Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
December 2017
- 59 participants
- 87 discussions
Hi there,
I want to improve our logging and want to keep track of authentication attempts that do not complete. I was thinking of logging the very first ACCESS-REQUEST and then later on the result. Is there a good way to identify the very first ACCESS-REQUEST from the client with unlang? Maybe by checking the contents of the session-state list or some such? Any ideas?
Thanks!
- Michael
4
6
Hi all,
I'm trying to save some of the Cisco-AVPair attributes into sql while acounting. Specifically, I'm interested in the dhcp-options and http-tlv attributes. WLC describes the connected device in these.
Unfortunately, Freeradius 3.12 expands these values unregexable way.
(With_cisco_vsa_hack = yes in preprocess the result is the same)
Correctly expanded is just Cisco-AVPair = "audit-session-id=1ef1a8c000014809cba76859"
Policy file:
device_regex = '^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)'
()
fill_device_type {
if (&Cisco-AVPair) {
foreach &Cisco-AVPair {
if ("%{Foreach-Variable-0}" =~ /${policy.device_regex}/i) {
update request {
&Calling-Device += "%{8} "
}
}
}
}
}
Processing:
(98) Received Accounting-Request Id 28 from 192.168.241.30:57614 to 172.31.12.101:1813 length 482
(98) User-Name = "martin"
(98) NAS-Port = 8
(98) NAS-IP-Address = 192.168.241.30
(98) Framed-IP-Address = 10.252.136.9
(98) Framed-IPv6-Prefix = 2a07:8d84:800:325f::/64
(98) Framed-IPv6-Prefix = 2a07:8d84:800:325f::/64
(98) Framed-IPv6-Prefix = 2a07:8d84:800:325f::/64
(98) Framed-IPv6-Prefix = 2a07:8d84:800:325f::/64
(98) Framed-IPv6-Prefix = 2a07:8d84:800:325f::/64
(98) Framed-IPv6-Prefix = fe80::/64
(98) NAS-Identifier = "d4-wlc5520"
(98) Airespace-Wlan-Id = 20
(98) Acct-Session-Id = "5968a7cb/34:ab:37:ed:a2:bb/90671"
(98) NAS-Port-Type = Wireless-802.11
(98) Cisco-AVPair = "audit-session-id=1ef1a8c000014809cba76859"
(98) Acct-Authentic = RADIUS
(98) Tunnel-Type:0 = VLAN
(98) Tunnel-Medium-Type:0 = IEEE-802
(98) Tunnel-Private-Group-Id:0 = "595"
(98) Event-Timestamp = "Jul 14 2017 14:47:01 CEST"
(98) Cisco-AVPair = "dhcp-option=\000\014\000\0056spMK"
(98) Cisco-AVPair = "http-tlv=\000\001\000\030iPhone8,2/10.3.2 (14F89)"
How to regex these ?
(98) Acct-Status-Type = Interim-Update
(98) Acct-Input-Octets = 699538
(98) Acct-Input-Gigawords = 0
(98) Acct-Output-Octets = 2957172
(98) Acct-Output-Gigawords = 0
(98) Acct-Input-Packets = 5974
(98) Acct-Output-Packets = 5319
(98) Acct-Session-Time = 5494
(98) Acct-Delay-Time = 0
(98) Calling-Station-Id = "34-ab-37-ed-a2-bb"
(98) Called-Station-Id = "d4-air1702-ap-1:UI MK tst"
(98) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(98) preacct {
(98) [preprocess] = ok
(98) policy rewrite_called_station_id {
(98) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(98) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> FALSE
(98) elsif (&Called-Station-Id && (&Called-Station-Id =~ /^(.+)(:){1}((.+))?$/i)) {
(98) elsif (&Called-Station-Id && (&Called-Station-Id =~ /^(.+)(:){1}((.+))?$/i)) -> TRUE
(98) elsif (&Called-Station-Id && (&Called-Station-Id =~ /^(.+)(:){1}((.+))?$/i)) {
(98) update request {
(98) EXPAND %{1}
(98) --> d4-air1702-ap-1
(98) &Called-Station-Id := d4-air1702-ap-1
(98) EXPAND %{3}
(98) --> UI MK tst
(98) &Called-Station-SSID := UI MK tst
(98) } # update request = noop
(98) [updated] = updated
(98) } # elsif (&Called-Station-Id && (&Called-Station-Id =~ /^(.+)(:){1}((.+))?$/i)) = updated
(98) ... skipping else: Preceding "if" was taken
(98) } # policy rewrite_called_station_id = updated
(98) policy fill_device_type {
(98) if (&Cisco-AVPair) {
(98) if (&Cisco-AVPair) -> TRUE
(98) if (&Cisco-AVPair) {
(98) foreach &Cisco-AVPair
(98) if ("%{Foreach-Variable-0}" =~ /^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)/i) {
(98) EXPAND Foreach-Variable-0
(98) --> audit-session-id=1ef1a8c000014809cba76859
(98) EXPAND %{Foreach-Variable-0}
(98) --> audit-session-id=1ef1a8c000014809cba76859
(98) if ("%{Foreach-Variable-0}" =~ /^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)/i) -> FALSE
(98) if ("%{Foreach-Variable-0}" =~ /^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)/i) {
(98) EXPAND Foreach-Variable-0
(98) --> dhcp-option=
(98) EXPAND %{Foreach-Variable-0}
(98) --> dhcp-option=
(98) if ("%{Foreach-Variable-0}" =~ /^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)/i) -> FALSE
(98) if ("%{Foreach-Variable-0}" =~ /^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)/i) {
(98) EXPAND Foreach-Variable-0
(98) --> http-tlv=
(98) EXPAND %{Foreach-Variable-0}
(98) --> http-tlv=
Both attributes are expanded till first whitespace char
(98) if ("%{Foreach-Variable-0}" =~ /^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)/i) -> FALSE
(98) } # foreach &Cisco-AVPair = updated
(98) } # if (&Cisco-AVPair) = updated
How to get text values following whitespaces?
I've already tried if ("unescape:%{Foreach-Variable-0}" =~ /${policy.device_regex}/i) with no luck
Martin Kylián
4
11
AW: AW: AW: After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate
by Gladewitz, Robert 19 Jan '18
by Gladewitz, Robert 19 Jan '18
19 Jan '18
If I understand this logs rights, the error happening on ca certificate?
...
