret = <<< secret >>>
shortname = "monitor"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client roaming1.ja.net {
ipaddr = 194.83.56.233
require_message_authenticator = no
secret = <<< secret >>>
shortname = "roaming1.ja.net"
virtual_server = "eduroamalien"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM4-HA {
ipaddr = 172.17.107.104
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM4-HA"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client ENGINE-SHED {
ipaddr = 172.21.120.253
require_message_authenticator = no
secret = <<< secret >>>
shortname = "ENGINE-SHED"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client NBHT {
ipaddr = 82.33.242.34
require_message_authenticator = no
secret = <<< secret >>>
shortname = "NBHT"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client roaming0.ja.net {
ipaddr = 194.82.174.185
require_message_authenticator = no
secret = <<< secret >>>
shortname = "roaming0.ja.net"
virtual_server = "eduroamalien"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM5 {
ipaddr = 172.17.107.205
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM5"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client BCC110 {
ipaddr = 193.35.235.110
require_message_authenticator = no
secret = <<< secret >>>
shortname = "BCC110"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM1-HA {
ipaddr = 172.17.107.101
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM1-HA"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client testswitch {
ipaddr = 172.17.51.30
require_message_authenticator = no
secret = <<< secret >>>
shortname = "testswitch"
nas_type = "cisco"
virtual_server = "rainbow"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client UBHT120 {
ipaddr = 10.160.155.120
require_message_authenticator = no
secret = <<< secret >>>
shortname = "UBHT120"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM7-HA {
ipaddr = 172.17.107.107
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM7-HA"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client adminctrl {
ipaddr = 172.17.0.0/16
require_message_authenticator = no
secret = <<< secret >>>
shortname = "adminctrl"
nas_type = "cisco"
virtual_server = "rainbow"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client monitor-dev {
ipaddr = 137.222.8.103
require_message_authenticator = no
secret = <<< secret >>>
shortname = "monitor-dev"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM4 {
ipaddr = 172.17.107.204
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM4"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client UBHT169 {
ipaddr = 10.160.156.169
require_message_authenticator = no
secret = <<< secret >>>
shortname = "UBHT169"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM1 {
ipaddr = 172.17.107.201
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM1"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client TAUNTON-NEW {
ipaddr = 109.176.101.162
require_message_authenticator = no
secret = <<< secret >>>
shortname = "TAUNTON-NEW"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client F5 {
ipaddr = 137.222.250.0/24
require_message_authenticator = no
secret = <<< secret >>>
shortname = "F5"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client roaming2.ja.net-v6 {
ipv6addr = 2001:630:1:129::249
require_message_authenticator = no
secret = <<< secret >>>
shortname = "roaming2.ja.net-v6"
virtual_server = "eduroamalien"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM3-HA {
ipaddr = 172.17.107.103
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM3-HA"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM9 {
ipaddr = 172.17.107.209
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM9"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client roaming0.ja.net-v6 {
ipv6addr = 2001:630:1:128::185
require_message_authenticator = no
secret = <<< secret >>>
shortname = "roaming0.ja.net-v6"
virtual_server = "eduroamalien"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client WISM12 {
ipaddr = 172.17.107.212
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WISM12"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
thread pool {
start_servers = 5
max_servers = 256
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
WARNING: Ignoring "max_spare_servers = 10", forcing to
"max_spare_servers = 3"
listen {
type = "control"
listen {
socket = "/var/run/radiusd/control/radiusd.sock"
mode = "rw"
peercred = yes
}
}
listen {
type = "auth"
ipaddr = *
port = 1645
recv_buff = 0
}
listen {
type = "acct"
ipaddr = *
port = 1646
recv_buff = 0
}
listen {
type = "auth"
ipaddr = *
port = 16061
recv_buff = 0
}
listen {
type = "acct"
ipaddr = *
port = 16062
recv_buff = 0
}
listen {
type = "auth"
ipaddr = *
port = 16063
recv_buff = 0
}
listen {
type = "acct"
ipaddr = *
port = 16064
recv_buff = 0
}
# Creating Autz-Type = Status-Server
# Creating Auth-Type = eduroameap
# Creating Auth-Type = eduroamlioneap
# Creating Acct-Type = Status-Server
listen {
type = "auth"
ipaddr = *
port = 16014
recv_buff = 0
}
listen {
type = "acct"
ipaddr = *
port = 16015
recv_buff = 0
}
# Creating Auth-Type = PAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = rainboweap
listen {
type = "auth"
ipaddr = *
port = 16018
recv_buff = 0
}
# Creating Auth-Type = vpieap
listen {
type = "auth"
ipaddr = *
port = 16028
recv_buff = 0
}
listen {
type = "acct"
ipaddr = *
port = 16029
recv_buff = 0
}
listen {
type = "auth"
ipaddr = *
port = 1812
recv_buff = 0
}
listen {
type = "auth"
ipv6addr = ::
port = 1812
recv_buff = 0
}
listen {
type = "auth"
ipaddr = *
port = 16020
recv_buff = 0
}
listen {
type = "acct"
ipaddr = *
port = 16021
recv_buff = 0
}
listen {
type = "status"
ipaddr = *
port = 18120
recv_buff = 0
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client monitor-devv6 {
ipv6addr = 2001:630:e4:81:137:222:8:103
require_message_authenticator = no
secret = <<< secret >>>
shortname = "monitor-devv6"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client monitor {
ipaddr = 137.222.7.147
require_message_authenticator = no
secret = <<< secret >>>
shortname = "monitor"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client monitorv6 {
ipv6addr = 2001:630:e4:81:137:222:7:147
require_message_authenticator = no
secret = <<< secret >>>
shortname = "monitorv6"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client monitor-dev {
ipaddr = 137.222.8.103
require_message_authenticator = no
secret = <<< secret >>>
shortname = "monitor-dev"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
/etc/raddb/statusclients.d/localhost.conf[1]: Ignoring unknown
sub-section "client"
/etc/raddb/statusclients.d/monitor-devv6.conf[1]: Ignoring unknown
sub-section "client"
/etc/raddb/statusclients.d/monitor.conf[1]: Ignoring unknown sub-section
"client"
/etc/raddb/statusclients.d/monitorv6.conf[1]: Ignoring unknown
sub-section "client"
/etc/raddb/statusclients.d/monitor-dev.conf[1]: Ignoring unknown
sub-section "client"
listen {
type = "acct"
ipaddr = *
port = 16007
recv_buff = 0
}
listen {
type = "auth"
ipaddr = *
port = 16006
recv_buff = 0
}
# Creating Auth-Type = files-eduroam
radiusd: #### Loading modules ####
modules {
# Loaded module "rlm_detail"
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module "rlm_preprocess"
# Loading module "rainbowpreprocess" from file
/etc/raddb/mods-enabled/rainbowpreprocess
preprocess rainbowpreprocess {
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
with_alvarion_vsa_hack = no
}
# Loading module "uob_detail" from file /etc/raddb/mods-enabled/uobdetail
detail uob_detail {
filename =
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/detail.log"
header = "%t"
permissions = 416
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "uob_auth_log" from file
/etc/raddb/mods-enabled/uobdetail
detail uob_auth_log {
filename =
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = yes
}
# Loading module "uob_auth_log_password" from file
/etc/raddb/mods-enabled/uobdetail
detail uob_auth_log_password {
filename =
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "uob_reply_log" from file
/etc/raddb/mods-enabled/uobdetail
detail uob_reply_log {
filename =
"/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "uob_pre_proxy_log" from file
