Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2016
- 58 participants
- 72 discussions
Dear all.
Should I configure DNS service on the FreeRadius host When I Use chap
authentication method from my router.. please advice.
Thanks,
Mohammed Ejaz
Asst. Operation Director of Systems.
Cyberia SAUDI ARABIA
P.O.Box: 301079, Riyadh 11372
Phone: (+966) 11 464 7114 Ext. 140
Mobile: (+966) 562311787
Fax: (+966) 11 465 4735
Website: http://www.cyberia.net.sa
2
1
Thanks to a supporter who wants to remain anonymous, we now have a new EAP type in the server: EAP-FAST.
Please see the v3.1.x branch for details. The sample configuration is in raddb/mods-available/eap. Look for "fast".
It's been tested to work with wpa_supplicant, and multiple versions of Cisco hardware.
Thanks to the people at inverse.ca, we've also put in a minor fix for EAP-MSCHAPv2 which makes Cisco NEAT work.
Please report any issues here.
Alan DeKok.
2
2
Hi,
I want know if is it possible to create some rules on Freeradius for
make a 'double' authentification.
In my case, I want authorize acces network only if Machine AND user auth
are Ok, actually my machine auth fail but my user succed and he can
acces to network. I search but i dont find tutorial for implement this
restriction access, so if u have some tutorials or other link for help
:D
And now, this is my error on Machine AUTH:
I have freeradius-server 3.0.11
LDAP openldap-2.4.31
and Ubuntu Ubuntu 14.04.5 LTS
When I start my Client Windows7, I have this error:
eap_mschapv2: Auth-Type MS-CHAP {
Fri Aug 5 10:41:57 2016 : Debug: (38) eap_mschapv2:
modsingle[authenticate]: calling mschap (rlm_mschap) for request 38
Fri Aug 5 10:41:57 2016 : Debug: (38) mschap: Found NT-Password
Fri Aug 5 10:41:57 2016 : Debug: (38) mschap: Creating challenge hash
with username: host/TESTPC-THOMAS
Fri Aug 5 10:41:57 2016 : Debug: (38) mschap: Client is using MS-CHAPv2
Fri Aug 5 10:41:57 2016 : ERROR: (38) mschap: MS-CHAP2-Response is
incorrect
Fri Aug 5 10:41:57 2016 : Debug: (38) modsingle[authenticate]:
returned from mschap (rlm_mschap) for request 38
Fri Aug 5 10:41:57 2016 : Debug: (38) [mschap] = reject
Fri Aug 5 10:41:57 2016 : Debug: (38) } # Auth-Type MS-CHAP = reject
Thanks for ur help
Regards,
Thomas
3
5
06 Aug '16
>Brian Julin wrote:
> > Wussler, Doug wrote:
> > But now I am trying to add TLS Session Cache, which looks like an
> > under-appreciated and very cool capability.
> I jotted some notes on how we got it working here. Not quite sure if
>there
> have been tweaks since then, but give this a whir:
>
>http://lists.freeradius.org/pipermail/freeradius-users/2016-January/081595
>.html
Brian -
I¹m grateful for the effort you put into your reply. Indeed, you did
provide
the clue I needed. In my case all I needed to add was the ³Post-Auth-Type
Challenge²
clause to my outer tunnel. Looks like we now have fast-reconnect working!
Should
have a large impact here.
Perhaps there is something else I don¹t understand but it does not look
like ³use_tunneled_reply² in the eap module is really deprecated. I can¹t
get anything to work without that.
In any case, thank you very much. I appreciate your help.
Doug Wussler
Florida State University
3
2
04 Aug '16
I have been working on this for a couple of weeks, scouring the doc and
mail list.
I have experimented with so many different configurations I feel like I¹m
now chasing my tail.
I clearly lack the understanding of how these attributes are shuttled
between the inner
and outer tunnels as well as from TLS session cache to session-state cache.
First thing to know, I have PEAP-MSCHAPv2 working just fine, for a couple
of years now.
I have upgraded to v3.0.11, rebuilt the configs and got everything working
just great again.
But now I am trying to add TLS Session Cache, which looks like an
under-appreciated and very
cool capability.
In my inner-tunnel post-auth I successfully do this:
# Submit attributes to TLS Session Cache from inner post-auth
update reply {
&User-Name := "%{reply:User-Name}"
&Cached-Session-Policy += "%{reply:Service-Type}"
&Cached-Session-Policy += "%{reply:Tunnel-Medium-Type}"
&Cached-Session-Policy += "%{reply:Tunnel-Type}"
&Cached-Session-Policy += "%{reply:My-Local-employeeStatus}"
&Cached-Session-Policy += "%{reply:Tunnel-Private-Group-ID}"
}
In the following packet exchange I see this:
(9) eap_peap: caching User-Name := "dw10j"
(9) eap_peap: caching Stripped-User-Name = "dw10j"
(9) eap_peap: caching Cached-Session-Policy += "Framed-User"
(9) eap_peap: caching Cached-Session-Policy += "IEEE-802"
(9) eap_peap: caching Cached-Session-Policy += "VLAN"
(9) eap_peap: caching Cached-Session-Policy += "Active"
(9) eap_peap: caching Cached-Session-Policy += "employee3a"
and an Access-Accept is sent in reply (9).
If I now roam to a nearby access point, the TLS Session is resumed and we
see this:
(12) eap_peap: Adding cached attributes from session
d312f4c83df5f5b153ebd94b01549795be582dcbfe421e961aa038b062699143
(12) eap_peap: reply:User-Name := "dw10j"
(12) eap_peap: reply:Stripped-User-Name = "dw10j"
(12) eap_peap: reply:Cached-Session-Policy += "Framed-User"
(12) eap_peap: reply:Cached-Session-Policy += "IEEE-802"
(12) eap_peap: reply:Cached-Session-Policy += "VLAN"
(12) eap_peap: reply:Cached-Session-Policy += "Active"
(12) eap_peap: reply:Cached-Session-Policy += "employee3a"
(12) eap_peap: [eaptls process] = success
(12) eap_peap: Session established. Decoding tunneled attributes
(12) eap_peap: PEAP state TUNNEL ESTABLISHED
(12) eap_peap: Skipping Phase2 because of session resumption
(12) eap_peap: SUCCESS
But post-auth does not get called at this point so I am unclear on how to
restore these to
session-state (if that¹s what I¹m supposed to do).
And in the following packet exchange, where I receive an Access-Accept but
with
empty attributes, we see this:
(13) session-state: No cached attributes
An abridged log follows and I would be happy to provide full debug log if
that
is desired. But hopefully I am overlooking one of those obvious things
that
will make me feel foolish.
Alternatively, if you are using TLS Session Cache and have a full and
detailed
example, I would appreciate it if you could share that with me.