Mon Dec 18 14:41:44 2017 : Debug: (2) eap_tls: TLS-Cert-Subject :=
"/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige
GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig"
Mon Dec 18 14:41:44 2017 : Debug: (2) eap_tls: TLS-Cert-Issuer :=
"/C=DE/O=Deutsches BiomasseForschungsZentrum gemeinnuetzige
GmbH/OU=IT/CN=CAPF-1b0db5b4/ST=Sachsen/L=Leipzig"
Mon Dec 18 14:41:44 2017 : Debug: (2) eap_tls: TLS-Cert-Common-Name :=
"CAPF-1b0db5b4"
Mon Dec 18 14:41:44 2017 : ERROR: (2) eap_tls: SSL says error 26 :
unsupported certificate purpose
Mon Dec 18 14:41:44 2017 : Debug: Ignoring cbtls_msg call with pseudo content
type 256, version 0
Mon Dec 18 14:41:44 2017 : Debug: (2) eap_tls: >>> send TLS 1.0 Alert [length
0002], fatal unsupported_certificate
Mon Dec 18 14:41:44 2017 : ERROR: (2) eap_tls: TLS Alert
write:fatal:unsupported certificate
Mon Dec 18 14:41:44 2017 : Error: tls: TLS_accept: Error in error
Mon Dec 18 14:41:44 2017 : ERROR: (2) eap_tls: Failed in __FUNCTION__
(SSL_read): ../ssl/statem/statem_srvr.c[2896]:error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
Mon Dec 18 14:41:44 2017 : ERROR: (2) eap_tls: System call (I/O) error (-1)
...
Robert
4
19
15 Jan '18
Hello & Merry Christmas.
I have managed to enable accounting after all and it seems that the module
sqlcounter is loaded too.
Looking at the documentation here
<https://freeradius.org/radiusd/man/rlm_counter.txt>
The rlm_counter module provides a general framework to measure
total data transferred in a given period. This is very useful in a
'Prepaid Service' situation, where a user has paid for a finite
amount of usage and should not be allowed to use more than that
service.
This is perfect as I need exactly that.
It seems I have to change count_attribute to data usage in order to measure
the usage instead of session time, but I'm not quite sure where to find the
accepted values.
Nonetheless, I'm very confused how I'm supposed to use this module.
I can see the module is loaded when I run it as freeradius -X.
But how do I set it up to allow each user only 3 GB of data usage within a
month?
Or even for testing purposes 500KB on daily basis?
When the month or the day has passed, then the user should be allowed
access again.
Which config files do I have to edit?
Many Thanks for your advice,
Houman
3
14
Hi,
I am trying to set up a new freeradius server (v3.0.15) so that it will send directly to a couchbase server instead of my current old radius server setup that is sending accounting via a radius-proxy server.
Any help would be appreciated in trying to figure this out.
I have enabled the following environment settings:
LCB_OPTIONS="detailed_errcodes=1" && export LCB_OPTIONS
LCB_CNTL_DETAILED_ERRCODES=1 && export LCB_CNTL_DETAILED_ERRCODES
LCB_LOGLEVEL=5 && export LCB_LOGLEVEL
Here is the trimmed output from radius -X:
(0) Received Accounting-Request Id 65 from 127.0.0.1:55005 to 127.0.0.1:1813 length 715
(0) User-Name = "noneexistent123(a)domain.com"
(0) Acct-Status-Type = Interim-Update
(0) Acct-Session-Id = "25466609"
(0) Acct-Input-Octets = 211016095
(0) Acct-Output-Octets = 3081069646
(0) Acct-Session-Time = 2047177
(0) Acct-Input-Packets = 179269685
(0) Acct-Output-Packets = 322301129
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) Filter-Id = "IPV4-ingress:dsl-default-in-si-1/1/0.1073813193-in"
(0) Filter-Id = "IPV4-egress:dsl-default-out-si-1/1/0.1073813193-out"
(0) Attr-26.4874.177 = 0x506f72742053706565643a2031303030303030306b
(0) Tunnel-Type:0 = L2TP
(0) Tunnel-Medium-Type:0 = IPv4
(0) Tunnel-Client-Endpoint:0 = "192.168.242.189"
(0) Tunnel-Server-Endpoint:0 = "192.168.80.106"
(0) Tunnel-Assignment-Id:0 = "57524"
(0) Tunnel-Client-Auth-Id:0 = "AR09"
(0) Tunnel-Server-Auth-Id:0 = "company"
(0) Acct-Tunnel-Connection = "0002758216"
(0) Acct-Authentic = RADIUS
(0) Acct-Delay-Time = 0
(0) Calling-Station-Id = "GigabitEthernet 1/0.12502026:1250-2026#587204111###pppoe 4c:9e:ff:27:41:4c#"
(0) ERX-Dhcp-Mac-Addr = "0000.0000.0000"
(0) Event-Timestamp = "Dec 12 2017 11:35:30 EST"
(0) Framed-IP-Address = 192.168.225.42
(0) Framed-IP-Netmask = 255.255.254.0
(0) ERX-Input-Gigapkts = 0
(0) Acct-Input-Gigawords = 4
(0) NAS-Identifier = "lns01"
(0) NAS-Port = 268439551
(0) NAS-Port-Id = "Ip:192.168.80.106:192.168.242.189:57524:10046:22601:33289:2758216"
(0) NAS-Port-Type = Virtual
(0) ERX-Output-Gigapkts = 0
(0) Acct-Output-Gigawords = 103
(0) ERX-IPv6-Acct-Input-Octets = 0
(0) ERX-IPv6-Acct-Output-Octets = 0
(0) ERX-IPv6-Acct-Input-Packets = 0
(0) ERX-IPv6-Acct-Output-Packets = 0
(0) ERX-IPv6-Acct-Input-Gigawords = 0
(0) ERX-IPv6-Acct-Output-Gigawords = 0
(0) ERX-Tx-Connect-Speed = 13277755
(0) Attr-26.4874.163 = 0x000000
(0) ERX-Pppoe-Description = "pppoe 00:00:00:00:00:00"
(0) NAS-IP-Address = 192.168.191.4
(0) # Executing section preacct from file /etc/raddb/sites-enabled/company
(0) preacct {
(0) policy username_lower_domain {
(0) update request {
(0) EXPAND %{tolower:%{User-Name}}
(0) --> noneexistent123(a)company.com
(0) Stripped-User-Name := noneexistent123(a)company.com
(0) } # update request = noop
(0) if (User-Name =~ /^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$/){
(0) if (User-Name =~ /^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$/) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy username_lower_domain = noop
(0) policy acct_counters64_preacct {
(0) update request {
(0) EXPAND %{expr:(%{%{Acct-Input-Gigawords}:-0} * 4294967296) + %{%{Acct-Input-Octets}:-0}}
(0) --> 17390885279
(0) Acct-Input-Octets64 = 17390885279
(0) EXPAND %{expr:(%{%{Acct-Output-Gigawords}:-0} * 4294967296) + %{%{Acct-Output-Octets}:-0}}
(0) --> 445462701134
(0) Acct-Output-Octets64 = 445462701134
(0) } # update request = noop
(0) } # policy acct_counters64_preacct = noop
(0) policy acct_unique {