/etc/raddb/mods-enabled/uobdetail
detail uob_pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "uob_post_proxy_log" from file
/etc/raddb/mods-enabled/uobdetail
detail uob_post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module "rlm_mschap"
# Loading module "rainbowmschap" from file
/etc/raddb/mods-enabled/rainbowmschap
mschap rainbowmschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{rainbowmschap:User-Name}}
--challenge=%{%{rainbowmschap:Challenge}:-00}
--nt-response=%{%{rainbowmschap:NT-Response}:-00}"
passchange {
}
allow_retry = yes
}
# Loading module "rainbowmachinemschap" from file
/etc/raddb/mods-enabled/rainbowmschap
mschap rainbowmachinemschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{rainbowmschap:User-Name}}
--challenge=%{%{rainbowmschap:Challenge}:-00}
--nt-response=%{%{rainbowmschap:NT-Response}:-00}
--require-membership-of=S-1-5-21-1117850145-1682116191-196506527-515"
passchange {
}
allow_retry = yes
}
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module "rlm_files"
# Loading module "files-eduroam" from file
/etc/raddb/mods-enabled/files-eduroam
files files-eduroam {
usersfile = "/etc/raddb/users.d/users-eduroam"
}
# Loaded module "rlm_linelog"
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
destination = "file"
delimiter = " "
file {
filename = "/var/log/radius/linelog"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
port = 514
timeout = 2.000000
}
udp {
port = 514
timeout = 2.000000
}
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
destination = "file"
delimiter = " "
file {
filename = "/var/log/radius/linelog-accounting"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loading module "vpimschap" from file /etc/raddb/mods-enabled/vpimschap
mschap vpimschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{vpimschap:User-Name}}
--challenge=%{vpimschap:Challenge}
--nt-response=%{vpimschap:NT-Response}
--require-membership-of=S-1-5-21-1117850145-1682116191-196506527-149178"
passchange {
}
allow_retry = yes
}
# Loading module "rainbowlogsyslog" from file
/etc/raddb/mods-enabled/rainbowlog
linelog rainbowlogsyslog {
destination = "syslog"
delimiter = " "
file {
permissions = 384
escape_filenames = no
}
syslog {
facility = "local5"
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loading module "rainbowlogfiles" from file
/etc/raddb/mods-enabled/rainbowlog
linelog rainbowlogfiles {
destination = "file"
delimiter = " "
file {
filename = "/var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loading module "rainbowacclog" from file
/etc/raddb/mods-enabled/rainbowlog
linelog rainbowacclog {
destination = "syslog"
delimiter = " "
file {
permissions = 384
escape_filenames = no
}
syslog {
facility = "local5"
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loaded module "rlm_replicate"
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module "rlm_eap"
# Loading module "eduroameap" from file
/etc/raddb/mods-enabled/eduroameap
eap eduroameap {
default_eap_type = "peap"
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
require_client_cert = yes
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key"
certificate_file =
"/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem"
ca_file = "/etc/raddb/certs/uob-net-ca.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT:!ADH:!SSLv2"
ecdh_curve = "prime256v1"
cache {
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner"
include_length = yes
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner"
soh = no
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server
eduroam-inner. The server cannot proxy inner-tunnel EAP packets.
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module "rlm_chap"
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module "rlm_exec"
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module "rlm_realm"
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module "rlm_dynamic_clients"
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module "rlm_digest"
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module "rlm_expr"
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module "rlm_radutmp"
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module "rlm_cache"
# Loading module "eduroamvlan" from file
/etc/raddb/mods-enabled/eduroamvlan
cache eduroamvlan {
driver = "rlm_cache_rbtree"
ttl = 600
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module "rlm_dhcp"
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module "rlm_ldap"
# Loading module "uobldap" from file /etc/raddb/mods-enabled/uobldap
ldap uobldap {
server = "cse-lox.ads.bris.ac.uk"
port = 636
identity = "CN=iser-linauth,OU=ISER - Special Purpose
Accounts,OU=ISER,DC=ads,DC=bris,DC=ac,DC=uk"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "DC=ads,DC=bris,DC=ac,DC=uk"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
use_referral_credentials = no
rebind = yes
session_tracking = no
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
require_cert = "allow"
}
}
Creating attribute uobldap-LDAP-Group
# Loaded module "rlm_sql"
# Loading module "uobsql-write" from file
/etc/raddb/mods-enabled/uobsql-write
sql uobsql-write {
driver = "rlm_sql_mysql"
server = "db-write.nomadic-core.bris.ac.uk"
port = 3306
login = "radiusd"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
group_attribute = "uobsql-write-sql-Group"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'%{uobsql-write-sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'%{uobsql-write-sql-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress,
virtual_server, radius_server, vlan, strippedusername) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}',
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
query = "UPDATE radacct SET acctstarttime = '%S', acctupdatetime
= '%S', connectinfo_start = '%{Connect-Info}' WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}'"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime =
(@acctupdatetime_old:=acctupdatetime), acctupdatetime = '%S',
acctinterval = %{integer:Event-Timestamp} -
UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress =
'%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL},
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}'
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress,
virtual_server, radius_server, vlan, strippedusername) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} -
%{%{Acct-Session-Time}:-0}), '%S', NULL, %{%{Acct-Session-Time}:-NULL},
'%{Acct-Authentic}', '%{Connect-Info}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}',
'%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}',
SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
}
stop {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime
= %{%{Acct-Session-Time}:-NULL}, acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress,
virtual_server, radius_server, vlan, strippedusername) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} -
%{%{Acct-Session-Time}:-0}), '%S', '%S', %{%{Acct-Session-Time}:-NULL},
'%{Acct-Authentic}', '', '%{Connect-Info}',
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}',
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (uobsql-write) - Driver rlm_sql_mysql (module rlm_sql_mysql)
loaded and linked
Creating attribute uobsql-write-sql-Group
# Loaded module "rlm_expiration"
# Loading module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loading module "eduroamlioneap" from file
/etc/raddb/mods-enabled/eduroamlioneap
eap eduroamlioneap {
default_eap_type = "peap"
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
require_client_cert = yes
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key"
certificate_file =
"/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem"
ca_file = "/etc/raddb/certs/uob-net-ca.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT:!ADH:!SSLv2"
ecdh_curve = "prime256v1"
cache {
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroamlion-inner"
include_length = yes
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroamlion-inner"
soh = no
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server
eduroamlion-inner. The server cannot proxy inner-tunnel EAP packets.