Doug Wussler
850.645.4201
Application Developer/Designer Core Network Team
Information Technology Services
RK Shaw Building
644 W. Call Street
Tallahassee, FL 32304
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : yes
regex-posix : no
regex-posix-extended : no
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : no
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.2h release
pcre : 8.32 2012-11-30
Endianness:
little
Compilation flags:
cppflags : -isystem /usr/local/include/openssl/
cflags : -I/downloads/freeradius-server-3.0.11
-I/downloads/freeradius-server-3.0.11/src -include
/downloads/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h
-include /downloads/freeradius-server-3.0.11/src/freeradius-devel/build.h
-include
/downloads/freeradius-server-3.0.11/src/freeradius-devel/features.h
-include
/downloads/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h
-fno-strict-aliasing -Werror -g -O2 -Wall -std=c99 -D_GNU_SOURCE
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG
-DIS_MODULE=1
ldflags : -L/usr/local/lib64 -Wl,-rpath,/usr/local/lib64
libs : -lcrypto -lssl -ltalloc -lpcre -lcap -lnsl -lresolv -ldl
-lpthread -lreadline
.....
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
Debugger not attached
# Creating Auth-Type = LDAP
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = FSU-PAP
# Creating Auth-Type = EAP
# Creating Autz-Type = Status-Server
# Loaded module rlm_eap
# Loading module "fsu-eap" from file
/usr/local/etc/raddb/mods-enabled/fsu-eap
eap fsu-eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
# Instantiating module "fsu-eap" from file
/usr/local/etc/raddb/mods-enabled/fsu-eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh_2048.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "HIGH +SHA !aNULL !eNULL !LOW !3DES !SSLv2 !MD5 !EXP
!DSS !PSK !SRP !CAMELLIA"
ecdh_curve = "prime256v1"
disable_tlsv1_2 = no
cache {
enable = yes
lifetime = 4
max_entries = 8000
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "fsu-peap-inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
identity = "Auth0_eap_mschapv2"
}
...
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server fsu-peap-1814 { # from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server fsu-peap-1814
server fsu-peap-inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server fsu-peap-inner-tunnel
listen {
type = "auth"
ipv4addr = *
port = 1814
}
listen {
type = "acct"
ipv4addr = *
port = 1815
}
Listening on auth address * port 1814 bound to server fsu-peap-1814
Listening on acct address * port 1815 bound to server fsu-peap-1814
...
Ready to process requests
(0) Received Access-Request Id 34 from 128.186.255.238:42749 to
128.186.255.220:1814 length 217
(0) User-Name = "dw10j"
(0) NAS-IP-Address = 128.186.255.200
(0) NAS-Port = 0
(0) NAS-Identifier = "128.186.255.238"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "B8E856A8659B"
(0) Called-Station-Id = "001A1E0083D8"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x0201000a01647731306a
(0) Aruba-Essid-Name = "FSUCorex"
(0) Aruba-Location-Id = "wg-a105-132-rm.rsb.wireless.fsu.edu"
(0) Aruba-AP-Group = "Shaw"
(0) Aruba-Device-Type = "iPhone"
(0) Message-Authenticator = 0x30af9933cb00e5d441604b11b36b0f0a
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(0) authorize {
(0) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(0) EXPAND %{request:User-Name}
(0) --> dw10j
(0) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(0) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(0) EXPAND %{request:User-Name}
(0) --> dw10j
(0) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(0) [ntdomain] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(0) suffix: Found realm "NULL"
(0) suffix: Adding Stripped-User-Name = "dw10j"
(0) suffix: Adding Realm = "NULL"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 10
(0) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0) [fsu-eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = fsu-eap
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(0) Auth-Type fsu-eap {
(0) fsu-eap: Peer sent packet with method EAP Identity (1)
(0) fsu-eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(0) fsu-eap: EAP session adding &reply:State = 0x860fee2e860df726
(0) [fsu-eap] = handled
(0) } # Auth-Type fsu-eap = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(0) Sent Access-Challenge Id 34 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(0) EAP-Message = 0x010200061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x860fee2e860df726c6e8c1b1cbfeb884
(0) Finished request
Waking up in 1.9 seconds.
...
Waking up in 1.8 seconds.
(8) Received Access-Request Id 42 from 128.186.255.238:42749 to
128.186.255.220:1814 length 268
(8) Found Auth-Type = fsu-eap
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0x84bad54285b3cfdb
(8) fsu-eap: Finished EAP session with state 0x84bad54285b3cfdb
(8) fsu-eap: Previous EAP request found for state 0x84bad54285b3cfdb,
released from the list
(8) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) fsu-eap: Calling submodule eap_mschapv2 to process data
(8) fsu-eap: Sending EAP Success (code 3) ID 9 length 4
(8) fsu-eap: Freeing handler
(8) [fsu-eap] = ok
(8) } # Auth-Type fsu-eap = ok
(8) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) post-auth {
(8) update {
(8) &outer.session-state:User-Name += &reply:User-Name[*] ->
'dw10j'
(8) &outer.session-state:Service-Type += &reply:Service-Type[*] ->
Framed-User
(8) &outer.session-state:Tunnel-Medium-Type +=
&reply:Tunnel-Medium-Type[*] -> IEEE-802
(8) &outer.session-state:Tunnel-Type += &reply:Tunnel-Type[*] ->
VLAN
(8) &outer.session-state:My-Local-employeeStatus +=
&reply:My-Local-employeeStatus[*] -> 'Active'
(8) &outer.session-state:Tunnel-Private-Group-Id +=
&reply:Tunnel-Private-Group-Id[*] -> 'employee3a'
(8) &outer.session-state:My-Local-ntPassword +=
&reply:My-Local-ntPassword[*] -> 'ACC1E2ED4455527965628BF7A008B062'
(8) &outer.session-state:MS-MPPE-Encryption-Policy +=
&reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed
(8) &outer.session-state:MS-MPPE-Encryption-Types +=
&reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed
(8) &outer.session-state:MS-MPPE-Send-Key +=
&reply:MS-MPPE-Send-Key[*] -> 0xf2f40d2c99a86338ec77abd87f6bc004
(8) &outer.session-state:MS-MPPE-Recv-Key +=
&reply:MS-MPPE-Recv-Key[*] -> 0xd0c82e1f94537f44e3290ed225405e8c
(8) &outer.session-state:EAP-Message += &reply:EAP-Message[*] ->
0x03090004
(8) &outer.session-state:Message-Authenticator +=
&reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(8) } # update = noop
(8) update outer.session-state {
(8) MS-MPPE-Encryption-Policy !* ANY
(8) MS-MPPE-Encryption-Types !* ANY
(8) MS-MPPE-Send-Key !* ANY
(8) MS-MPPE-Recv-Key !* ANY
(8) Message-Authenticator !* ANY
(8) EAP-Message !* ANY
(8) Proxy-State !* ANY
(8) } # update outer.session-state = noop
(8) update reply {
(8) EXPAND %{reply:User-Name}
(8) --> dw10j
(8) &User-Name := dw10j
(8) EXPAND %{reply:Service-Type}