(0) update request {
(0) EXPAND %{md5:%{Stripped-User-Name},%{Acct-Session-ID},%{NAS-IP-Address}}
(0) --> 51dc686492632c94c03d1346eb471bf5
(0) Acct-Unique-Session-Id := 51dc686492632c94c03d1346eb471bf5
(0) } # update request = noop
(0) } # policy acct_unique = noop
(0) if (NAS-Port-Id =~ /:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):/) {
(0) if (NAS-Port-Id =~ /:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):/) -> TRUE
(0) if (NAS-Port-Id =~ /:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):/) {
(0) update request {
(0) EXPAND %{1}
(0) --> 192.168.80.106
(0) NAS-Port-Id := 192.168.80.106
(0) EXPAND %{2}
(0) --> 192.168.242.189
(0) NAS-Identifier := 192.168.242.189
(0) } # update request = noop
(0) } # if (NAS-Port-Id =~ /:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):/) = noop
(0) } # preacct = noop
(0) # Executing section accounting from file /etc/raddb/sites-enabled/company
(0) accounting {
rlm_couchbase (couchtsi): Reserved connection (0)
(0) couchtsi: EXPAND radacct_%{%{Acct-Unique-Session-Id}:-%{Acct-Session-Id}}
(0) couchtsi: --> radacct_51dc686492632c94c03d1346eb471bf5
32450ms [I0] {32348} [INFO] (lcbio_mgr - L:410) <10.0.2.207:11210> (HE=0x5652b23dde40) Found ready connection in pool. Reusing socket and not creating new connection
32450ms [I0] {32348} [TRACE] (bootstrap - L:143) Background-polling for new configuration
32450ms [I0] {32348} [TRACE] (confmon - L:272) Refreshing current cluster map
32450ms [I0] {32348} [DEBUG] (lcbio_mgr - L:247) <10.0.2.207:11210> (HE=0x5652b23dde40) Assigning R=0x5652b2445930 SOCKET=0x5652b23df380
32450ms [I0] {32348} [DEBUG] (ioctx - L:99) <10.0.2.207:11210> (CTX=0x5652b26410d0,unknown) Pairing with SOCK=0x5652b23df380
32450ms [I0] {32348} [TRACE] (confmon - L:259) Attempting to retrieve cluster map via CCCP
32450ms [I0] {32348} [TRACE] (cccp - L:144) Re-Issuing CCCP Command on server struct 0x5652b23ebaf0 (10.0.2.207:11210)
rlm_couchbase: (get_callback) got 93 bytes
32451ms [I0] {32348} [TRACE] (confmon - L:150) Not applying configuration received via CCCP. No changes detected. A.rev=25, B.rev=25
rlm_couchbase: skipping attribute with no map entry - User-Name
rlm_couchbase: skipping attribute with no map entry - Acct-Status-Type
rlm_couchbase: skipping attribute with no map entry - Acct-Session-Id
rlm_couchbase: skipping attribute with no map entry - Acct-Input-Octets
rlm_couchbase: skipping attribute with no map entry - Acct-Output-Octets
rlm_couchbase: skipping attribute with no map entry - Acct-Session-Time
rlm_couchbase: skipping attribute with no map entry - Acct-Input-Packets
rlm_couchbase: skipping attribute with no map entry - Acct-Output-Packets
rlm_couchbase: skipping attribute with no map entry - Service-Type
rlm_couchbase: skipping attribute with no map entry - Framed-Protocol
rlm_couchbase: skipping attribute with no map entry - Filter-Id
rlm_couchbase: skipping attribute with no map entry - Filter-Id
rlm_couchbase: skipping attribute with no map entry - Attr-26.4874.177
rlm_couchbase: skipping attribute with no map entry - Tunnel-Type
rlm_couchbase: skipping attribute with no map entry - Tunnel-Medium-Type
rlm_couchbase: skipping attribute with no map entry - Tunnel-Client-Endpoint
rlm_couchbase: skipping attribute with no map entry - Tunnel-Server-Endpoint
rlm_couchbase: skipping attribute with no map entry - Tunnel-Assignment-Id
rlm_couchbase: skipping attribute with no map entry - Tunnel-Client-Auth-Id
rlm_couchbase: skipping attribute with no map entry - Tunnel-Server-Auth-Id
rlm_couchbase: skipping attribute with no map entry - Acct-Tunnel-Connection
rlm_couchbase: skipping attribute with no map entry - Acct-Authentic
rlm_couchbase: skipping attribute with no map entry - Acct-Delay-Time
rlm_couchbase: skipping attribute with no map entry - Calling-Station-Id
rlm_couchbase: skipping attribute with no map entry - ERX-Dhcp-Mac-Addr
rlm_couchbase: skipping attribute with no map entry - Event-Timestamp
rlm_couchbase: skipping attribute with no map entry - Framed-IP-Address
rlm_couchbase: skipping attribute with no map entry - Framed-IP-Netmask
rlm_couchbase: skipping attribute with no map entry - ERX-Input-Gigapkts
rlm_couchbase: skipping attribute with no map entry - Acct-Input-Gigawords
rlm_couchbase: skipping attribute with no map entry - NAS-Identifier
rlm_couchbase: skipping attribute with no map entry - NAS-Port
rlm_couchbase: skipping attribute with no map entry - NAS-Port-Id
rlm_couchbase: skipping attribute with no map entry - NAS-Port-Type
rlm_couchbase: skipping attribute with no map entry - ERX-Output-Gigapkts
rlm_couchbase: skipping attribute with no map entry - Acct-Output-Gigawords
rlm_couchbase: skipping attribute with no map entry - ERX-IPv6-Acct-Input-Octets
rlm_couchbase: skipping attribute with no map entry - ERX-IPv6-Acct-Output-Octets
rlm_couchbase: skipping attribute with no map entry - ERX-IPv6-Acct-Input-Packets
rlm_couchbase: skipping attribute with no map entry - ERX-IPv6-Acct-Output-Packets
rlm_couchbase: skipping attribute with no map entry - ERX-IPv6-Acct-Input-Gigawords
rlm_couchbase: skipping attribute with no map entry - ERX-IPv6-Acct-Output-Gigawords
rlm_couchbase: skipping attribute with no map entry - ERX-Tx-Connect-Speed
rlm_couchbase: skipping attribute with no map entry - Attr-26.4874.163
rlm_couchbase: skipping attribute with no map entry - ERX-Pppoe-Description
rlm_couchbase: skipping attribute with no map entry - NAS-IP-Address
rlm_couchbase: skipping attribute with no map entry - Stripped-User-Name
rlm_couchbase: skipping attribute with no map entry - Acct-Input-Octets64
rlm_couchbase: skipping attribute with no map entry - Acct-Output-Octets64
rlm_couchbase: skipping attribute with no map entry - Acct-Unique-Session-Id