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loading module "logtofile" from file /etc/raddb/mods-enabled/logtofile
linelog logtofile {
destination = "file"
delimiter = " "
file {
filename = "/var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loaded module "rlm_always"
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "rainbowfiles" from file
/etc/raddb/mods-enabled/rainbowfiles
files rainbowfiles {
usersfile = "/etc/raddb/users.d/users-rainbow"
}
# Loading module "logtosyslog" from file
/etc/raddb/mods-enabled/logtosyslog
linelog logtosyslog {
destination = "syslog"
delimiter = " "
file {
permissions = 384
escape_filenames = no
}
syslog {
facility = "local5"
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loaded module "rlm_attr_filter"
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
relaxed = no
}
# Loading module "filter.attrs.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.attrs.accounting_response {
filename =
"/etc/raddb/mods-config/attr_filter/attrs.accounting_response"
relaxed = no
}
# Loading module "filter.bristolresearchnet-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.bristolresearchnet-a_reject {
filename =
"/etc/raddb/mods-config/attr_filter/bristolresearchnet-a_reject"
relaxed = no
}
# Loading module "filter.eduroamalien-a_accept" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamalien-a_accept {
filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_accept"
relaxed = no
}
# Loading module "filter.eduroamalien-a_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamalien-a_challenge {
filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_challenge"
relaxed = no
}
# Loading module "filter.eduroamalien-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamalien-a_reject {
filename = "/etc/raddb/mods-config/attr_filter/eduroamalien-a_reject"
relaxed = no
}
# Loading module "filter.eduroamlocal-a_accept" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-a_accept {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept"
relaxed = no
}
# Loading module "filter.eduroamlocal-a_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-a_challenge {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge"
relaxed = no
}
# Loading module "filter.eduroamlocal-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-a_reject {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject"
relaxed = no
}
# Loading module "filter.eduroamlocal-post_proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-post_proxy {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy"
relaxed = no
}
# Loading module "filter.eduroamlocal-pre_proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-pre_proxy {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy"
relaxed = no
}
# Loading module "filter.vpi-a_accept" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.vpi-a_accept {
filename = "/etc/raddb/mods-config/attr_filter/vpi-a_accept"
relaxed = no
}
# Loading module "filter.vpi-a_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.vpi-a_challenge {
filename = "/etc/raddb/mods-config/attr_filter/vpi-a_challenge"
relaxed = no
}
# Loading module "filter.vpi-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter filter.vpi-a_reject {
filename = "/etc/raddb/mods-config/attr_filter/vpi-a_reject"
relaxed = no
}
# Loaded module "rlm_utf8"
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module "rlm_passwd"
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module "rlm_soh"
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module "rlm_unix"
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "eduroammschap" from file
/etc/raddb/mods-enabled/eduroammschap
mschap eduroammschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = no
retry_msg = "Verify username and re-enter your password"
}
# Loading module "uobsql" from file /etc/raddb/mods-enabled/uobsql
sql uobsql {
driver = "rlm_sql_mysql"
server = "db.nomadic-core.bris.ac.uk"
port = 3306
login = "radiusd"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
group_attribute = "uobsql-sql-Group"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{uobsql-sql-Group}'
ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{uobsql-sql-Group}'
ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid,
framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime
= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress,
virtual_server, radius_server, vlan, strippedusername) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}',
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
query = "UPDATE radacct SET acctstarttime = '%S', acctupdatetime
= '%S', connectinfo_start = '%{Connect-Info}' WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}'"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime =
(@acctupdatetime_old:=acctupdatetime), acctupdatetime = '%S',
acctinterval = %{integer:Event-Timestamp} -
UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress =
'%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL},
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}'
WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress,
virtual_server, radius_server, vlan, strippedusername) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} -
%{%{Acct-Session-Time}:-0}), '%S', NULL, %{%{Acct-Session-Time}:-NULL},
'%{Acct-Authentic}', '%{Connect-Info}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}',
'%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}',
SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
}
stop {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime
= %{%{Acct-Session-Time}:-NULL}, acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol, framedipaddress,
virtual_server, radius_server, vlan, strippedusername) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp} -
%{%{Acct-Session-Time}:-0}), '%S', '%S', %{%{Acct-Session-Time}:-NULL},
'%{Acct-Authentic}', '', '%{Connect-Info}',
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}',
'%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (uobsql) - Driver rlm_sql_mysql (module rlm_sql_mysql) loaded
and linked
Creating attribute uobsql-sql-Group
# Loading module "eduroaminfo" from file
/etc/raddb/mods-enabled/eduroaminfo
linelog eduroaminfo {
destination = "syslog"
delimiter = " "
file {
permissions = 384
escape_filenames = no
}
syslog {
facility = "user"
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "vpieap" from file /etc/raddb/mods-enabled/vpieap
eap vpieap {
default_eap_type = "peap"
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
require_client_cert = yes
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/2016-vpi.wireless.bris.ac.uk.key"
certificate_file = "/etc/raddb/certs/2016-vpi.wireless.bris.ac.uk.pem"
ca_file = "/etc/raddb/certs/University-of-Bristol-Windows-CA.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
disable_tlsv1_2 = yes
cache {
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "vpi-inner"
soh = no
require_client_cert = no
}
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server
vpi-inner. The server cannot proxy inner-tunnel EAP packets.
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loading module "rainboweap" from file
/etc/raddb/mods-enabled/rainboweap
eap rainboweap {
default_eap_type = "peap"
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
# Linked to sub-module rlm_eap_tls
tls {
require_client_cert = yes
virtual_server = "rainboweap-tls"
}
TLS section "tls" missing, trying to use legacy configuration
tls {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/The-Rainbow-Edge.key"
certificate_file = "/etc/raddb/certs/The-Rainbow-Edge-cert.pem"
ca_file = "/etc/raddb/certs/uob-net-ca.pem"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
require_client_cert = yes
ecdh_curve = "prime256v1"
cache {
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "rainbow-inner"
include_length = yes
require_client_cert = no
}
TLS section "tls" missing, trying to use legacy configuration
tls - Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "rainbow-inner"
soh = no
require_client_cert = no
}
TLS section "tls" missing, trying to use legacy configuration
tls - Using cached TLS configuration from previous invocation
rlm_eap_peap - Failed to find 'Auth-Type eap' section in virtual server
rainbow-inner. The server cannot proxy inner-tunnel EAP packets.
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module "rlm_unpack"
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module "rlm_pap"
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module "rlm_logintime"
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
instantiate {
}
} # modules
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "rainbowpreprocess" from file
/etc/raddb/mods-enabled/rainbowpreprocess
# Instantiating module "uob_detail" from file
/etc/raddb/mods-enabled/uobdetail
rlm_detail (uob_detail) - 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "uob_auth_log" from file
/etc/raddb/mods-enabled/uobdetail
rlm_detail (uob_auth_log) - 'User-Password' suppressed, will not appear
in detail output
# Instantiating module "uob_auth_log_password" from file
/etc/raddb/mods-enabled/uobdetail
# Instantiating module "uob_reply_log" from file
/etc/raddb/mods-enabled/uobdetail
# Instantiating module "uob_pre_proxy_log" from file
/etc/raddb/mods-enabled/uobdetail
# Instantiating module "uob_post_proxy_log" from file
/etc/raddb/mods-enabled/uobdetail
# Instantiating module "rainbowmschap" from file
/etc/raddb/mods-enabled/rainbowmschap
rainbowmschap : authenticating by calling 'ntlm_auth'
# Instantiating module "rainbowmachinemschap" from file
/etc/raddb/mods-enabled/rainbowmschap
rainbowmachinemschap : authenticating by calling 'ntlm_auth'
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap: using internal authentication
# Instantiating module "files-eduroam" from file
/etc/raddb/mods-enabled/files-eduroam
reading file /etc/raddb/users.d/users-eduroam
# Instantiating module "linelog" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "vpimschap" from file
/etc/raddb/mods-enabled/vpimschap
vpimschap : authenticating by calling 'ntlm_auth'
# Instantiating module "rainbowlogsyslog" from file
/etc/raddb/mods-enabled/rainbowlog
# Instantiating module "rainbowlogfiles" from file
/etc/raddb/mods-enabled/rainbowlog
# Instantiating module "rainbowacclog" from file
/etc/raddb/mods-enabled/rainbowlog
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading file /etc/raddb/mods-config/files/authorize
reading file /etc/raddb/mods-config/files/accounting
reading file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "eduroamvlan" from file
/etc/raddb/mods-enabled/eduroamvlan
eduroamvlan - Driver rlm_cache_rbtree loaded and linked
# Instantiating module "uobldap" from file
/etc/raddb/mods-enabled/uobldap
rlm_ldap (uobldap) - libldap vendor: OpenLDAP, version: 20440
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (uobldap) - Initialising connection pool
pool {
start = 5
min = 3
max = 5
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_ldap (uobldap) - WARNING: Ignoring "spare = 10", forcing to "spare = 2"
rlm_ldap (uobldap) - Opening additional connection (0), 1 of 5 pending
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Performing search in "" with filter
"(objectclass=*)", scope "base"
rlm_ldap (uobldap) - Waiting for search result...