(8) --> Framed-User
(8) &Cached-Session-Policy += Framed-User
(8) EXPAND %{reply:Tunnel-Medium-Type}
(8) --> IEEE-802
(8) &Cached-Session-Policy += IEEE-802
(8) EXPAND %{reply:Tunnel-Type}
(8) --> VLAN
(8) &Cached-Session-Policy += VLAN
(8) EXPAND %{reply:My-Local-employeeStatus}
(8) --> Active
(8) &Cached-Session-Policy += Active
(8) EXPAND %{reply:Tunnel-Private-Group-ID}
(8) --> employee3a
(8) &Cached-Session-Policy += employee3a
(8) } # update reply = noop
(8) if ( reply:My-Local-fsuEduWINStatus ) {
(8) if ( reply:My-Local-fsuEduWINStatus ) -> FALSE
(8) } # post-auth = noop
(8) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group}
%{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus}
(8) -->
(8) Login OK: [dw10j] (from client CamL8 port 0 via TLS tunnel)
(8) } # server fsu-peap-inner-tunnel
(8) Virtual server sending reply
(8) User-Name := "dw10j"
(8) Service-Type = Framed-User
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Type = VLAN
(8) My-Local-employeeStatus = "Active"
(8) Tunnel-Private-Group-Id = "employee3a"
(8) My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004
(8) MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c
(8) EAP-Message = 0x03090004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) Cached-Session-Policy += "Framed-User"
(8) Cached-Session-Policy += "IEEE-802"
(8) Cached-Session-Policy += "VLAN"
(8) Cached-Session-Policy += "Active"
(8) Cached-Session-Policy += "employee3a"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: User-Name := "dw10j"
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: My-Local-employeeStatus = "Active"
(8) eap_peap: Tunnel-Private-Group-Id = "employee3a"
(8) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004
(8) eap_peap: MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c
(8) eap_peap: EAP-Message = 0x03090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Cached-Session-Policy += "Framed-User"
(8) eap_peap: Cached-Session-Policy += "IEEE-802"
(8) eap_peap: Cached-Session-Policy += "VLAN"
(8) eap_peap: Cached-Session-Policy += "Active"
(8) eap_peap: Cached-Session-Policy += "employee3a"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: User-Name := "dw10j"
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: My-Local-employeeStatus = "Active"
(8) eap_peap: Tunnel-Private-Group-Id = "employee3a"
(8) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004
(8) eap_peap: MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c
(8) eap_peap: EAP-Message = 0x03090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Cached-Session-Policy += "Framed-User"
(8) eap_peap: Cached-Session-Policy += "IEEE-802"
(8) eap_peap: Cached-Session-Policy += "VLAN"
(8) eap_peap: Cached-Session-Policy += "Active"
(8) eap_peap: Cached-Session-Policy += "employee3a"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) fsu-eap: Sending EAP Request (code 1) ID 10 length 43
(8) fsu-eap: EAP session adding &reply:State = 0x860fee2e8e05f726
(8) [fsu-eap] = handled
(8) } # Auth-Type fsu-eap = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(8) session-state: Saving cached attributes
(8) User-Name += "dw10j"
(8) Service-Type += Framed-User
(8) Tunnel-Medium-Type += IEEE-802
(8) Tunnel-Type += VLAN
(8) My-Local-employeeStatus += "Active"
(8) Tunnel-Private-Group-Id += "employee3a"
(8) My-Local-ntPassword += "ACC1E2ED4455527965628BF7A008B062"
(8) Sent Access-Challenge Id 42 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(8) EAP-Message =
0x010a002b19001703010020fcb7e3cf0b673c79ef41a11a56c8da40ab1ca7cfc3a07914a18
31032d774a6dd
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x860fee2e8e05f726c6e8c1b1cbfeb884
(8) Finished request
Waking up in 1.8 seconds.
(9) Received Access-Request Id 43 from 128.186.255.238:42749 to
128.186.255.220:1814 length 268
(9) User-Name = "dw10j"
(9) NAS-IP-Address = 128.186.255.200
(9) NAS-Port = 0
(9) NAS-Identifier = "128.186.255.238"
(9) NAS-Port-Type = Wireless-802.11
(9) Calling-Station-Id = "B8E856A8659B"
(9) Called-Station-Id = "001A1E0083D8"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1100
(9) EAP-Message =
0x020a002b1900170301002086df2a56026c1d4d64621307316b04234d9a15d5fdab11424c3
edfb9f41f5e7c
(9) State = 0x860fee2e8e05f726c6e8c1b1cbfeb884
(9) Aruba-Essid-Name = "FSUCorex"
(9) Aruba-Location-Id = "wg-a105-132-rm.rsb.wireless.fsu.edu"
(9) Aruba-AP-Group = "Shaw"
(9) Aruba-Device-Type = "iPhone"
(9) Message-Authenticator = 0x6329c315d037919dc588d0b2ead70f15
(9) Restoring &session-state
(9) &session-state:User-Name += "dw10j"
(9) &session-state:Service-Type += Framed-User
(9) &session-state:Tunnel-Medium-Type += IEEE-802
(9) &session-state:Tunnel-Type += VLAN
(9) &session-state:My-Local-employeeStatus += "Active"
(9) &session-state:Tunnel-Private-Group-Id += "employee3a"
(9) &session-state:My-Local-ntPassword +=
"ACC1E2ED4455527965628BF7A008B062"
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(9) authorize {
(9) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(9) EXPAND %{request:User-Name}
(9) --> dw10j
(9) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(9) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(9) EXPAND %{request:User-Name}
(9) --> dw10j
(9) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(9) [ntdomain] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "dw10j"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) fsu-eap: Peer sent EAP Response (code 2) ID 10 length 43
(9) fsu-eap: Continuing tunnel setup
(9) [fsu-eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = fsu-eap
(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(9) Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0x860fee2e8e05f726
(9) fsu-eap: Finished EAP session with state 0x860fee2e8e05f726
(9) fsu-eap: Previous EAP request found for state 0x860fee2e8e05f726,
released from the list
(9) fsu-eap: Peer sent packet with method EAP PEAP (25)
(9) fsu-eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap: User-Name := "dw10j"
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: Tunnel-Medium-Type = IEEE-802
(9) eap_peap: Tunnel-Type = VLAN
(9) eap_peap: My-Local-employeeStatus = "Active"
(9) eap_peap: Tunnel-Private-Group-Id = "employee3a"
(9) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(9) eap_peap: Cached-Session-Policy += "Framed-User"
(9) eap_peap: Cached-Session-Policy += "IEEE-802"
(9) eap_peap: Cached-Session-Policy += "VLAN"
(9) eap_peap: Cached-Session-Policy += "Active"
(9) eap_peap: Cached-Session-Policy += "employee3a"
(9) eap_peap: caching User-Name := "dw10j"
(9) eap_peap: caching Stripped-User-Name = "dw10j"
(9) eap_peap: caching Cached-Session-Policy += "Framed-User"
(9) eap_peap: caching Cached-Session-Policy += "IEEE-802"
(9) eap_peap: caching Cached-Session-Policy += "VLAN"
(9) eap_peap: caching Cached-Session-Policy += "Active"
(9) eap_peap: caching Cached-Session-Policy += "employee3a"
(9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session
will not be cached on disk.