rlm_couchbase (couchtsi): Released connection (0)
Need 10 more connections to reach 15 spares
rlm_couchbase (couchtsi): Opening additional connection (5), 1 of 15 pending slots used
32452ms [I15] {32348} [INFO] (instance - L:423) Version=2.8.3, Changeset=8ce52f9294cfef59b9ff44f3cfc18cc3ca8c2860
32452ms [I15] {32348} [INFO] (instance - L:424) Effective connection string: couchbase+explicit://10.0.2.207,/radius?. Bucket=radius
32452ms [I15] {32348} [DEBUG] (instance - L:284) Applying initial cntl detailed_errcodes=1
32566ms [I15] {32348} [INFO] (instance - L:137) DNS SRV lookup failed: DNS/Hostname lookup failed. Ignore this if not relying on DNS SRV records
32566ms [I15] {32348} [DEBUG] (instance - L:77) Adding host 10.0.2.207:8091 to initial HTTP bootstrap list
32566ms [I15] {32348} [DEBUG] (instance - L:77) Adding host 10.0.2.207:11210 to initial CCCP bootstrap list
32566ms [I15] {32348} [TRACE] (instance - L:117) Bootstrap hosts loaded (cccp:1, http:1)
32566ms [I15] {32348} [DEBUG] (confmon - L:85) Preparing providers (this may be called multiple times)
32566ms [I15] {32348} [DEBUG] (confmon - L:92) Provider CCCP is ENABLED
32566ms [I15] {32348} [DEBUG] (confmon - L:92) Provider HTTP is ENABLED
32566ms [I15] {32348} [TRACE] (confmon - L:272) Refreshing current cluster map
32566ms [I15] {32348} [TRACE] (confmon - L:259) Attempting to retrieve cluster map via CCCP
32566ms [I15] {32348} [INFO] (cccp - L:151) Requesting connection to node 10.0.2.207:11210 for CCCP configuration
32566ms [I15] {32348} [DEBUG] (lcbio_mgr - L:417) <10.0.2.207:11210> (HE=0x5652b2657c70) Creating new connection because none are available in the pool
32566ms [I15] {32348} [TRACE] (lcbio_mgr - L:328) <10.0.2.207:11210> (HE=0x5652b2657c70) New pool entry: I=0x5652b2658ed0
32566ms [I15] {32348} [INFO] (connection - L:467) <10.0.2.207:11210> (SOCK=0x5652b2659070) Starting. Timeout=2000000us
32566ms [I15] {32348} [DEBUG] (connection - L:232) <10.0.2.207:11210> (SOCK=0x5652b2659070) Created new socket with FD=25
32566ms [I15] {32348} [TRACE] (connection - L:333) <10.0.2.207:11210> (SOCK=0x5652b2659070) Scheduling I/O watcher for asynchronous connection completion.
32567ms [I15] {32348} [INFO] (connection - L:141) <10.0.2.207:11210> (SOCK=0x5652b2659070) Connected established
32567ms [I15] {32348} [DEBUG] (connection - L:100) <10.0.2.207:11210> (SOCK=0x5652b2659070) Successfully set TCP_NODELAY
32567ms [I15] {32348} [DEBUG] (connection - L:100) <10.0.2.207:11210> (SOCK=0x5652b2659070) Successfully set TCP_KEEPALIVE
32567ms [I15] {32348} [DEBUG] (lcbio_mgr - L:287) <10.0.2.207:11210> (HE=0x5652b2657c70) Received result for I=0x5652b2658ed0,C=(nil); E=0x0
32567ms [I15] {32348} [DEBUG] (lcbio_mgr - L:247) <10.0.2.207:11210> (HE=0x5652b2657c70) Assigning R=0x5652b2657d20 SOCKET=0x5652b2659070
32567ms [I15] {32348} [DEBUG] (ioctx - L:99) <10.0.2.207:11210> (CTX=0x5652b2659870,unknown) Pairing with SOCK=0x5652b2659070
32567ms [I15] {32348} [DEBUG] (negotiation - L:390) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) HELLO identificator: "libcouchbase/2.8.3"
32567ms [I15] {32348} [DEBUG] (negotiation - L:394) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) Request feature: 0x2 (TLS)
32567ms [I15] {32348} [DEBUG] (negotiation - L:394) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) Request feature: 0x6 (XATTR)
32567ms [I15] {32348} [DEBUG] (negotiation - L:394) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) Request feature: 0x8 (Select Bucket)
32567ms [I15] {32348} [DEBUG] (negotiation - L:394) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) Request feature: 0x7 (Error Map)
32567ms [I15] {32348} [DEBUG] (negotiation - L:394) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) Request feature: 0x3 (TCP NODELAY)
32567ms [I15] {32348} [DEBUG] (negotiation - L:420) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) Server supports feature: 0x3 (TCP NODELAY)
32567ms [I15] {32348} [TRACE] (negotiation - L:565) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl,SASLREQ=0x5652b2659690) GET_ERRORMAP unsupported/disabled
32568ms [I15] {32348} [DEBUG] (ioctx - L:149) <10.0.2.207:11210> (CTX=0x5652b2659870,sasl) Destroying context. Pending Writes=0, Entered=true, Socket Refcount=1
32568ms [I15] {32348} [DEBUG] (ioctx - L:99) <10.0.2.207:11210> (CTX=0x5652b2661d80,unknown) Pairing with SOCK=0x5652b2659070
32568ms [I15] {32348} [DEBUG] (ioctx - L:149) <10.0.2.207:11210> (CTX=0x5652b2661d80,bc_cccp) Destroying context. Pending Writes=0, Entered=true, Socket Refcount=1
32568ms [I15] {32348} [INFO] (lcbio_mgr - L:467) <10.0.2.207:11210> (HE=0x5652b2657c70) Placing socket back into the pool. I=0x5652b2658ed0,C=0x5652b2659070
32569ms [I15] {32348} [INFO] (confmon - L:158) Setting new configuration. Received via CCCP
32569ms [I15] {32348} [DEBUG] (bootstrap - L:56) Instance configured
32569ms [I15] {32348} [DEBUG] (confmon - L:85) Preparing providers (this may be called multiple times)
32569ms [I15] {32348} [DEBUG] (confmon - L:92) Provider CCCP is ENABLED
(0) [couchtsi] = ok
(0) [ok] = ok
(0) } # accounting = ok
(0) Sent Accounting-Response Id 65 from 127.0.0.1:1813 to 127.0.0.1:55005 length 0
(0) Finished request
(0) Cleaning up request packet ID 65 with timestamp +31
Ready to process requests
**************************************************
cat /etc/raddb/mods-enabled/couchbase
couchbase {
server = "http://10.0.2.207:8091/pools"
bucket = "radius"
password = "PasswordString"
acct_key = "radacct_%{%{Acct-Unique-Session-Id}:-%{Acct-Session-Id}}"
doctype = "radacct"
expire = 2592000
update {
sessionId = 'Acct-Session-Id'
uniqueId = 'Acct-Unique-Session-Id'
lastStatus = 'Acct-Status-Type'
userName = 'User-Name'
lowercaseUser = 'Stripped-User-Name'
userDomain = 'Stripped-User-Domain'
nasIpAddress = 'NAS-IP-Address'