rlm_ldap (uobldap) - Directory type: Active Directory
rlm_ldap (uobldap) - Opening additional connection (1), 1 of 4 pending
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Opening additional connection (2), 1 of 3 pending
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Opening additional connection (3), 1 of 2 pending
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
rlm_ldap (uobldap) - Opening additional connection (4), 1 of 1 pending
slots used
rlm_ldap (uobldap) - Connecting to ldap://cse-lox.ads.bris.ac.uk:636
rlm_ldap (uobldap) - Waiting for bind result...
rlm_ldap (uobldap) - Bind successful
# Instantiating module "uobsql-write" from file
/etc/raddb/mods-enabled/uobsql-write
rlm_sql_mysql - libmysql version: 5.5.44-MariaDB
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (uobsql-write) - Attempting to connect to database "radius"
rlm_sql (uobsql-write) - Initialising connection pool
pool {
start = 1
min = 1
max = 2
spare = 1
uses = 10000
lifetime = 300
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 2
spread = no
}
rlm_sql (uobsql-write) - Opening additional connection (0), 1 of 2
pending slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on
db-write.nomadic-core.bris.ac.uk via TCP/IP, server version
5.5.48-MariaDB-wsrep, protocol version 10
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "logtofile" from file
/etc/raddb/mods-enabled/logtofile
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file
/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file
/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "rainbowfiles" from file
/etc/raddb/mods-enabled/rainbowfiles
reading file /etc/raddb/users.d/users-rainbow
# Instantiating module "logtosyslog" from file
/etc/raddb/mods-enabled/logtosyslog
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "filter.attrs.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading file
/etc/raddb/mods-config/attr_filter/attrs.accounting_response
# Instantiating module "filter.bristolresearchnet-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading file
/etc/raddb/mods-config/attr_filter/bristolresearchnet-a_reject
# Instantiating module "filter.eduroamalien-a_accept" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/eduroamalien-a_accept
# Instantiating module "filter.eduroamalien-a_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading file
/etc/raddb/mods-config/attr_filter/eduroamalien-a_challenge
# Instantiating module "filter.eduroamalien-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/eduroamalien-a_reject
# Instantiating module "filter.eduroamlocal-a_accept" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept
# Instantiating module "filter.eduroamlocal-a_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading file
/etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge
# Instantiating module "filter.eduroamlocal-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject
# Instantiating module "filter.eduroamlocal-post_proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading file
/etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy
# Instantiating module "filter.eduroamlocal-pre_proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading file
/etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy
# Instantiating module "filter.vpi-a_accept" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/vpi-a_accept
# Instantiating module "filter.vpi-a_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/vpi-a_challenge
# Instantiating module "filter.vpi-a_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading file /etc/raddb/mods-config/attr_filter/vpi-a_reject
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache_eap - Driver rlm_cache_rbtree loaded and linked
# Instantiating module "eduroammschap" from file
/etc/raddb/mods-enabled/eduroammschap
rlm_mschap (eduroammschap) - Initialising connection pool
pool {
start = 5
min = 3
max = 256
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_mschap (eduroammschap) - Opening additional connection (0), 1 of 256
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (1), 1 of 255
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (2), 1 of 254
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (3), 1 of 253
pending slots used
rlm_mschap (eduroammschap) - Opening additional connection (4), 1 of 252
pending slots used
eduroammschap : authenticating directly to winbind
# Instantiating module "uobsql" from file /etc/raddb/mods-enabled/uobsql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (uobsql) - Attempting to connect to database "radius"
rlm_sql (uobsql) - Initialising connection pool
pool {
start = 1
min = 1
max = 8
spare = 1
uses = 10000
lifetime = 300
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 2
spread = no
}
rlm_sql (uobsql) - Opening additional connection (0), 1 of 8 pending
slots used
rlm_sql_mysql - Starting connect to MySQL server
rlm_sql_mysql - Connected to database 'radius' on
db.nomadic-core.bris.ac.uk via TCP/IP, server version
5.5.48-MariaDB-wsrep, protocol version 10
# Instantiating module "eduroaminfo" from file
/etc/raddb/mods-enabled/eduroaminfo
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading file /etc/raddb/mods-config/preprocess/huntgroups
reading file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
radiusd: #### Loading Virtual Servers ####
server eduroam-partners { # from file
/etc/raddb/sites-enabled/eduroam-partners
} # server eduroam-partners
server bristolresearchnet { # from file
/etc/raddb/sites-enabled/bristolresearchnet
} # server bristolresearchnet
server rainbow-inner { # from file /etc/raddb/sites-enabled/rainbow-inner
} # server rainbow-inner
server uobconsoles { # from file /etc/raddb/sites-enabled/uobconsoles
} # server uobconsoles
server vpi-inner { # from file /etc/raddb/sites-enabled/vpi-inner
} # server vpi-inner
server rainbow { # from file /etc/raddb/sites-enabled/rainbow
} # server rainbow
server eduroamalien { # from file /etc/raddb/sites-enabled/eduroamalien
} # server eduroamalien
server vpi { # from file /etc/raddb/sites-enabled/vpi
} # server vpi
server status { # from file /etc/raddb/sites-enabled/status
} # server status
server eduroamlocal-acct { # from file
/etc/raddb/sites-enabled/eduroamlocal-acct
} # server eduroamlocal-acct
server eduroamlocal-auth { # from file
/etc/raddb/sites-enabled/eduroamlocal-auth
} # server eduroamlocal-auth
server eduroamlion-inner { # from file
/etc/raddb/sites-enabled/eduroamlion-inner
} # server eduroamlion-inner
server rainboweap-tls { # from file /etc/raddb/sites-enabled/rainboweap-tls
} # server rainboweap-tls
server eduroam-inner { # from file /etc/raddb/sites-enabled/eduroam-inner
} # server eduroam-inner
radiusd: #### Opening IP addresses and Ports ####
Listening on command file /var/run/radiusd/control/radiusd.sock
Listening on auth address * port 1645 bound to server eduroam-partners
Listening on acct address * port 1646 bound to server eduroam-partners
Listening on auth address * port 16061 bound to server eduroam-partners
Listening on acct address * port 16062 bound to server eduroam-partners
Listening on auth address * port 16063 bound to server eduroam-partners
Listening on acct address * port 16064 bound to server eduroam-partners
Listening on auth address * port 16014 bound to server bristolresearchnet
Listening on acct address * port 16015 bound to server bristolresearchnet
Listening on auth address * port 16018 bound to server uobconsoles
Listening on auth address * port 16028 bound to server rainbow
Listening on acct address * port 16029 bound to server rainbow
Listening on auth address * port 1812 bound to server eduroamalien
Listening on auth address :: port 1812 bound to server eduroamalien
Listening on auth address * port 16020 bound to server vpi
Listening on acct address * port 16021 bound to server vpi
Listening on status address * port 18120 bound to server status
Listening on acct address * port 16007 bound to server eduroamlocal-acct
Listening on auth address * port 16006 bound to server eduroamlocal-auth
Listening on proxy address * port 48159
Listening on proxy address :: port 46124
Ready to process requests
(0) Received Access-Request Id 156 from 172.17.107.208:32770 to
137.222.8.134:16020 via ens192 length 322
(0) User-Name = "host/IT051252.users.bris.ac.uk"
(0) Chargeable-User-Identity = 0x00
(0) Location-Capable = Civix-Location
(0) Calling-Station-Id = "c4:85:08:a9:05:24"
(0) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(0) NAS-Port = 13
(0) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(0) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(0) NAS-IP-Address = 172.17.107.208
(0) NAS-Identifier = "wism8"
(0) Airespace-Wlan-Id = 3
(0) Service-Type = Framed-User
(0) Framed-MTU = 1300
(0) NAS-Port-Type = Wireless-802.11
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Private-Group-Id:0 = "547"
(0) EAP-Message =
0x0202002301686f73742f49543035313235322e75736572732e627269732e61632e756b
(0) Message-Authenticator = 0x210eb8a98c17341f7b1831b8224f1ca9
(0) Running section authorize from file /etc/raddb/sites-enabled/vpi
(0) authorize {
(0) wism-checks {
(0) if (Service-Type == "NAS-Prompt-User") {
(0) ...