(9) fsu-eap: Sending EAP Success (code 3) ID 10 length 4
(9) fsu-eap: Freeing handler
(9) [fsu-eap] = ok
(9) } # Auth-Type fsu-eap = ok
(9) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(9) post-auth {
(9) if ( session-state: ) {
(9) if ( session-state: ) -> TRUE
(9) if ( session-state: ) {
(9) update {
(9) &reply::User-Name += &session-state:User-Name[*] -> 'dw10j'
(9) &reply::Service-Type += &session-state:Service-Type[*] ->
Framed-User
(9) &reply::Tunnel-Medium-Type +=
&session-state:Tunnel-Medium-Type[*] -> IEEE-802
(9) &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN
(9) &reply::My-Local-employeeStatus +=
&session-state:My-Local-employeeStatus[*] -> 'Active'
(9) &reply::Tunnel-Private-Group-Id +=
&session-state:Tunnel-Private-Group-Id[*] -> 'employee3a'
(9) &reply::My-Local-ntPassword +=
&session-state:My-Local-ntPassword[*] -> 'ACC1E2ED4455527965628BF7A008B062'
(9) } # update = noop
(9) } # if ( session-state: ) = noop
(9) ... skipping else for request 9: Preceding "if" was taken
(9) } # post-auth = noop
(9) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group}
%{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus}
(9) --> FSUCorex wg-a105-132-rm.rsb.wireless.fsu.edu Shaw iPhone
(9) Login OK: [dw10j] (from client CamL8 port 0 cli B8E856A8659B) FSUCorex
wg-a105-132-rm.rsb.wireless.fsu.edu Shaw iPhone
(9) Sent Access-Accept Id 43 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(9) User-Name := "dw10j"
(9) Service-Type = Framed-User
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Type = VLAN
(9) Tunnel-Private-Group-Id = "employee3a"
(9) MS-MPPE-Recv-Key =
0xa5f4fcb1629a45eac5bd6b0f3679985c288a81021062c7a903807ebfb65d2d9f
(9) MS-MPPE-Send-Key =
0xee4e988ac836c3cd0df97edf5aa006c77b98328e12e93f325f36c1ef3957f500
(9) EAP-Message = 0x030a0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name += "dw10j"
(9) Service-Type += Framed-User
(9) Tunnel-Medium-Type += IEEE-802
(9) Tunnel-Type += VLAN
(9) Tunnel-Private-Group-Id += "employee3a"
(9) Finished request
Waking up in 1.8 seconds.
(0) Cleaning up request packet ID 34 with timestamp +18
(1) Cleaning up request packet ID 35 with timestamp +18
(2) Cleaning up request packet ID 36 with timestamp +18
(3) Cleaning up request packet ID 37 with timestamp +19
(4) Cleaning up request packet ID 38 with timestamp +19
(5) Cleaning up request packet ID 39 with timestamp +19
(6) Cleaning up request packet ID 40 with timestamp +19
(7) Cleaning up request packet ID 41 with timestamp +19
(8) Cleaning up request packet ID 42 with timestamp +19
(9) Cleaning up request packet ID 43 with timestamp +19
Ready to process requests
(10) Received Access-Request Id 44 from 128.186.255.238:42749 to
128.186.255.220:1814 length 218
(10) User-Name = "dw10j"
(10) NAS-IP-Address = 128.186.255.200
(10) NAS-Port = 0
(10) NAS-Identifier = "128.186.255.238"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "B8E856A8659B"
(10) Called-Station-Id = "001A1E0083D8"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message = 0x0201000a01647731306a
(10) Aruba-Essid-Name = "FSUCorex"
(10) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(10) Aruba-AP-Group = "Shaw"
(10) Aruba-Device-Type = "iPhone"
(10) Message-Authenticator = 0xf08aac88e0af79de1be8bebee816ab7f
(10) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(10) authorize {
(10) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(10) EXPAND %{request:User-Name}
(10) --> dw10j
(10) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(10) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(10) EXPAND %{request:User-Name}
(10) --> dw10j
(10) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(10) [ntdomain] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(10) suffix: Found realm "NULL"
(10) suffix: Adding Stripped-User-Name = "dw10j"
(10) suffix: Adding Realm = "NULL"
(10) suffix: Authentication realm is LOCAL
(10) [suffix] = ok
(10) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 10
(10) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(10) [fsu-eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = fsu-eap
(10) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(10) Auth-Type fsu-eap {
(10) fsu-eap: Peer sent packet with method EAP Identity (1)
(10) fsu-eap: Calling submodule eap_peap to process data
(10) eap_peap: Initiating new EAP-TLS session
(10) eap_peap: [eaptls start] = request
(10) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(10) fsu-eap: EAP session adding &reply:State = 0xc30d1631c30f0f80
(10) [fsu-eap] = handled
(10) } # Auth-Type fsu-eap = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(10) Sent Access-Challenge Id 44 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(10) EAP-Message = 0x010200061920
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xc30d1631c30f0f80b3424d0b1e3d666b
(10) Finished request
Waking up in 1.9 seconds.
