Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
February 2017
- 67 participants
- 80 discussions
13 Feb '17
Hello,
I´m running 3.0.12 and use the passwd-module of 3.0.13 (because of "notfound")
After changes in the passwd-file, the server receives a HUP.
This worked in 2.0.2
3.0.12 will give me
> Info: HUP - No files changed. Ignoring
I can confirm, that the passwd-file has changed, since the server has started.
What am I doing wrong?
(Found some entries in the mailing list, that this was a problem in
older versions but should have been fixed since 3.0.10?)
Is it better to change to 3.0.13 completely?
Is it stable?
Thank you very much.
3
2
Hi all,
I actually use FreeRADIUS Version 3.0.13 with PacketFence
and I have an issue when i try the rlm_rest.
If somoene Know why i have this issue :
rest: ERROR: Server returned:
(0) rest: ERROR: {"Reply-Message":"PacketFence does not support this
switch for read/write access
login","reply:PacketFence-Authorization-Status":"allow"}
This is my output radius -x :
0) Received Access-Request Id 10 from 192.168.10.14:1812 to
192.168.10.22:1812 length 122
(0) User-Name = "UserTest"
(0) User-Password = "p@55word"
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Identifier = "las1.albari"
(0) NAS-Port-Type = Ethernet
(0) Acct-Session-Id = "las1.al00000000000000da6bb650001055"
(0) NAS-IP-Address = 192.168.10.14
(0) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) authorize {
(0) update {
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 192.168.10.14
(0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14
(0) &control:PacketFence-RPC-Server = 127.0.0.1
(0) &control:PacketFence-RPC-Port = 7070
(0) &control:PacketFence-RPC-User =
(0) &control:PacketFence-RPC-Pass =
(0) &control:PacketFence-RPC-Proto = http
(0) EXPAND %l
(0) --> 1486992205
(0) &control:Tmp-Integer-0 := 1486992205
(0) &control:PacketFence-Request-Time := 0
(0) } # update = noop
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_calling_station_id = noop
(0) policy rewrite_called_station_id {
(0) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(0) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_called_station_id = noop
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = noop
(0) } # policy filter_username = noop
(0) policy filter_password {
(0) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(0) EXPAND %{string:User-Password}
(0) --> p@55word
(0) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = noop
(0) [preprocess] = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "UserTest", skipping NULL due to config.
(0) [suffix] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "UserTest", looking up realm NULL
(0) ntdomain: Found realm "null"
(0) ntdomain: Adding Stripped-User-Name = "UserTest"
(0) ntdomain: Adding Realm = "null"
(0) ntdomain: Authentication realm is LOCAL
(0) [ntdomain] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) if ( !EAP-Message ) {
(0) if ( !EAP-Message ) -> TRUE
(0) if ( !EAP-Message ) {
(0) update {
(0) &control:Auth-Type := Accept
(0) } # update = noop
(0) } # if ( !EAP-Message ) = noop
(0) policy packetfence-eap-mac-policy {
(0) if ( &EAP-Type ) {
(0) if ( &EAP-Type ) -> FALSE
(0) [noop] = noop
(0) } # policy packetfence-eap-mac-policy = noop
(0) pap: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(0) pap: WARNING: !!! Ignoring control:User-Password. Update
your !!!
(0) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(0) pap: WARNING: !!! password is in Cleartext-Password and NOT
in !!!
(0) pap: WARNING: !!!
User-Password. !!!