nasIdentifier = 'NAS-Identifier'
nasPort = 'NAS-Port-Id'
calledStationId = 'Called-Station-Id'
callingStationId = 'Calling-Station-Id'
framedIpAddress = 'Framed-IP-Address'
framedRoute = 'Framed-Route'
framedIpv6Address = 'Framed-IPv6-Prefix'
framedIpv6Id = 'Framed-Interface-Id'
framedV6Route = 'Delegated-IPv6-Prefix'
multiSessionId = 'Acct-Multi-Session-Id'
multiSessionCount = 'Acct-Link-Count'
TerminateCause = 'Acct-Terminate-Cause'
sessionTime = 'Acct-Session-Time'
lastUpdated = 'Event-Timestamp'
}
usage {
lastStatus = 'Acct-Status-Type'
timeStamp = 'Event-Timestamp'
download = 'Acct-Output-Octets64'
upload = 'Acct-Input-Octets64'
}
user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}"
pool {
start = 5
min = 5
max = 20
spare = 15
uses = 0
lifetime = 0
idle_timeout = 1200
}
}
Thanks.
-Mike
2
7
Hi,
I have a customer running a Fortigate SSL-VPN solution authenticating users via RADIUS (PAP) towards a Gemalto SAS OTP solution. The user just use the Gemalto MobilePASS app to generate an OTP code and enters that into the password field, which works fine.
However, he now wants to first authenticate the user with username/AD-password via LDAP against their AD, and if successful, the user should be prompted for the OTP code as a second step. This is currently not possible with the Gemalto SAS solution, so I’m therefor trying to deploy a FreeRADIUS (v3.0.13 on CentOS7) server in between and have FR perform the AD auth, return an Access-Challenge and then proxy the second Access-Request with the OTP code to Gemalto RADIUS.
I’ve successfully managed to independently configure FR with the LDAP module to authenticate the username/password against their AD, or configure it as a proxy to send the requests to Gemalto, but I can’t really figure out how to chain these two auth methods together. After I enabled proxying of NULL realm, the first auth request is sent straight on to Gemalto.
Is it even possible with pure configuration, or would I have to patch the two modules to accomplish this? Any hints would be greatly appreciated.
PS: I have no need for authorizing the user AD group belongings etc in FR, this is done in the second step by Gemalto anyway. I just need pure authentication against the AD in step 1.
This is what I got so far:
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/ldap
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
authhost = 172.16.8.107:1812
accthost = 172.16.8.107:1813
secret = <<< secret >>>
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = LDAP
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "10.100.0.10"
identity = "SRV-LDAPS-GEMALTO"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
scope = "sub"
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
}
client {
scope = "sub"
base_dn = ""
}
profile {
}
options {
ldap_debug = 0
chase_referrals = yes
rebind = yes
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20444
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 5
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 10 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.100.0.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 9 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.100.0.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 8 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.100.0.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 7 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.100.0.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 6 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.100.0.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:330
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 53500
Ready to process requests
(0) Received Access-Request Id 161 from 127.0.0.1:53117 to 127.0.0.1:1812 length 85
(0) User-Name = "mathias.sundman"
(0) User-Password = "myadpassword"
(0) NAS-IP-Address = 172.16.8.111
(0) NAS-Port = 0
(0) Message-Authenticator = 0xba542c1bc308cf31d91ebb1cd7843f1d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "mathias.sundman", looking up realm NULL
(0) suffix: Found realm "NULL"
(0) suffix: Adding Stripped-User-Name = "mathias.sundman"
(0) suffix: Adding Realm = "NULL"
(0) suffix: Proxying request from user mathias.sundman to realm NULL
(0) suffix: Preparing to proxy authentication request to realm "NULL"
(0) [suffix] = updated
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry DEFAULT at line 67
(0) [files] = ok
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (samaccountname=mathias.sundman)
(0) ldap: Performing search in "dc=int,dc=it-total,dc=local" with filter "(samaccountname=mathias.sundman)", scope "sub"
(0) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.int.it-total.local/DC=DomainDnsZones,DC=int,DC=it-total,DC=local
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) ldap: User object found at DN "CN=Mathias Sundman,OU=Users,OU=IT-Total,DC=int,DC=it-total,DC=local"
rlm_ldap (ldap): Deleting connection (0)
Need 1 more connections to reach min connections (5)
rlm_ldap (ldap): Opening additional connection (5), 1 of 6 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.100.0.10:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) Starting proxy to home server 172.16.8.107 port 1812
(0) Proxying request to home server 172.16.8.107 port 1812 timeout 14.000000
(0) Sent Access-Request Id 150 from 0.0.0.0:53500 to 172.16.8.107:1812 length 96
(0) User-Name = "mathias.sundman"
(0) User-Password = "myadpassword"
(0) NAS-IP-Address = 172.16.8.111
(0) NAS-Port = 0
(0) Message-Authenticator = 0xba542c1bc308cf31d91ebb1cd7843f1d
(0) Event-Timestamp = "Dec 27 2017 15:59:56 CET"
(0) Proxy-State = 0x313631
Waking up in 0.3 seconds.
(0) Expecting proxy response no later than 13.678859 seconds from now
Waking up in 13.6 seconds.