(11) Received Access-Request Id 45 from 128.186.255.238:42749 to
128.186.255.220:1814 length 389
(11) User-Name = "dw10j"
(11) NAS-IP-Address = 128.186.255.200
(11) NAS-Port = 0
(11) NAS-Identifier = "128.186.255.238"
(11) NAS-Port-Type = Wireless-802.11
(11) Calling-Station-Id = "B8E856A8659B"
(11) Called-Station-Id = "001A1E0083D8"
(11) Service-Type = Framed-User
(11) Framed-MTU = 1100
(11) EAP-Message =
0x020200a3198000000099160301009401000090030157a39502c59a38ab42d28fa5c8b5861
fdcbe1af0ccc1e17f9675b4a1ef41e00020d312f4c83df5f5b153ebd94b01549795be582dcb
fe421e961aa038b062699143002800ffc024c023c00ac009c008c028c027c014c013c012003
d003c0035002f00
(11) State = 0xc30d1631c30f0f80b3424d0b1e3d666b
(11) Aruba-Essid-Name = "FSUCorex"
(11) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(11) Aruba-AP-Group = "Shaw"
(11) Aruba-Device-Type = "iPhone"
(11) Message-Authenticator = 0x4d3755f8101bb6b8f55764f42c817b4f
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(11) authorize {
(11) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(11) EXPAND %{request:User-Name}
(11) --> dw10j
(11) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(11) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(11) EXPAND %{request:User-Name}
(11) --> dw10j
(11) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(11) ntdomain: Checking for prefix before "\"
(11) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(11) [ntdomain] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(11) suffix: Found realm "NULL"
(11) suffix: Adding Stripped-User-Name = "dw10j"
(11) suffix: Adding Realm = "NULL"
(11) suffix: Authentication realm is LOCAL
(11) [suffix] = ok
(11) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 163
(11) fsu-eap: Continuing tunnel setup
(11) [fsu-eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = fsu-eap
(11) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(11) Auth-Type fsu-eap {
(11) fsu-eap: Expiring EAP session with state 0xc30d1631c30f0f80
(11) fsu-eap: Finished EAP session with state 0xc30d1631c30f0f80
(11) fsu-eap: Previous EAP request found for state 0xc30d1631c30f0f80,
released from the list
(11) fsu-eap: Peer sent packet with method EAP PEAP (25)
(11) fsu-eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(11) eap_peap: Got complete TLS record (153 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: (other): before/accept initialization
(11) eap_peap: TLS_accept: before/accept initialization
(11) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(11) eap_peap: TLS_accept: SSLv3 read client hello A
(11) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(11) eap_peap: TLS_accept: SSLv3 write server hello A
(11) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(11) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(11) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(11) eap_peap: TLS_accept: SSLv3 write finished A
(11) eap_peap: TLS_accept: SSLv3 flush data
(11) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(11) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(11) eap_peap: In SSL Handshake Phase
(11) eap_peap: In SSL Accept mode
(11) eap_peap: [eaptls process] = handled
(11) fsu-eap: Sending EAP Request (code 1) ID 3 length 159
(11) fsu-eap: EAP session adding &reply:State = 0xc30d1631c20e0f80
(11) [fsu-eap] = handled
(11) } # Auth-Type fsu-eap = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(11) Sent Access-Challenge Id 45 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(11) EAP-Message =
0x0103009f1900160301005902000055030129bbd8008ef3e12c96959f1bcddc130398122f5
f2b02f6b72aaaff3583113a4820d312f4c83df5f5b153ebd94b01549795be582dcbfe421e96
1aa038b062699143c01400000dff01000100000b00040300010214030100010116030100307
238d01320b761c4
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0xc30d1631c20e0f80b3424d0b1e3d666b
(11) Finished request
Waking up in 1.9 seconds.
(12) Received Access-Request Id 46 from 128.186.255.238:42749 to
128.186.255.220:1814 length 295
(12) User-Name = "dw10j"
(12) NAS-IP-Address = 128.186.255.200
(12) NAS-Port = 0
(12) NAS-Identifier = "128.186.255.238"
(12) NAS-Port-Type = Wireless-802.11
(12) Calling-Station-Id = "B8E856A8659B"
(12) Called-Station-Id = "001A1E0083D8"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1100
(12) EAP-Message =
0x0203004519800000003b140301000101160301003078e68035b28baddc37a4ae1ad3fcbac
78d41648d3e1b500df0e77a08857d914def1313c303457658d9ddfbe32b37eca9
(12) State = 0xc30d1631c20e0f80b3424d0b1e3d666b
(12) Aruba-Essid-Name = "FSUCorex"
(12) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(12) Aruba-AP-Group = "Shaw"
(12) Aruba-Device-Type = "iPhone"
(12) Message-Authenticator = 0xd9f5fa6fcd2d1e9ca612adc0a40aafae
(12) session-state: No cached attributes
(12) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(12) authorize {
(12) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(12) EXPAND %{request:User-Name}
(12) --> dw10j
(12) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(12) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(12) EXPAND %{request:User-Name}
(12) --> dw10j
(12) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(12) ntdomain: Checking for prefix before "\"
(12) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(12) [ntdomain] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(12) suffix: Found realm "NULL"
(12) suffix: Adding Stripped-User-Name = "dw10j"
(12) suffix: Adding Realm = "NULL"
(12) suffix: Authentication realm is LOCAL
(12) [suffix] = ok
(12) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 69
(12) fsu-eap: Continuing tunnel setup
(12) [fsu-eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = fsu-eap
(12) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(12) Auth-Type fsu-eap {
(12) fsu-eap: Expiring EAP session with state 0xc30d1631c20e0f80
(12) fsu-eap: Finished EAP session with state 0xc30d1631c20e0f80
(12) fsu-eap: Previous EAP request found for state 0xc30d1631c20e0f80,
released from the list
(12) fsu-eap: Peer sent packet with method EAP PEAP (25)
(12) fsu-eap: Calling submodule eap_peap to process data
(12) eap_peap: Continuing EAP-TLS
(12) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(12) eap_peap: Got complete TLS record (59 bytes)
(12) eap_peap: [eaptls verify] = length included
(12) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(12) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(12) eap_peap: TLS_accept: SSLv3 read finished A
(12) eap_peap: (other): SSL negotiation finished successfully
(12) eap_peap: SSL Connection Established
(12) eap_peap: SSL Application Data
(12) eap_peap: Adding cached attributes from session
d312f4c83df5f5b153ebd94b01549795be582dcbfe421e961aa038b062699143
(12) eap_peap: reply:User-Name := "dw10j"
(12) eap_peap: reply:Stripped-User-Name = "dw10j"
(12) eap_peap: reply:Cached-Session-Policy += "Framed-User"
(12) eap_peap: reply:Cached-Session-Policy += "IEEE-802"
(12) eap_peap: reply:Cached-Session-Policy += "VLAN"
(12) eap_peap: reply:Cached-Session-Policy += "Active"
(12) eap_peap: reply:Cached-Session-Policy += "employee3a"
(12) eap_peap: [eaptls process] = success
(12) eap_peap: Session established. Decoding tunneled attributes
(12) eap_peap: PEAP state TUNNEL ESTABLISHED
(12) eap_peap: Skipping Phase2 because of session resumption
(12) eap_peap: SUCCESS
(12) fsu-eap: Sending EAP Request (code 1) ID 4 length 43
(12) fsu-eap: EAP session adding &reply:State = 0xc30d1631c1090f80
(12) [fsu-eap] = handled
(12) } # Auth-Type fsu-eap = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(12) Sent Access-Challenge Id 46 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(12) User-Name := "dw10j"
(12) EAP-Message =
0x0104002b19001703010020cbea953c76c41ac5cfe03c22a45b0f054910572036b7e27adae
89ef58f4ae2fc
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xc30d1631c1090f80b3424d0b1e3d666b
(12) Finished request
Waking up in 1.9 seconds.