(0) }
(0) } # wism-checks (notfound)
(0) preprocess (ok)
(0) uob_auth_log - EXPAND
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(0) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(0) uob_auth_log -
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
expands to /var/log/radius/radacct/vpi/auth-detail.log
(0) uob_auth_log - EXPAND %t
(0) uob_auth_log - --> Tue Mar 15 14:59:02 2016
(0) uob_auth_log (ok)
(0) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(0) ...
(0) }
(0) vpieap - Peer sent EAP Response (code 2) ID 2 length 35
(0) vpieap - Peer sent EAP-Identity. Returning 'ok' so we can
short-circuit the rest of authorize
(0) vpieap (ok)
(0) } # authorize (ok)
(0) Using 'Auth-Type = vpieap' for authenticate {...}
(0) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(0) authenticate {
(0) vpieap - Peer sent packet with EAP method Identity (1)
(0) vpieap - Calling submodule eap_peap to process data
(0) eap_peap - Initiating new EAP-TLS session
(0) vpieap - Sending EAP Request (code 1) ID 3 length 6
(0) vpieap (handled)
(0) } # authenticate (handled)
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(0) Sent Access-Challenge Id 156 from 137.222.8.134:16020 to
172.17.107.208:32770 via ens192 length 0
(0) EAP-Message = 0x010300061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x01016e00b7ba0f346d696f996ec2a586
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 157 from 172.17.107.208:32770 to
137.222.8.134:16020 via ens192 length 412
(1) User-Name = "host/IT051252.users.bris.ac.uk"
(1) Chargeable-User-Identity = 0x00
(1) Location-Capable = Civix-Location
(1) Calling-Station-Id = "c4:85:08:a9:05:24"
(1) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(1) NAS-Port = 13
(1) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(1) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(1) NAS-IP-Address = 172.17.107.208
(1) NAS-Identifier = "wism8"
(1) Airespace-Wlan-Id = 3
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) Tunnel-Type:0 = VLAN
(1) Tunnel-Medium-Type:0 = IEEE-802
(1) Tunnel-Private-Group-Id:0 = "547"
(1) EAP-Message =
0x0203006b198000000061160301005c01000058030156e82335df750bf907213b69795c99dd0e5a0fd9cafa4e22e72034f7067ec9cb000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
(1) State = 0x01016e00b7ba0f346d696f996ec2a586
(1) Message-Authenticator = 0x8ce96eef1c29f0f8b418aa5516a813f4
(1) Running section authorize from file /etc/raddb/sites-enabled/vpi
(1) authorize {
(1) wism-checks {
(1) if (Service-Type == "NAS-Prompt-User") {
(1) ...
(1) }
(1) } # wism-checks (notfound)
(1) preprocess (ok)
(1) uob_auth_log - EXPAND
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(1) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(1) uob_auth_log -
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
expands to /var/log/radius/radacct/vpi/auth-detail.log
(1) uob_auth_log - EXPAND %t
(1) uob_auth_log - --> Tue Mar 15 14:59:02 2016
(1) uob_auth_log (ok)
(1) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(1) ...
(1) }
(1) vpieap - Peer sent EAP Response (code 2) ID 3 length 107
(1) vpieap - Continuing tunnel setup
(1) vpieap (ok)
(1) } # authorize (ok)
(1) Using 'Auth-Type = vpieap' for authenticate {...}
(1) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(1) authenticate {
(1) vpieap - Peer sent packet with EAP method PEAP (25)
(1) vpieap - Calling submodule eap_peap to process data
(1) eap_peap - Continuing EAP-TLS
(1) eap_peap - Peer indicated complete TLS record size will be 97 bytes
(1) eap_peap - Got complete TLS record, with length field (97 bytes)
(1) eap_peap - [eap-tls verify] = ok
(1) eap_peap - before/accept initialization
(1) eap_peap - TLS Accept: before/accept initialization
(1) eap_peap - <<< recv handshake [length 92], client_hello
(1) eap_peap - TLS Accept: SSLv3 read client hello A
(1) eap_peap - >>> send handshake [length 57], server_hello
(1) eap_peap - TLS Accept: SSLv3 write server hello A
(1) eap_peap - >>> send handshake [length 1833], certificate
(1) eap_peap - TLS Accept: SSLv3 write certificate A
(1) eap_peap - >>> send handshake [length 331], server_key_exchange
(1) eap_peap - TLS Accept: SSLv3 write key exchange A
(1) eap_peap - >>> send handshake [length 4], server_hello_done
(1) eap_peap - TLS Accept: SSLv3 write server done A
(1) eap_peap - TLS Accept: SSLv3 flush data
(1) eap_peap - TLS Accept: Need to read more data: SSLv3 read
client certificate A
(1) eap_peap - TLS Accept: Need to read more data: SSLv3 read
client certificate A
(1) eap_peap - In TLS handshake phase
(1) eap_peap - In TLS accept mode
(1) eap_peap - Complete TLS record (2245 bytes) larger than MTU
(1000 bytes), will fragment
(1) eap_peap - Sending first TLS record fragment (1000 bytes), 1245
bytes remaining
(1) eap_peap - [eap-tls process] = handled
(1) vpieap - Sending EAP Request (code 1) ID 4 length 1010
(1) vpieap (handled)
(1) } # authenticate (handled)
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(1) Sent Access-Challenge Id 157 from 137.222.8.134:16020 to
172.17.107.208:32770 via ens192 length 0
(1) EAP-Message =
0x010403f219c0000008c5160301003902000035030156e823361b5cba1ccb77c8d1c2d294e5648fa5293f6acb6c7e0b210e9899de6e00c01400000dff01000100000b00040300010216030107290b0007250007220002dc308202d830820282020410456227300d06092a864886f70d01010b05003081bf
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x02036e003ffa67036d696f996ec2a586
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 158 from 172.17.107.208:32770 to
137.222.8.134:16020 via ens192 length 311
(2) User-Name = "host/IT051252.users.bris.ac.uk"
(2) Chargeable-User-Identity = 0x00
(2) Location-Capable = Civix-Location
(2) Calling-Station-Id = "c4:85:08:a9:05:24"
(2) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(2) NAS-Port = 13
(2) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(2) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(2) NAS-IP-Address = 172.17.107.208
(2) NAS-Identifier = "wism8"
(2) Airespace-Wlan-Id = 3
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = "547"
(2) EAP-Message = 0x020400061900
(2) State = 0x02036e003ffa67036d696f996ec2a586
(2) Message-Authenticator = 0x2973017c64efccc5305299b5fdd47e3d
(2) Running section authorize from file /etc/raddb/sites-enabled/vpi
(2) authorize {
(2) wism-checks {
(2) if (Service-Type == "NAS-Prompt-User") {
(2) ...