(0) Clearing existing &reply: attributes
(0) Received Access-Reject Id 150 from 172.16.8.107:1812 to 172.16.8.111:53500 length 25
(0) Proxy-State = 0x313631
(0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> mathias.sundman
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 161 from 127.0.0.1:1812 to 127.0.0.1:53117 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 161 with timestamp +40
Ready to process requests
2
8
Hello
I have a question about AD authentication that I can't seem to find an answer to in the documentation. The question simply boils down to this: who do I specify a configuration when dealing with domain.com and subdomain.domain.com?
We currently use 802.1x on all network ports and have three login scenarios:
1. 802.1x using PEAP-MSCHAPv2 (domain computers)
2. 802.1x using MD5 (yes I know this is older but that is what the devices support)
3. MAC address authentication (printers, cameras, etc)
Right now NPS is the first RADIUS server inline and handles all the PEAP requests for machine authentication if the traffic does not conform a specific pattern - if it does conform the traffic is forwarded to freeradius for scenarios 2 & 3. The end goal is to get down to a single server instead of a relayed configuration. What is required is the ability to support both domain.com and subdomain.domain.com or domain A and domain B and computers could be a member from either domain. I also need to find a way to not have these users defined in freeradius as most of the guides seem to point to but instead validate the return results based on the group membership (Domain Computers) from either group, each domain gets a unique vlan assignment from NPS based on this relationship.
I pulled this from FreeRADIUS guides:
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
Which leads to the questions about multi domain configurations which I can't find mentioned anywhere in the wiki's, faqs or internet in general which leads me to think that this is one of three cases:
1. This configuration is uncommon
2. This configuration is not possible
3. I am just being dense in the head (I prefer to believe this is not the scenario).
Using the NTLM_AUTH test tool I am able to specify the domain and get a successful auth as there is a trust between these parent and child domains but because everything is based on the samaccountname the domain has to be specified with the tool. I also understand that calling the ntlm_auth program may not be the best way to go and that a library exists but I believe the base question(s) are still relevant in both cases. Any guidance would greatly be appreciated even if it is stick what you got.
Thanks
Jeremy
4
20
Hello,
We are upgrading FreeRADIUS from 2.x to 3.x, during our work around with
FreeRADIUS-2.x we have created modules in c/c++. Now we need to update
these modules as per FR-3.x standards but modules created in c++ code do
not get compiled (with below errors) even after re-structuring the module
as FR3.x standards.
/usr/include/freeradius/libradius.h:190:25: error: '<anonymous>' declared
as a 'virtual' field
unsigned int virtual : 1; //!< for dynamic expansion
^
/usr/include/freeradius/libradius.h:612:64: error: expected ',' or '...'
before 'new'
VALUE_PAIR *fr_cursor_replace(vp_cursor_t *cursor, VALUE_PAIR *new);
^
In file included from rlm_attrefvnf_auth_status_monitor.cpp:3:0:
/usr/include/freeradius/modules.h:67:19: error: expected unqualified-id
before 'typename'
char const *typename; //!< Type name e.g. "Auth-Type".
^
/usr/include/freeradius/modules.h:67:18: error: expected ';' at end of
member declaration
char const *typename; //!< Type name e.g. "Auth-Type".
^
/usr/include/freeradius/modules.h:67:27: error: expected
nested-name-specifier before ';' token
char const *typename; //!< Type name e.g. "Auth-Type".
Is it high necessary that FR-3.x modules are to be written only in c-code ?
Is there any way to overcome this issue ?
Thanks..
3
4
Hi Users.
I'm Running 3.0.13 for a while now. I set it up to support cert
authentication, as well as authorized MACs. I didn't deploy any clients
using certs, only set up with user/pass and authorized MACs.
Sometime last week, users couldn't authenticate. I see errors in debug
stated there are 2 auth types, I can see the MAC auth is working, but users
are failing to authenticate because of EAP failure. At this point, I want
to be able to use both MAC / user+pass auth, and if in the future we decide
to deploy certs, than allow that too. If we need to disable EAP or certs
to get this working, that is an option too. Not sure why it stopped
working out of the blue. The radius server hasn't been touched since the
initial working config.
Any ideas?
(0) Received Access-Request Id 168 from 10.2.1.53:41523 to 10.2.2.35:1812
length 218
(0) User-Name = "rbadani"
(0) NAS-Identifier = "pakedge"
(0) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 0
(0) Calling-Station-Id = "34-F3-9A-86-59-57"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "196EB9DAB87DC1A9"
(0) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02e1000c0172626164616e69
(0) Message-Authenticator = 0xa0ce8c9f4fc59786614b51de2a9d2ec5
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) update request {
(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0) --> 34-F3-9A-86-59-57
(0) &Calling-Station-Id := 34-F3-9A-86-59-57
(0) } # update request = noop
(0) [updated] = updated
(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy rewrite_calling_station_id = updated
(0) authorized_macs: EXPAND %{Calling-Station-ID}
(0) authorized_macs: --> 34-F3-9A-86-59-57
(0) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(0) [authorized_macs] = ok
(0) if (!ok) {
(0) if (!ok) -> FALSE
(0) else {
(0) update control {
(0) Auth-Type := Accept
(0) } # update control = noop
(0) } # else = noop
(0) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(0) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(0) auth_log: EXPAND %t
(0) auth_log: --> Wed Dec 27 16:56:02 2017
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 225 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Found Auth-Type = eap
(0) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 226 length 22
(0) eap: EAP session adding &reply:State = 0x6b29e7526bcbe320
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 168 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(0) EAP-Message = 0x01e200160410f2c51c0a8574f54c59f1fb4f5448daec
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x6b29e7526bcbe32030426126b755182c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 169 from 10.2.1.53:41523 to 10.2.2.35:1812
length 230
(1) User-Name = "rbadani"
(1) NAS-Identifier = "pakedge"
(1) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 0
(1) Calling-Station-Id = "34-F3-9A-86-59-57"
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) Acct-Session-Id = "196EB9DAB87DC1A9"
(1) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x02e200060319
(1) State = 0x6b29e7526bcbe32030426126b755182c
(1) Message-Authenticator = 0x832b06e0af58a82af454cf2ffc708452
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 34-F3-9A-86-59-57
(1) &Calling-Station-Id := 34-F3-9A-86-59-57
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) authorized_macs: EXPAND %{Calling-Station-ID}
(1) authorized_macs: --> 34-F3-9A-86-59-57
(1) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(1) [authorized_macs] = ok
(1) if (!ok) {
(1) if (!ok) -> FALSE
(1) else {
(1) update control {
(1) Auth-Type := Accept
(1) } # update control = noop
(1) } # else = noop