(13) Received Access-Request Id 47 from 128.186.255.238:42749 to
128.186.255.220:1814 length 269
(13) User-Name = "dw10j"
(13) NAS-IP-Address = 128.186.255.200
(13) NAS-Port = 0
(13) NAS-Identifier = "128.186.255.238"
(13) NAS-Port-Type = Wireless-802.11
(13) Calling-Station-Id = "B8E856A8659B"
(13) Called-Station-Id = "001A1E0083D8"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1100
(13) EAP-Message =
0x0204002b19001703010020a351cf90095e7f532aa2a78ecca7a5846b67b9da57246ba6392
7838b473545ed
(13) State = 0xc30d1631c1090f80b3424d0b1e3d666b
(13) Aruba-Essid-Name = "FSUCorex"
(13) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(13) Aruba-AP-Group = "Shaw"
(13) Aruba-Device-Type = "iPhone"
(13) Message-Authenticator = 0x26247fed677e752473789854799c9ac0
(13) session-state: No cached attributes
(13) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(13) authorize {
(13) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(13) EXPAND %{request:User-Name}
(13) --> dw10j
(13) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(13) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(13) EXPAND %{request:User-Name}
(13) --> dw10j
(13) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(13) ntdomain: Checking for prefix before "\"
(13) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(13) [ntdomain] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(13) suffix: Found realm "NULL"
(13) suffix: Adding Stripped-User-Name = "dw10j"
(13) suffix: Adding Realm = "NULL"
(13) suffix: Authentication realm is LOCAL
(13) [suffix] = ok
(13) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 43
(13) fsu-eap: Continuing tunnel setup
(13) [fsu-eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = fsu-eap
(13) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(13) Auth-Type fsu-eap {
(13) fsu-eap: Expiring EAP session with state 0xc30d1631c1090f80
(13) fsu-eap: Finished EAP session with state 0xc30d1631c1090f80
(13) fsu-eap: Previous EAP request found for state 0xc30d1631c1090f80,
released from the list
(13) fsu-eap: Peer sent packet with method EAP PEAP (25)
(13) fsu-eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: [eaptls verify] = ok
(13) eap_peap: Done initial handshake
(13) eap_peap: [eaptls process] = ok
(13) eap_peap: Session established. Decoding tunneled attributes
(13) eap_peap: PEAP state send tlv success
(13) eap_peap: Received EAP-TLV response
(13) eap_peap: Success
(13) eap_peap: No saved attributes in the original Access-Accept
(13) fsu-eap: Sending EAP Success (code 3) ID 4 length 4
(13) fsu-eap: Freeing handler
(13) [fsu-eap] = ok
(13) } # Auth-Type fsu-eap = ok
(13) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(13) post-auth {
(13) if ( session-state: ) {
(13) if ( session-state: ) -> FALSE
(13) else {
(13) update reply {
(13) EXPAND %{reply:User-Name}
(13) -->
(13) &User-Name :=
(13) &Reply-Message += "This is from outer-post-auth"
(13) EXPAND %{reply:Cached-Session-Policy[0]}
(13) -->
(13) &Service-Type := 0
(13) EXPAND %{reply:Cached-Session-Policy[1]}
(13) -->
(13) &Tunnel-Medium-Type := 0
(13) EXPAND %{reply:Cached-Session-Policy[2]}
(13) -->
(13) &Tunnel-Type := 0
(13) EXPAND %{reply:Cached-Session-Policy[3]}
(13) -->
(13) &My-Local-employeeStatus :=
(13) EXPAND %{reply:Cached-Session-Policy[4]}
(13) -->
(13) &Tunnel-Private-Group-ID :=
(13) } # update reply = noop
(13) } # else = noop
(13) } # post-auth = noop
(13) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group}
%{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus}
(13) --> FSUCorex wg-a105-136-hrm.rsb.wireless.fsu.edu Shaw iPhone
(13) Login OK: [dw10j] (from client CamL8 port 0 cli B8E856A8659B)
FSUCorex wg-a105-136-hrm.rsb.wireless.fsu.edu Shaw iPhone
(13) Sent Access-Accept Id 47 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(13) MS-MPPE-Recv-Key =
0xd4642af1af234bbe423648b840dd1159c886031d2b8a3815366c6f99cc8328ab
(13) MS-MPPE-Send-Key =
0x92ae704edf421546f722959cde45b4adc7098784763b3c331a164a5170a823a5
(13) EAP-Message = 0x03040004
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) User-Name := ""
(13) Reply-Message += "This is from outer-post-auth"
(13) Service-Type := 0
(13) Tunnel-Medium-Type := 0
(13) Tunnel-Type := 0
(13) Tunnel-Private-Group-Id := ""
(13) Finished request
Waking up in 1.9 seconds.
(10) Cleaning up request packet ID 44 with timestamp +45
(11) Cleaning up request packet ID 45 with timestamp +45
(12) Cleaning up request packet ID 46 with timestamp +45
(13) Cleaning up request packet ID 47 with timestamp +45
2
1
04 Aug '16
Hey there,
I have a home server which only supports pap. FreeRADIUS were configured to establish eap-ttls-pap and then proxy the inner request to my home server. Although It configured to use pap but it doesn’t send user clear-text-password to my home server. Here is the output of freeradius -X:
oot@eduroam:/etc/freeradius# freeradius -X
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : no
regex-posix : yes
regex-posix-extended : yes
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : no
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.1f release
Endianness:
little
Compilation flags:
cppflags : -D_FORTIFY_SOURCE=2
cflags : -I/build/freeradius-8d5m9K/freeradius-3.0.11 -I/build/freeradius-8d5m9K/freeradius-3.0.11/src -include /build/freeradius-8d5m9K/freeradius-3.0.11/src/freeradius-devel/autoconf.h -include /build/freeradius-8d5m9K/freeradius-3.0.11/src/freeradius-devel/build.h -include /build/freeradius-8d5m9K/freeradius-3.0.11/src/freeradius-devel/features.h -include /build/freeradius-8d5m9K/freeradius-3.0.11/src/freeradius-devel/radpaths.h -fno-strict-aliasing -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O2 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
ldflags : -Wl,-Bsymbolic-functions -Wl,-z,relro
libs : -lcrypto -lssl -ltalloc -lcap -lnsl -lresolv -ldl -lpthread -lreadline
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/logintime
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/debug
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/proxy-inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server ut-ibsng {
ipaddr = 172.16.16.29
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool utpool {
home_server = ut-ibsng
}
realm ut {
auth_pool = utpool
nostrip
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client mehran {
ipaddr = 2.180.36.206
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client radsecproxy {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = PAP
# Creating Auth-Type = eap
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
instantiate {
}
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
ca_file = "/etc/freeradius/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "PAP"