(2) }
(2) } # wism-checks (notfound)
(2) preprocess (ok)
(2) uob_auth_log - EXPAND
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(2) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(2) uob_auth_log -
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
expands to /var/log/radius/radacct/vpi/auth-detail.log
(2) uob_auth_log - EXPAND %t
(2) uob_auth_log - --> Tue Mar 15 14:59:02 2016
(2) uob_auth_log (ok)
(2) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(2) ...
(2) }
(2) vpieap - Peer sent EAP Response (code 2) ID 4 length 6
(2) vpieap - Continuing tunnel setup
(2) vpieap (ok)
(2) } # authorize (ok)
(2) Using 'Auth-Type = vpieap' for authenticate {...}
(2) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(2) authenticate {
(2) vpieap - Peer sent packet with EAP method PEAP (25)
(2) vpieap - Calling submodule eap_peap to process data
(2) eap_peap - Continuing EAP-TLS
(2) eap_peap - Peer ACKed our handshake fragment
(2) eap_peap - [eap-tls verify] = request
(2) eap_peap - Sending additional TLS record fragment (1004 bytes),
241 bytes remaining
(2) eap_peap - [eap-tls process] = handled
(2) vpieap - Sending EAP Request (code 1) ID 5 length 1010
(2) vpieap (handled)
(2) } # authenticate (handled)
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(2) Sent Access-Challenge Id 158 from 137.222.8.134:16020 to
172.17.107.208:32770 via ens192 length 0
(2) EAP-Message =
0x010503f219402053657276696365733129302706035504031320556e6976657273697479206f662042726973746f6c2057696e646f7773204341301e170d3033303131303130323733375a170d3233303131303130333531315a3081bf3125302306092a864886f70d010901161663612d61646d696e40
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x03016e00b7ba0f346d696f996ec2a586
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 159 from 172.17.107.208:32770 to
137.222.8.134:16020 via ens192 length 311
(3) User-Name = "host/IT051252.users.bris.ac.uk"
(3) Chargeable-User-Identity = 0x00
(3) Location-Capable = Civix-Location
(3) Calling-Station-Id = "c4:85:08:a9:05:24"
(3) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(3) NAS-Port = 13
(3) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(3) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(3) NAS-IP-Address = 172.17.107.208
(3) NAS-Identifier = "wism8"
(3) Airespace-Wlan-Id = 3
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) Tunnel-Type:0 = VLAN
(3) Tunnel-Medium-Type:0 = IEEE-802
(3) Tunnel-Private-Group-Id:0 = "547"
(3) EAP-Message = 0x020500061900
(3) State = 0x03016e00b7ba0f346d696f996ec2a586
(3) Message-Authenticator = 0x98cabe8901eb9b85dccb9e16a30658c2
(3) Running section authorize from file /etc/raddb/sites-enabled/vpi
(3) authorize {
(3) wism-checks {
(3) if (Service-Type == "NAS-Prompt-User") {
(3) ...
(3) }
(3) } # wism-checks (notfound)
(3) preprocess (ok)
(3) uob_auth_log - EXPAND
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(3) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(3) uob_auth_log -
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
expands to /var/log/radius/radacct/vpi/auth-detail.log
(3) uob_auth_log - EXPAND %t
(3) uob_auth_log - --> Tue Mar 15 14:59:02 2016
(3) uob_auth_log (ok)
(3) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(3) ...
(3) }
(3) vpieap - Peer sent EAP Response (code 2) ID 5 length 6
(3) vpieap - Continuing tunnel setup
(3) vpieap (ok)
(3) } # authorize (ok)
(3) Using 'Auth-Type = vpieap' for authenticate {...}
(3) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(3) authenticate {
(3) vpieap - Peer sent packet with EAP method PEAP (25)
(3) vpieap - Calling submodule eap_peap to process data
(3) eap_peap - Continuing EAP-TLS
(3) eap_peap - Peer ACKed our handshake fragment
(3) eap_peap - [eap-tls verify] = request
(3) eap_peap - Sending final TLS record fragment (241 bytes)
(3) eap_peap - [eap-tls process] = handled
(3) vpieap - Sending EAP Request (code 1) ID 6 length 247
(3) vpieap (handled)
(3) } # authenticate (handled)
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(3) Sent Access-Challenge Id 159 from 137.222.8.134:16020 to
172.17.107.208:32770 via ens192 length 0
(3) EAP-Message =
0x010600f71900ebe0344cb4e5d4ac912e10789408d80c66f81fd27cddd89c4c4a4dc3ae440f0cc86f59ca46e8ff75376eb7910a0af3153626fe0cf81027c02f568b1e56e2656a4191c98103f0da0f1ff061a21c81756cc2aec65066916bda86078229a217c291a4cb982853454ddb46b5e54200d5fd06d4
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x04076e003ffa67036d696f996ec2a586
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 160 from 172.17.107.208:32770 to
137.222.8.134:16020 via ens192 length 449
(4) User-Name = "host/IT051252.users.bris.ac.uk"
(4) Chargeable-User-Identity = 0x00
(4) Location-Capable = Civix-Location
(4) Calling-Station-Id = "c4:85:08:a9:05:24"
(4) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(4) NAS-Port = 13
(4) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(4) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(4) NAS-IP-Address = 172.17.107.208
(4) NAS-Identifier = "wism8"
(4) Airespace-Wlan-Id = 3
(4) Service-Type = Framed-User
(4) Framed-MTU = 1300
(4) NAS-Port-Type = Wireless-802.11
(4) Tunnel-Type:0 = VLAN
(4) Tunnel-Medium-Type:0 = IEEE-802
(4) Tunnel-Private-Group-Id:0 = "547"
(4) EAP-Message =
0x020600901980000000861603010046100000424104647ecb7be9097a5ded8a15cad2f20782f73ac6dc656b780709999a57827e73a8fe8e6a1b0e84a16922438dc84d05ae35ea7a5ea9a0dde79187142978e52f2b8a14030100010116030100306891fee4d9c9dc571d75c0f76b02e5725a63f2d65a9a70
(4) State = 0x04076e003ffa67036d696f996ec2a586
(4) Message-Authenticator = 0x88fc7f16291a306da34adbcad2b075d8
(4) Running section authorize from file /etc/raddb/sites-enabled/vpi
(4) authorize {
(4) wism-checks {
(4) if (Service-Type == "NAS-Prompt-User") {
(4) ...
(4) }
(4) } # wism-checks (notfound)
(4) preprocess (ok)
(4) uob_auth_log - EXPAND
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(4) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(4) uob_auth_log -
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
expands to /var/log/radius/radacct/vpi/auth-detail.log
(4) uob_auth_log - EXPAND %t
(4) uob_auth_log - --> Tue Mar 15 14:59:02 2016
(4) uob_auth_log (ok)
(4) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(4) ...