(0) pap: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) post-auth {
(0) update {
(0) EXPAND %{Packet-Src-IP-Address}
(0) --> 192.168.10.14
(0) &request:FreeRADIUS-Client-IP-Address := 192.168.10.14
(0) &control:PacketFence-RPC-Server = 127.0.0.1
(0) &control:PacketFence-RPC-Port = 7070
(0) &control:PacketFence-RPC-User =
(0) &control:PacketFence-RPC-Pass =
(0) &control:PacketFence-RPC-Proto = http
(0) } # update = noop
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> TRUE
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
rlm_rest (rest): Closing connection (0): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): Closing connection (1): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): Closing connection (2): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (3): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (4): Hit idle_timeout, was idle for
282 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use. You may need to increase
"spare"
rlm_rest (rest): Opening additional connection (5), 1 of 64 pending
slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:7070/"
rlm_rest (rest): Reserved connection (5)
(0) rest: Expanding URI components
(0) rest: EXPAND http://127.0.0.1:7070
(0) rest: --> http://127.0.0.1:7070
(0) rest: EXPAND //radius/rest/authorize
(0) rest: --> //radius/rest/authorize
(0) rest: Sending HTTP POST to
"http://127.0.0.1:7070//radius/rest/authorize"
(0) rest: Encoding attribute "User-Name"
(0) rest: Encoding attribute "User-Password"
(0) rest: Encoding attribute "NAS-IP-Address"
(0) rest: Encoding attribute "Service-Type"
(0) rest: Encoding attribute "Framed-Protocol"
(0) rest: Encoding attribute "NAS-Identifier"
(0) rest: Encoding attribute "NAS-Port-Type"
(0) rest: Encoding attribute "Acct-Session-Id"
(0) rest: Encoding attribute "Event-Timestamp"
(0) rest: Encoding attribute "Stripped-User-Name"
(0) rest: Encoding attribute "Realm"
(0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
(0) rest: Processing response header
(0) rest: Status : 401 (Unauthorized)
(0) rest: Type : json (application/json)
(0) rest: ERROR: Server returned:
(0) rest: ERROR: {"Reply-Message":"PacketFence does not support this
switch for read/write access
login","reply:PacketFence-Authorization-Status":"allow"}
rlm_rest (rest): Released connection (5)
rlm_rest (rest): Need 2 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (6), 1 of 63 pending
slots used
rlm_rest (rest): Connecting to "http://127.0.0.1:7070/"
(0) [rest] = invalid
(0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) )
= invalid
(0) } # post-auth = invalid
(0) Using Post-Auth-Type Reject
(0) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) Post-Auth-Type REJECT {
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> TRUE
(0) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(0) policy packetfence-audit-log-reject {
(0) if (&User-Name != "dummy") {
(0) if (&User-Name != "dummy") -> TRUE
(0) if (&User-Name != "dummy") {
(0) policy request-timing {
(0) if (control:PacketFence-Request-Time != 0) {
(0) if (control:PacketFence-Request-Time != 0) -> FALSE
(0) } # policy request-timing = noop
(0) sql_reject: EXPAND type.reject.query
(0) sql_reject: --> type.reject.query
(0) sql_reject: Using query template 'query'
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for
282 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for
282 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for
282 seconds
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for
282 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for
282 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for
282 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (6), 1 of 64 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket,
server version 5.5.52-MariaDB, protocol version 10
rlm_sql (sql): Reserved connection (6)
(0) sql_reject: EXPAND %{User-Name}
(0) sql_reject: --> UserTest
(0) sql_reject: SQL-User-Name set to 'UserTest'
(0) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac,
ip, computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id,
calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time) VALUES (
'%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
'%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}',
'%{request:Stripped-User-Name}', '%{request:Realm}',
'Radius-Access-Request', '%{%{control:PacketFence-Switch-Id}:-N/A}',
'%{%{control:PacketFence-Switch-Mac}:-N/A}',
'%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',
'%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
'%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}',
'%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',
'%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
'%{%{control:PacketFence-Connection-Type}:-N/A}',
'%{request:NAS-IP-Address}', '%{request:NAS-Identifier}',
'Reject', '%{request:Module-Failure-Message}',
'%{control:Auth-Type}', '%{request:EAP-Type}',