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "proxy-inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server proxy-inner-tunnel { # from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-proxy {...}
} # server proxy-inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1820
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 1821
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 1820
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 1821
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1820 bound to server default
Listening on acct address * port 1821 bound to server default
Listening on auth address :: port 1820 bound to server default
Listening on acct address :: port 1821 bound to server default
Listening on proxy address * port 46929
Listening on proxy address :: port 43664
Ready to process requests
And here is access-request:
Received Access-Request Id 78 from 127.0.0.1:51273 to 127.0.0.1:1820 length 381
(5) User-Name = "neda.divsalar(a)ut.ac.ir"
(5) Service-Type = Framed-User
(5) Cisco-AVPair = "service-type=Framed"
(5) Framed-MTU = 1449
(5) Called-Station-Id = "74-a0-2f-fc-24-b0:EduRoam"
(5) Calling-Station-Id = "60-92-17-1E-BB-36"
(5) EAP-Message = 0x0206004f15800000004517030100400739d36efe8a02fbcfc11117ef77be9721ab8334795f67cfacb20b46543320231334fe81da0e56c1c57213dd6ce49e93a0996567f0f7ac8af6212a7eaef4f3af
(5) Message-Authenticator = 0x451491865326093e261d7acec62c2c8b
(5) Cisco-AVPair = "audit-session-id=ac13040257a1b97b0009cac1"
(5) Cisco-AVPair = "method=dot1x"
(5) NAS-IP-Address = 172.19.4.2
(5) NAS-Port-Id = "Capwap1"
(5) NAS-Port-Type = Wireless-802.11
(5) State = 0x57ac0bea53aa1ecc562ac00250a74721
(5) Airespace-Wlan-Id = 42
(5) Cisco-AVPair = "cisco-wlan-ssid=EduRoam"
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "ut.ac.ir" for User-Name = "neda.divsalar(a)ut.ac.ir"
(5) suffix: No such realm "ut.ac.ir"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 79
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x57ac0bea53aa1ecc
(5) eap: Finished EAP session with state 0x57ac0bea53aa1ecc
(5) eap: Previous EAP request found for state 0x57ac0bea53aa1ecc, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: Peer indicated complete TLS record size will be 69 bytes
(5) eap_ttls: Got complete TLS record (69 bytes)
(5) eap_ttls: [eaptls verify] = length included
(5) eap_ttls: [eaptls process] = ok
(5) eap_ttls: Session established. Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls: EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
(5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Got tunneled identity of neda.divsalar(a)ut.ac.ir
(5) eap_ttls: Sending tunneled request
(5) Virtual server proxy-inner-tunnel received request
(5) EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) User-Name = "neda.divsalar(a)ut.ac.ir"
(5) WARNING: Outer and inner identities are the same. User privacy is compromised.
(5) server proxy-inner-tunnel {
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(5) authorize {
(5) update control {
(5) &Proxy-To-Realm := "ut"
(5) } # update control = noop
(5) } # authorize = noop
(5) } # server proxy-inner-tunnel
(5) Virtual server sending reply
(5) eap_ttls: Tunneled authentication will be proxied to ut
(5) eap: Tunneled session will be proxied. Not doing EAP
(5) [eap] = handled
(5) } # authenticate = handled
(5) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(5) pre-proxy {
(5) attr_filter.pre-proxy: EXPAND %{Realm}
(5) attr_filter.pre-proxy: --> ut
(5) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(5) [attr_filter.pre-proxy] = updated
(5) } # pre-proxy = updated
(5) Proxying request to home server 172.16.16.29 port 1812 timeout 30.000000
(5) Sent Access-Request Id 129 from 0.0.0.0:46929 to 172.16.16.29:1812 length 101
(5) NAS-Port := 0
(5) EAP-Message = 0x0200001b016e6564612e64697673616c61724075742e61632e6972
(5) User-Name = "neda.divsalar(a)ut.ac.ir"
(5) Message-Authenticator = 0x
(5) Proxy-State = 0x3738
Waking up in 0.3 seconds.
(5) Marking home server 172.16.16.29 port 1812 alive
(5) Clearing existing &reply: attributes
(5) Received Access-Accept Id 129 from 172.16.16.29:1812 to 172.16.16.174:46929 length 42
(5) Proxy-State = 0x3738
(5) Acct-Interim-Interval = 60
(5) Service-Type = Framed-User
(5) Framed-Protocol = PPP
(5) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(5) post-proxy {
(5) eap: Doing post-proxy callback
(5) eap: Passing reply from proxy back into the tunnel
server proxy-inner-tunnel {
(5) eap: post-auth returns 2
} # server proxy-inner-tunnel
(5) eap: Final reply from tunneled session code 2
(5) eap: Proxy-State = 0x3738
(5) eap: Acct-Interim-Interval = 60
(5) eap: Service-Type = Framed-User
(5) eap: Framed-Protocol = PPP
(5) eap: Got reply 2
(5) eap: Got tunneled Access-Accept
(5) eap: Reply was OK
(5) eap: No information to cache: session caching will be disabled for session 8ca2fe46dcd5d29e2c2614a30163e41427825b311d419ca1bfe47e4b940eb0e6
(5) eap: Sending EAP Success (code 3) ID 6 length 4
(5) eap: Freeing handler
(5) [eap] = ok
(5) } # post-proxy = ok
(5) Found Auth-Type = eap
(5) Found Auth-Type = Accept
(5) ERROR: Warning: Found 2 auth-types on request for user 'neda.divsalar(a)ut.ac.ir'
(5) Auth-Type = Accept, accepting the user
(5) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(5) post-auth {
(5) update {
(5) No attributes updated
(5) } # update = noop
(5) [exec] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # post-auth = noop
(5) Sent Access-Accept Id 78 from 127.0.0.1:1820 to 127.0.0.1:51273 length 0
(5) Acct-Interim-Interval = 60
(5) Service-Type = Framed-User
(5) Framed-Protocol = PPP
(5) MS-MPPE-Recv-Key = 0x9d4140eccfea8cb931d954326345ada15d2925df4804908c546957c3ceaab222
(5) MS-MPPE-Send-Key = 0xbdedc69648e6aab32a0b733a51cbae32fe8a1022907695ea2d7c647a758f1142
(5) EAP-Message = 0x03060004
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) User-Name = "neda.divsalar(a)ut.ac.ir"
(5) Finished request
3
5
Hello all.
1. NAS (MDG from Motorola, do we need add addionational attributes in
dictionary file for the Motorola MDG)
2. Freeradius version 3.x, oracle 11g client (installed or Dell
PowerEdge R730 or oracle 11x86)
3. Database (installed or Sparc remote server)
4. Driver rlm_sql is already installed .
<mailto:root@ruh02saaa02:/usr/local/freeradius3/lib>
root@ruh02saaa02:/usr/local/freeradius3/lib# ls -l rlm_sql_oracle*
-rwxr-xr-x 1 root root 964808 Apr 14 14:35 rlm_sql_oracle.a
-rwxr-xr-x 1 root root 27 Apr 14 14:35 <http://rlm_sql_oracle.la/>
rlm_sql_oracle.la
-rwxr-xr-x 1 root root 775232 Apr 14 14:35 rlm_sql_oracle.so
The Radius server is able to connect to the database as below but the
authentication is failed. as i am very new to freeradius any help would be
highly appreciated..