(4) }
(4) vpieap - Peer sent EAP Response (code 2) ID 6 length 144
(4) vpieap - Continuing tunnel setup
(4) vpieap (ok)
(4) } # authorize (ok)
(4) Using 'Auth-Type = vpieap' for authenticate {...}
(4) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(4) authenticate {
(4) vpieap - Peer sent packet with EAP method PEAP (25)
(4) vpieap - Calling submodule eap_peap to process data
(4) eap_peap - Continuing EAP-TLS
(4) eap_peap - Peer indicated complete TLS record size will be 134
bytes
(4) eap_peap - Got complete TLS record, with length field (134 bytes)
(4) eap_peap - [eap-tls verify] = ok
(4) eap_peap - <<< recv handshake [length 70], client_key_exchange
(4) eap_peap - TLS Accept: SSLv3 read client key exchange A
(4) eap_peap - <<< recv change_cipher_spec [length 1]
(4) eap_peap - <<< recv handshake [length 16], finished
(4) eap_peap - TLS Accept: SSLv3 read finished A
(4) eap_peap - >>> send change_cipher_spec [length 1]
(4) eap_peap - TLS Accept: SSLv3 write change cipher spec A
(4) eap_peap - >>> send handshake [length 16], finished
(4) eap_peap - TLS Accept: SSLv3 write finished A
(4) eap_peap - TLS Accept: SSLv3 flush data
(4) eap_peap - SSL negotiation finished successfully
(4) eap_peap - TLS established with cipher suite:
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
(4) eap_peap - Sending complete TLS record (59 bytes)
(4) eap_peap - [eap-tls process] = handled
(4) vpieap - Sending EAP Request (code 1) ID 7 length 69
(4) vpieap (handled)
(4) } # authenticate (handled)
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(4) Sent Access-Challenge Id 160 from 137.222.8.134:16020 to
172.17.107.208:32770 via ens192 length 0
(4) EAP-Message =
0x0107004519800000003b14030100010116030100306fdc388f829843e06f869eeae13afdf94ba2efe759a91d60b7a147cb1663ee604ab474b08aaf072259723668fe0c447b
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x05016e00b7ba0f346d696f996ec2a586
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 161 from 172.17.107.208:32770 to
137.222.8.134:16020 via ens192 length 311
(5) User-Name = "host/IT051252.users.bris.ac.uk"
(5) Chargeable-User-Identity = 0x00
(5) Location-Capable = Civix-Location
(5) Calling-Station-Id = "c4:85:08:a9:05:24"
(5) Called-Station-Id = "88:f0:31:b2:be:70:Bristol-ManagedPCs"
(5) NAS-Port = 13
(5) Cisco-AVPair = "audit-session-id=ac116bd000015f4456e81e35"
(5) Acct-Session-Id = "56e81e35/c4:85:08:a9:05:24/87627"
(5) NAS-IP-Address = 172.17.107.208
(5) NAS-Identifier = "wism8"
(5) Airespace-Wlan-Id = 3
(5) Service-Type = Framed-User
(5) Framed-MTU = 1300
(5) NAS-Port-Type = Wireless-802.11
(5) Tunnel-Type:0 = VLAN
(5) Tunnel-Medium-Type:0 = IEEE-802
(5) Tunnel-Private-Group-Id:0 = "547"
(5) EAP-Message = 0x020700061900
(5) State = 0x05016e00b7ba0f346d696f996ec2a586
(5) Message-Authenticator = 0x96dc59cdbca6df009be0b9cbd5443481
(5) Running section authorize from file /etc/raddb/sites-enabled/vpi
(5) authorize {
(5) wism-checks {
(5) if (Service-Type == "NAS-Prompt-User") {
(5) ...
(5) }
(5) } # wism-checks (notfound)
(5) preprocess (ok)
(5) uob_auth_log - EXPAND
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
(5) uob_auth_log - --> /var/log/radius/radacct/vpi/auth-detail.log
(5) uob_auth_log -
/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
expands to /var/log/radius/radacct/vpi/auth-detail.log
(5) uob_auth_log - EXPAND %t
(5) uob_auth_log - --> Tue Mar 15 14:59:02 2016
(5) uob_auth_log (ok)
(5) if (User-Name !~ /^host\/.+\.bris(tol)?\.ac\.uk$/i) {
(5) ...
(5) }
(5) vpieap - Peer sent EAP Response (code 2) ID 7 length 6
(5) vpieap - Continuing tunnel setup
(5) vpieap (ok)
(5) } # authorize (ok)
(5) Using 'Auth-Type = vpieap' for authenticate {...}
(5) Running Auth-Type vpieap from file /etc/raddb/sites-enabled/vpi
(5) authenticate {
(5) vpieap - Peer sent packet with EAP method PEAP (25)
(5) vpieap - Calling submodule eap_peap to process data
(5) eap_peap - Continuing EAP-TLS
(5) eap_peap - Peer ACKed our handshake fragment. handshake is
finished
(5) eap_peap - [eap-tls verify] = success
(5) eap_peap - [eap-tls process] = success
(5) eap_peap - Session established. Decoding tunneled data
(5) eap_peap - PEAP state TUNNEL ESTABLISHED
(5) eap_peap - Sending complete TLS record (37 bytes)
(5) vpieap - Sending EAP Request (code 1) ID 8 length 47
(5) vpieap (handled)
(5) } # authenticate (handled)
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Running Post-Auth-Type Challenge from file /etc/raddb/sites-enabled/vpi
(5) Sent Access-Challenge Id 161 from 137.222.8.134:16020 to
172.17.107.208:32770 via ens192 length 0
(5) EAP-Message =
0x0108002f19800000002517030100205f34f3a684a6f8a6c27272a92b19c76ee8552b4ea7b442e2ff9d4c5027a36f41
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x06036e003ffa67036d696f996ec2a586
(5) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 156 with timestamp +3
(1) Cleaning up request packet ID 157 with timestamp +3
(2) Cleaning up request packet ID 158 with timestamp +3
(3) Cleaning up request packet ID 159 with timestamp +3
(4) Cleaning up request packet ID 160 with timestamp +3
(5) Cleaning up request packet ID 161 with timestamp +3
Ready to process requests
Ready to process requests
Signalled to terminate
Exiting normally
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session 0x2ab6bf0 did not finish! !!
!! See http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_sql (uobsql) - Removing connection pool
rlm_sql (uobsql) - Closing connection (0)
rlm_sql_mysql - Socket destructor called, closing socket
rlm_mschap (eduroammschap) - Removing connection pool
rlm_mschap (eduroammschap) - Closing connection (4)
rlm_mschap (eduroammschap) - Closing connection (3)
rlm_mschap (eduroammschap) - Closing connection (2)
rlm_mschap (eduroammschap) - Closing connection (1)
rlm_mschap (eduroammschap) - Closing connection (0)
rlm_sql (uobsql-write) - Removing connection pool
rlm_sql (uobsql-write) - Closing connection (0)
rlm_sql_mysql - Socket destructor called, closing socket
rlm_ldap (uobldap) - Removing connection pool
rlm_ldap (uobldap) - Closing connection (4)
rlm_ldap (uobldap) - Closing connection (3)
rlm_ldap (uobldap) - Closing connection (2)
rlm_ldap (uobldap) - Closing connection (1)
rlm_ldap (uobldap) - Closing connection (0)
--
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
8
21
18 Mar '16
I am using nlm_python plugin to trigger an out-of-band authentication and
get a result typically completed in about 20 seconds but should not time
out for two minutes.
When I run radtest and a duplicate request comes in I get
(0) Ignoring duplicate packet from client localhost port 32940 - ID: 2 due
to unfinished request in component authenticate module python
in the log. However, in an actual login attempt from a 3rd party system
configured to use this radius instance I often see a second authentication
attempt almost immediately started while the first is still in progress.