'%{%{control:PacketFence-Role}:-N/A}',
'%{%{control:PacketFence-Status}:-N/A}',
'%{%{control:PacketFence-Profile}:-N/A}',
'%{%{control:PacketFence-Source}:-N/A}',
'%{%{control:PacketFence-AutoReg}:-N/A}',
'%{%{control:PacketFence-IsPhone}:-N/A}',
'%{request:PacketFence-Domain}', '',
'%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
'%{%{control:PacketFence-Request-Time}:-N/A}')
(0) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip,
computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id,
calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time) VALUES ( '', '', 'N/A',
'UserTest', 'UserTest', 'null',
'Radius-Access-Request', 'N/A', 'N/A',
'N/A', '192.168.10.14', '', '', 'Ethernet', '',
'', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari',
'Reject', 'rest: Server returned:', 'Accept',
'', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A',
'N/A', '', '', 'User-Name =3D =22UserTest=22=2C
User-Password =3D =22p@55word=22=2C NAS-IP-Address =3D 192.168.10.14=2C
Service-Type =3D Framed-User=2C Framed-Protocol =3D PPP=2C
NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D Ethernet=2C
Acct-Session-Id =3D =22las1.al00000000000000da6bb650001055=22=2C
Event-Timestamp =3D =22févr. 13 2017 14:23:25 CET=22=2C
Stripped-User-Name =3D =22UserTest=22=2C Realm =3D =22null=22=2C
FreeRADIUS-Client-IP-Address =3D 192.168.10.14=2C Module-Failure-Message
=3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest:
=7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this
switch for read/write access
login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C
SQL-User-Name =3D =22UserTest=22','', '0')
(0) sql_reject: Executing query: INSERT INTO
radius_audit_log ( mac, ip, computer_name,
user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac,
switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type,
ssid, nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time) VALUES ( '', '', 'N/A',
'UserTest', 'UserTest', 'null',
'Radius-Access-Request', 'N/A', 'N/A',
'N/A', '192.168.10.14', '', '', 'Ethernet', '',
'', 'N/A', '', 'N/A', '192.168.10.14', 'las1.albari',
'Reject', 'rest: Server returned:', 'Accept',
'', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A',
'N/A', '', '', 'User-Name =3D =22UserTest=22=2C
User-Password =3D =22p@55word=22=2C NAS-IP-Address =3D 192.168.10.14=2C
Service-Type =3D Framed-User=2C Framed-Protocol =3D PPP=2C
NAS-Identifier =3D =22las1.albari=22=2C NAS-Port-Type =3D Ethernet=2C
Acct-Session-Id =3D =22las1.al00000000000000da6bb650001055=22=2C
Event-Timestamp =3D =22févr. 13 2017 14:23:25 CET=22=2C
Stripped-User-Name =3D =22UserTest=22=2C Realm =3D =22null=22=2C
FreeRADIUS-Client-IP-Address =3D 192.168.10.14=2C Module-Failure-Message
=3D =22rest: Server returned:=22=2C Module-Failure-Message =3D =22rest:
=7B=5C=22Reply-Message=5C=22:=5C=22PacketFence does not support this
switch for read/write access
login=5C=22=2C=5C=22reply:PacketFence-Authorization-Status=5C=22:=5C=22allow=5C=22=7D=22=2C
SQL-User-Name =3D =22UserTest=22','', '0')
(0) sql_reject: SQL query returned: success
(0) sql_reject: 1 record(s) updated
rlm_sql (sql): Released connection (6)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 63 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket,
server version 5.5.52-MariaDB, protocol version 10
(0) [sql_reject] = ok
(0) } # if (&User-Name != "dummy") = ok
(0) } # policy packetfence-audit-log-reject = ok
(0) } # if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) )
= ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> UserTest
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(0) attr_filter.packetfence_post_auth: --> UserTest
(0) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(0) [attr_filter.packetfence_post_auth] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(0) linelog: --> messages.Access-Accept
(0) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Accepted user:
%{reply:User-Name} and returned VLAN %{reply:Tunnel-Private-Group-ID}
(0) linelog: --> Mon Feb 13 14:23:25 2017 : [mac:] Accepted user:
and returned VLAN
(0) linelog: EXPAND /usr/local/pf/logs/radius.log
(0) linelog: --> /usr/local/pf/logs/radius.log
(0) [linelog] = ok
(0) } # Post-Auth-Type REJECT = updated
(0) Rejected in post-auth: [UserTest] (from client 192.168.10.0/24 port 0)
(0) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 10 from 192.168.10.22:1812 to
192.168.10.14:1812 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 10 with timestamp +282
Ready to process requests
Thanks for ur help
Best regards
2
2
Am I missing something here or have there been changes to the behavior
of passwd and unlang since 2.0.2?
If you could please have a look at the configuration (migrated from
2.0.2, where it was working)
and output below.
The username for the request is Mac284-1.
This username is NOT in the passwd-file, which explains the
"Failed retrieving values required to evaluate condition" part.