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59512
Listening on proxy address :: port 52582
Ready to process requests
(0) Received Access-Request Id 0 from <http://10.99.10.135:54942/>
10.99.10.135:54942 to <http://0.0.0.0:1812/> 0.0.0.0:1812 length
52
(0) User-Name = "10.10.82.80 "
(0) User-Password = "cisco"
(0) # Executing section authorize from file
/usr/local/freeradius3/etc/raddb/sit
es-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> TRUE
(0) if (&User-Name =~ / /) {
(0) update request {
(0) &Module-Failure-Message += 'Rejected: User-Name contains
whitesp
ace'
(0) } # update request = noop
(0) [reject] = reject
(0) } # if (&User-Name =~ / /) = reject
(0) } # if (&User-Name) = reject
(0) } # policy filter_username = reject
(0) } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file
/usr/local/freeradius3/etc/raddb/sites-enabled/d
efault
(0) Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 104
second
s
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 104
second
s
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 104
second
s
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 104
second
s
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 104
second
s
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (5), 1 of 32 pending slots used
rlm_sql (sql): Reserved connection (5)
(0) sql: EXPAND %{User-Name}
(0) sql: --> 10.10.82.80
(0) sql: SQL-User-Name set to '10.10.82.80 '
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES
( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-
Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES
( '10.10.82.80 ', 'cisco', 'Access-Reject', '2016-04-14 16:32:58')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authda
te) VALUES ( '10.10.82.80 ', 'cisco', 'Access-Reject', '2016-04-14
16:32:58')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 31 pending slots used
(0) [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> 10.10.82.80
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 0 from <http://0.0.0.0:1812/> 0.0.0.0:1812 to
<http://10.99.10.135:54942/> 10.99.10.135:54942 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +104
Ready to process requests
Thanks,
Mohammed Ejaz
Asst. Operation Director of Systems.
Cyberia SAUDI ARABIA
P.O.Box: 301079, Riyadh 11372
Phone: (+966) 11 464 7114 Ext. 140
Mobile: (+966) 562311787
Fax: (+966) 11 465 4735
Website: http://www.cyberia.net.sa
3
5
I use Freeradius auth with LDAP. Freeradius server send "reply" to client.
It's OK. But i want to below package send (forward) another IP address
(fortigate firewall).
Sending Access-Accept of id 79 to 17.16.10.20 port 46695
Reply-Message = "test string"
Service-Type = Framed-User
Framed-Protocol = PPP
Class = 0x73657669796532
Framed-IP-Address = 17.16.1.101
User-Name = "test12345"
Tunnel-Type:0 = VLAN
In example i want forward to 17.16.10.1
3
9
I'm sorry for asking such a simple thing but I can't find any
reference for FreeRadius3.
I have been successfully using this functionality in Freeardius2, in
the same manner as reported here:
http://freeradius-users.freeradius.narkive.com/k46qBmbs/referencing-ldap-at…
I've created a new ldap module inside mods-available/ldap to extract a
specific ldap attribute (macAddress) from a specific ldap location ad
reported here in rlm_ldap module documentation.
ldap ldap_mac_auth {
server = 'samba4.server.mynet.lan'
identity = 'cn=administrator,cn=Users,dc=ad,dc=mynet,dc=lan'
password = p4ss
base_dn = 'ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan'
update {
reply:macAddress := 'macAddress'
}
user {
base_dn = "${..base_dn}"
filter =
"(&(objectClass=computer)(managedBy=%{control:Ldap-UserDn}))"
}
}
Then i'm calling it inside the authorize section of the default server.
authorize {
..
ldap
ldap_mac_auth
..
}
In the post-auth section of the default server i'm applying the
following control.
post-auth {
..
if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
update reply {
Tunnel-Private-Group-Id := 43
Tunnel-Medium-Type := "IEEE-802"
Tunnel-Type := "VLAN"
}
}
..
}
Inside the dictionary file I've added the reference to that variable.
ATTRIBUTE macAddress 3000 string
During the authentication process I can see the ldap_auth_mac module running.
(2) ldap_mac_auth: EXPAND
(&(objectClass=computer)(managedBy=%{control:Ldap-UserDn}))
(2) ldap_mac_auth: --> (&(objectClass=computer)(managedBy=CN\3dTest
User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan))
(2) ldap_mac_auth: Performing search in
"ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan" with filter
"(&(objectClass=computer)(managedBy=CN\3dTest
User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan))",
scope "sub"
(2) ldap_mac_auth: Waiting for search result...
(2) ldap_mac_auth: User object found at DN
"CN=MyNetbook,OU=WiFi,OU=Computers,OU=MyNet,DC=ad,DC=mynet,DC=lan"
(2) ldap_mac_auth: Processing user attributes
(2) ldap_mac_auth: reply:macAddress := '13-59-F3-A3-94-00'
So, as you see, the macAddress ldap attribute is correctly mapped to
the reply:macAddress variable. But at the end of the process,
executing the post-auth section, this is the result:
(10) post-auth {
(10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
(10) EXPAND %{reply:macAddress}
(10) -->
(10) EXPAND %{Calling-Station-Id}
(10) --> 13-59-F3-A3-94-00
(10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) -> FALSE
So the variable "reply:macAddress" couldn't correctly expanded.
I'm using FreeRADIUS Version 3.0.12.
Thanks in advance for your help.
4
4
Hi,
I'm using freeradius 3.0.4 on a Red Hat Centos 7 and it seems I missed a
fundamental point.
I have several customers with their own database. I do logging
accounting data to sql. My problem is that any accounting data of any
customers is logged to any radacct tables. E.g. accounting data of
customer1 is logged to (sql) customer1.radacct, but also to
customer2.radacct and vise versa.
/etc/raddb/mods-enabled/sql:
sql customer1 {
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "ffgfdfdgfdgdg"
radius_db = "customer1"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = 5
min = 4
max = ${thread[pool].max_servers}
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
read_clients = yes
client_table = "nas"
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
sql customer2 {
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "fgfdgdg"
radius_db = "customer2"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = 5
min = 4
max = ${thread[pool].max_servers}
spare = 3
uses = 0
lifetime = 0
idle_timeout = 60
}
read_clients = yes
client_table = "nas"
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
...
/etc/raddb/sites-enabled/default:
[..]
accounting {
..
customer1
customer2
..
}
Any help would be appreciated.
--
MrLINK
3
3