How can I prevent this?
I set idle timeouts in clients.conf and sites-available/default to 120.
What else is needed?
Thanks,
Jim
3
4
18 Mar '16
I'm working on setting up EAP-TLS so that the client (iPad) can be
issued a client cert and use it to authenticate with Radius. I need
some clarity on the process, particularly the roles of some of the
different files generated and how to use them.
1. in order to generate the root ca, first I edit ca.cnf.
It's straightforward except I don't understand the role of the "input"
password. The "output" password I understand is for the private key -
ca.key.
1.a. after editing ca.cnf, then i run make ca.pem. This uses openssl
to run req to generate a self-signed root ca. Four files are
generated:
--
---
Michael Martinez
http://www.michael--martinez.com
2
3
Hi,
I've been phasing in FR 3.0.11 on an Ubuntu 14.04 system with the default
version of samba (4.1.6) as one of our outward facing (ORPS) servers. The
intention is to migrate all of our 2.2.9 systems over to 3.0.11.
Up till now this servers main task has been to proxy eduroam visitor auths
to home institutions, but we do have a couple of monitoring systems
performing EAP based health checks against the server which authenticates
against our AD service using Samba. All this has been working fine.
Yesterday, after running a few more auth tests from inside and outside our
network using eapol_test, I reconfigured our inbound eduroam traffic (for
York users visiting external sites) to use this server instead of one of
our other 2.2.9 systems.
While most auths "just worked" what we also saw were a flurry of
The Samba 'panic action' script, /usr/share/samba/panic-action,
was called for PID 22827 (/usr/sbin/winbindd).
with corresponding auth failure messages within FR of the form
Thu Mar 17 09:03:40 2016 : Auth: (66912) Login OK: [gw791(a)york.ac.uk]
(from client roaming2.ja.net port 13 cli 54-E4-3A-1F-C7-8A via TLS tunnel)
Thu Mar 17 09:03:41 2016 : Auth: (66916) Login OK: [gw791(a)york.ac.uk] (from
client roaming2.ja.net port 13 cli 54-E4-3A-1F-C7-8A)
Thu Mar 17 09:03:41 2016 : ERROR: (66920) mschap: ERROR: Program returned
code (1) and output 'Account disabled (0xc0000072)'
Thu Mar 17 09:03:41 2016 : Auth: (66920) Login incorrect (mschap: No
NT-Domain was found in the User-Name): [erf504(a)york.ac.uk] (from client
roaming2.ja.net port 13 cli 00-26-B0-04-2B-8A via TLS tunnel)
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap: The users session was
previously rejected: returning reject (again.)
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap: This means you need to
read the PREVIOUS messages in the debug output
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap: to find out the reason
why the user was rejected
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap: Look for "reject" or
"fail". Those earlier messages will tell you
Thu Mar 17 09:03:42 2016 : Info: (66923) eap_peap: what went wrong, and
how to fix the problem
Thu Mar 17 09:03:42 2016 : Auth: (66923) Login incorrect (eap: Failed
continuing EAP PEAP (25) session. EAP sub-module failed): [
erf504(a)york.ac.uk] (from client roaming2.ja.net port 13 cli
00-26-B0-04-2B-8A)
Thu Mar 17 09:03:43 2016 : ERROR: (66928) mschap: ERROR: Program returned
code (1) and output 'Logon failure (0xc000006d)'
Thu Mar 17 09:03:43 2016 : Auth: (66928) Login incorrect (mschap: No
NT-Domain was found in the User-Name): [clh553(a)york.ac.uk] (from client
roaming2.ja.net port 13 cli A8-5B-78-74-D8-C9 via TLS tunnel)
As shown above, we do have successful york realm auths happening as well.
Before I start looking at this in more detail (additional samba logging) I
was wondering if anyone has seen these (samba) messages before. Haven't
touched the samba config, its whatever the default settings are.
Rgds
Alex
3
3
Hello,
I have freeradius authenticating users with a ldap backend. In my ldap
configuration I have:
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'sambaNTPassword'
control:LM-Password := 'sambaLMPassword'
...
}
in the site configuration I have:
authorize {
files
ldap
pap
}
authenticate {
Auth-Type PAP {
pap
}
}
With this configuration, I think that all authentications are done
using the password in windows format (the one I have in sambaNTPassword
and sambaLMPassword ldap attributes) instead of the "standard" unix
password stored in the userPassword attribute.
Is there any way to force the use the password in the userPassword
attribute instead of NT/LM one?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337
3
5
hi list
my freeradius version is 3.0.4
i have enabled ldap modules and the radius profile feature of it .
and i need to check the user is in the speacific Ldap-Group, and assign
the User-Profile which contain all radius Reply-Items in it .
so when my NAS try to authenticate , i can only see radius -X
responding :
(0) Sending Access-Accept packet to host 10.1.1.13 port 1812, id=96,
length=0
(0) User-Profile :=
'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com'
it was not going to print out what reply item the User-Profile contained.
and actually, i define the reply item as
Huawei-Exec-Privilege := "15"
it will give the highest admin right to the user belong to Group
Device_Superior to Operate the Device .
how can i debug the User-Profile?
1
4
Re: understanding the process of setting up eap-tls server/client certs
by Michael Martinez 17 Mar '16
by Michael Martinez 17 Mar '16
17 Mar '16
I'm working on setting up EAP-TLS so that the client (iPad) can be
issued a client cert and use it to authenticate with Radius. I need
some clarity on the process, particularly the roles of some of the
different files generated and how to use them.
1. in order to generate the root ca, first I edit ca.cnf.
It's straightforward except I don't understand the role of the "input"
password. The "output" password I understand is for the private key -
ca.key.
1.a. after editing ca.cnf, then i run make ca.pem. This uses openssl
to run req to generate a self-signed root ca. Four files are
generated:
* index: it's empty. I don't know what it's for
* serial.
*.ca.pem: the root ca
* ca.key: the private key for the root ca
1.b. in mods-enabled/eap, designate the location of the ca.pem file in
the "ca_file = " field
2. make the server certs.
2.a. edit server.cnf. Again, I don't know what the "input" password is
for. The output password I assume is the password for the private key.
2.b. make server.pem generates a bunch of files. I'm assuming the ones
we need are server.pem and server.key
2.c. in mods-enabled/eap do the following:
* private key password = <the "output password I set in server.cnf">
* "private key file = " the location of the newly generated server.key
* "certificate file = " <the location of the newly generated server.pem>
2.d. questions about the files generated by "make server.pem":
* what's server.crt? what's server.pem? when do I use one versus the other?
* 01.pem is identical to server.crt. why and where would I use
01.pem instead of server.crt?
3. Now make a client cert signed by the server cert.
3.a. edit client.cnf. Set "input" and "output" passwords to something
unique to the client? Or does one or both of these need to match the
password from the server cert??
3.b. make client.pem. This generates a bunch of files I'm assuming the
one we need to install the client is client.key (and client.pem?)
4. Now for the client. The README says we need to install ca.crt on
the client. I assume also the client.key needs to be put on the
client.
5. I'm using jradius to try to test this. In the "Keys" tab:
* Client Certificate file: I need to put client.key here
* Client Certificate password: the password that the private key
was encrypted with
* Root CA chain file: ca.crt
* Root CA chain password: the "output password" from ca.cnf
I'm sure I am bungling some of this. Any help is appreciated.
--
---
Michael Martinez
http://www.michael--martinez.com
1
0