(1) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(1) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(1) auth_log: EXPAND %t
(1) auth_log: --> Wed Dec 27 16:56:02 2017
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 226 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry rbadani at line 8
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = Accept
(1) Found Auth-Type = eap
(1) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x6b29e7526bcbe320
(1) eap: Finished EAP session with state 0x6b29e7526bcbe320
(1) eap: Previous EAP request found for state 0x6b29e7526bcbe320, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 227 length 6
(1) eap: EAP session adding &reply:State = 0x6b29e7526acafe20
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 169 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(1) EAP-Message = 0x01e300061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x6b29e7526acafe2030426126b755182c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 170 from 10.2.1.53:41523 to 10.2.2.35:1812
length 394
(2) User-Name = "rbadani"
(2) NAS-Identifier = "pakedge"
(2) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 0
(2) Calling-Station-Id = "34-F3-9A-86-59-57"
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) Acct-Session-Id = "196EB9DAB87DC1A9"
(2) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message =
0x02e300aa1980000000a0160303009b0100009703035a444122e1641f29196378fe1c9196ff77cac7424e30263c29b46a54f4bc39a500002ec02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0005000401000040000500050100000000000a0008
(2) State = 0x6b29e7526acafe2030426126b755182c
(2) Message-Authenticator = 0xe0f5b4a26689126da9c07570236cee15
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) policy rewrite_calling_station_id {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2) update request {
(2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> 34-F3-9A-86-59-57
(2) &Calling-Station-Id := 34-F3-9A-86-59-57
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_calling_station_id = updated
(2) authorized_macs: EXPAND %{Calling-Station-ID}
(2) authorized_macs: --> 34-F3-9A-86-59-57
(2) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(2) [authorized_macs] = ok
(2) if (!ok) {
(2) if (!ok) -> FALSE
(2) else {
(2) update control {
(2) Auth-Type := Accept
(2) } # update control = noop
(2) } # else = noop
(2) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(2) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(2) auth_log: EXPAND %t
(2) auth_log: --> Wed Dec 27 16:56:02 2017
(2) [auth_log] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 227 length 170
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = Accept
(2) Found Auth-Type = eap
(2) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x6b29e7526acafe20
(2) eap: Finished EAP session with state 0x6b29e7526acafe20
(2) eap: Previous EAP request found for state 0x6b29e7526acafe20, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 160 bytes
(2) eap_peap: Got complete TLS record (160 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< recv TLS 1.2 [length 009b]
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.2 [length 0039]
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.2 [length 0867]
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 228 length 1004
(2) eap: EAP session adding &reply:State = 0x6b29e75269cdfe20
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 170 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(2) EAP-Message =
0x01e403ec19c000000a0516030300390200003503036ebcda08da00855d6c3903df56f6204584a3ed5ce1f6ec53737cfbbcc0aed45300c03000000dff01000100000b00040300010216030308670b0008630008600003b8308203b43082029ca003020102020103300d06092a864886f70d01010b050030
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x6b29e75269cdfe2030426126b755182c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 171 from 10.2.1.53:41523 to 10.2.2.35:1812
length 230
(3) User-Name = "rbadani"
(3) NAS-Identifier = "pakedge"
(3) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 0
(3) Calling-Station-Id = "34-F3-9A-86-59-57"
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) Acct-Session-Id = "196EB9DAB87DC1A9"
(3) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x02e400061900
(3) State = 0x6b29e75269cdfe2030426126b755182c
(3) Message-Authenticator = 0x32ce0d06029a65d0b7bde17bbedd6a2d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) policy rewrite_calling_station_id {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(3) update request {
(3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3) --> 34-F3-9A-86-59-57
(3) &Calling-Station-Id := 34-F3-9A-86-59-57
(3) } # update request = noop
(3) [updated] = updated
(3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_calling_station_id = updated
(3) authorized_macs: EXPAND %{Calling-Station-ID}
(3) authorized_macs: --> 34-F3-9A-86-59-57
(3) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(3) [authorized_macs] = ok
(3) if (!ok) {
(3) if (!ok) -> FALSE
(3) else {
(3) update control {
(3) Auth-Type := Accept
(3) } # update control = noop
(3) } # else = noop
(3) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(3) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(3) auth_log: EXPAND %t
(3) auth_log: --> Wed Dec 27 16:56:02 2017
(3) [auth_log] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 228 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = Accept
(3) Found Auth-Type = eap
(3) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x6b29e75269cdfe20
(3) eap: Finished EAP session with state 0x6b29e75269cdfe20
(3) eap: Previous EAP request found for state 0x6b29e75269cdfe20, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 229 length 1000
(3) eap: EAP session adding &reply:State = 0x6b29e75268ccfe20
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 171 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(3) EAP-Message =
0x01e503e8194071011954c4fbd3ea40e221db1dc5d77725bc6912e81c7f2ade46e59bab56d3bd12d1210004a23082049e30820386a003020102020900fb9eca29e490e9c3300d06092a864886f70d01010b0500307d310b3009060355040613025553310b300906035504080c024341310b300906035504
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x6b29e75268ccfe2030426126b755182c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 172 from 10.2.1.53:41523 to 10.2.2.35:1812
length 230
(4) User-Name = "rbadani"
(4) NAS-Identifier = "pakedge"
(4) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 0
(4) Calling-Station-Id = "34-F3-9A-86-59-57"
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) Acct-Session-Id = "196EB9DAB87DC1A9"
(4) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x02e500061900
(4) State = 0x6b29e75268ccfe2030426126b755182c
(4) Message-Authenticator = 0x7739a6384734a45ec44ace0b45406285
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) policy rewrite_calling_station_id {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(4) update request {
(4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4) --> 34-F3-9A-86-59-57
(4) &Calling-Station-Id := 34-F3-9A-86-59-57
(4) } # update request = noop
(4) [updated] = updated
(4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_calling_station_id = updated
(4) authorized_macs: EXPAND %{Calling-Station-ID}
(4) authorized_macs: --> 34-F3-9A-86-59-57
(4) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(4) [authorized_macs] = ok
(4) if (!ok) {
(4) if (!ok) -> FALSE
(4) else {
(4) update control {
(4) Auth-Type := Accept
(4) } # update control = noop
(4) } # else = noop
(4) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(4) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(4) auth_log: EXPAND %t
(4) auth_log: --> Wed Dec 27 16:56:02 2017
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 229 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = Accept
(4) Found Auth-Type = eap
(4) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x6b29e75268ccfe20
(4) eap: Finished EAP session with state 0x6b29e75268ccfe20
(4) eap: Previous EAP request found for state 0x6b29e75268ccfe20, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 230 length 583
(4) eap: EAP session adding &reply:State = 0x6b29e7526fcffe20
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 172 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(4) EAP-Message =
0x01e60247190073f384abcce0dc6bd99d41c7308a2ec286779db1ac2b4a9fa101913c9eff54715a9f99e2d2e6d6216d873cbac8894daa5fb56c68bf9bac69bbe516b2b8b0e0f187ffaca6abb8a1065d90af0d81b75ed06b75ef6c624c8e41b5f461944111a9bdbe4004178fdf81b1220f11bd3db9bc26a9
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x6b29e7526fcffe2030426126b755182c
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 173 from 10.2.1.53:41523 to 10.2.2.35:1812
length 360
(5) User-Name = "rbadani"
(5) NAS-Identifier = "pakedge"
(5) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 0
(5) Calling-Station-Id = "34-F3-9A-86-59-57"
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) Acct-Session-Id = "196EB9DAB87DC1A9"
(5) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message =
0x02e6008819800000007e1603030046100000424104d33c0ca6bed2496ed0ad157f243201b932ed73853b41b8def5f71764e3a434e98d15d1477fc921b14b1737929024dd22964795dc547dfad5ba1f6eaa05df358e140303000101160303002800000000000000005130785f81b63c506013130a51fa52
(5) State = 0x6b29e7526fcffe2030426126b755182c
(5) Message-Authenticator = 0x542305e6de3e64f4761fd45c4254dd66
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) policy rewrite_calling_station_id {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(5) update request {
(5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5) --> 34-F3-9A-86-59-57
(5) &Calling-Station-Id := 34-F3-9A-86-59-57
(5) } # update request = noop
(5) [updated] = updated
(5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_calling_station_id = updated
(5) authorized_macs: EXPAND %{Calling-Station-ID}
(5) authorized_macs: --> 34-F3-9A-86-59-57
(5) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(5) [authorized_macs] = ok
(5) if (!ok) {
(5) if (!ok) -> FALSE
(5) else {
(5) update control {
(5) Auth-Type := Accept
(5) } # update control = noop
(5) } # else = noop
(5) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(5) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(5) auth_log: EXPAND %t
(5) auth_log: --> Wed Dec 27 16:56:02 2017
(5) [auth_log] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 230 length 136
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = Accept
(5) Found Auth-Type = eap
(5) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x6b29e7526fcffe20
(5) eap: Finished EAP session with state 0x6b29e7526fcffe20
(5) eap: Previous EAP request found for state 0x6b29e7526fcffe20, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.2 [length 0046]
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: TLS_accept: SSLv3 read certificate verify A
(5) eap_peap: <<< recv TLS 1.2 [length 0001]
(5) eap_peap: <<< recv TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> send TLS 1.2 [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> send TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 231 length 57
(5) eap: EAP session adding &reply:State = 0x6b29e7526ecefe20
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 173 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(5) EAP-Message =
0x01e7003919001403030001011603030028dadb4eb42e0085becbd6fd6994801f5313c33c66c9cc80d3a42272a0d39d7b73ddc03b6589312f87
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x6b29e7526ecefe2030426126b755182c
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 174 from 10.2.1.53:41523 to 10.2.2.35:1812
length 265
(6) User-Name = "rbadani"
(6) NAS-Identifier = "pakedge"
(6) Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 0
(6) Calling-Station-Id = "34-F3-9A-86-59-57"
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) Acct-Session-Id = "196EB9DAB87DC1A9"
(6) Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message =
0x02e7002919800000001f150303001a000000000000000183535c188c7891749e86843fccb8f9afccd7
(6) State = 0x6b29e7526ecefe2030426126b755182c
(6) Message-Authenticator = 0x51b7e34c9a113e47185fa29ed2265939
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) policy rewrite_calling_station_id {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 34-F3-9A-86-59-57
(6) &Calling-Station-Id := 34-F3-9A-86-59-57
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_calling_station_id = updated
(6) authorized_macs: EXPAND %{Calling-Station-ID}
(6) authorized_macs: --> 34-F3-9A-86-59-57
(6) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(6) [authorized_macs] = ok
(6) if (!ok) {
(6) if (!ok) -> FALSE
(6) else {
(6) update control {
(6) Auth-Type := Accept
(6) } # update control = noop
(6) } # else = noop
(6) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(6) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(6) auth_log: EXPAND %t
(6) auth_log: --> Wed Dec 27 16:56:02 2017
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 231 length 41
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = Accept
(6) Found Auth-Type = eap
(6) ERROR: Warning: Found 2 auth-types on request for user 'rbadani'
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x6b29e7526ecefe20
(6) eap: Finished EAP session with state 0x6b29e7526ecefe20
(6) eap: Previous EAP request found for state 0x6b29e7526ecefe20, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 31 bytes
(6) eap_peap: Got complete TLS record (31 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: <<< recv TLS 1.2 [length 0002]
(6) eap_peap: ERROR: TLS Alert read:fatal:access denied
(6) eap_peap: WARNING: No data inside of the tunnel
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state ?
(6) eap_peap: ERROR: Tunneled data is invalid
(6) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(6) eap: Sending EAP Failure (code 4) ID 231 length 4
(6) eap: Failed in EAP select
(6) [eap] = invalid
(6) } # authenticate = invalid
(6) Failed to authenticate the user
(6) Login incorrect (Warning: Found 2 auth-types on request for user
'rbadani'): [rbadani] (from client 10.2.1.53 port 0 cli 34-F3-9A-86-59-57)
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> rbadani
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) [eap] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 174 from 10.2.2.35:1812 to 10.2.1.53:41523 length
44
(6) EAP-Message = 0x04e70004
(6) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 168 with timestamp +43
(1) Cleaning up request packet ID 169 with timestamp +43
(2) Cleaning up request packet ID 170 with timestamp +43
(3) Cleaning up request packet ID 171 with timestamp +43
(4) Cleaning up request packet ID 172 with timestamp +43
(5) Cleaning up request packet ID 173 with timestamp +43
(6) Cleaning up request packet ID 174 with timestamp +43
Ready to process requests
2
1
Hello,
Is there any way to return from a section in radiusd.conf without fall
through.
Eg:
preacct {
detail
if(condition)
{
return from this section
}
module1
module2
}
I don't want the request to go through module1 & module2 if the condition
is met. Is there any way to do this ?
Thanks
2
1