But then why is notfound -> FALSE?
Should´nt notfound be true and the request thus be rejected?
/etc/raddb/sites-enabled/default:
authorize {
...
maclist
if (notfound) {
reject
}
if ( mac-add !~ /%{Calling-Station-ID}/i) {
reject
}
...
}
/etc/raddb/mods-available/passwd:
passwd maclist {
filename = /etc/raddb/maclist
format = "*User-Name:~mac-add"
}
/etc/raddb/maclist:
Macxxx:00236C94ED49
And the output:
Fri Feb 10 19:10:31 2017 : Debug: (5) suffix: No '@' in User-Name =
"Mac284-1", looking up realm NULL
Fri Feb 10 19:10:31 2017 : Debug: (5) suffix: No such realm "NULL"
Fri Feb 10 19:10:31 2017 : Debug: (5) modsingle[authorize]:
returned from suffix (rlm_realm)
Fri Feb 10 19:10:31 2017 : Debug: (5) [suffix] = noop
Fri Feb 10 19:10:31 2017 : Debug: (5) if (Called-Station-ID =~ /:test$/) {
Fri Feb 10 19:10:31 2017 : Debug: No matches
Fri Feb 10 19:10:31 2017 : Debug: Adding 1 matches
Fri Feb 10 19:10:31 2017 : Debug: (5) if (Called-Station-ID =~
/:test$/) -> TRUE
Fri Feb 10 19:10:31 2017 : Debug: (5) if (Called-Station-ID =~ /:test$/) {
Fri Feb 10 19:10:31 2017 : Debug: (5) modsingle[authorize]:
calling eap (rlm_eap)
Fri Feb 10 19:10:31 2017 : Debug: (5) eap: Peer sent EAP Response
(code 2) ID 6 length 1276
Fri Feb 10 19:10:31 2017 : Debug: (5) eap: No EAP Start, assuming it's
an on-going EAP conversation
Fri Feb 10 19:10:31 2017 : Debug: (5) modsingle[authorize]:
returned from eap (rlm_eap)
Fri Feb 10 19:10:31 2017 : Debug: (5) [eap] = updated
Fri Feb 10 19:10:31 2017 : Debug: (5) modsingle[authorize]:
calling files (rlm_files)
Fri Feb 10 19:10:31 2017 : Debug: (5) modsingle[authorize]:
returned from files (rlm_files)
Fri Feb 10 19:10:31 2017 : Debug: (5) [files] = noop
Fri Feb 10 19:10:31 2017 : Debug: (5) modsingle[authorize]:
calling maclist (rlm_passwd)
Fri Feb 10 19:10:31 2017 : Debug: (5) modsingle[authorize]:
returned from maclist (rlm_passwd)
Fri Feb 10 19:10:31 2017 : Debug: (5) [maclist] = ok
Fri Feb 10 19:10:31 2017 : Debug: (5) if (notfound) {
Fri Feb 10 19:10:31 2017 : Debug: (5) if (notfound) -> FALSE
Fri Feb 10 19:10:31 2017 : Debug: (5) if ( mac-add !~
/%{Calling-Station-ID}/i) {
Fri Feb 10 19:10:31 2017 : ERROR: (5) Failed retrieving values
required to evaluate condition
2
3
Hi Forum,
i have setup a freeradius server with MySQL for Dynamic VLAN assignment. Everything works fine with TP-Link AP running openWRT.
Now I have changed to Unifi AP (Unifi Security Gateway Pro, Unifi Switch US-24 POE Unifi AP Pro) and the dynamic VLAN assignment will not work anymore. When I try to connect to the WPA2 Enterprise WLAN, credentials are accepted but I always been put to default VLAN.
I googled around and found the Link, but I had no success anyway.
http://freeradius.1045715.n5.nabble.com/Freeradius-and-Unifi-Vlan-td5743402… <http://freeradius.1045715.n5.nabble.com/Freeradius-and-Unifi-Vlan-td5743402…>
Anyone has any ideas to help me please?
Which further information do you need?
I have a full freeradius -X
Thanks
Foxy
freeradius debug:
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=0, length=162
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0267000a01766c616e32
Message-Authenticator = 0x06d999db3a89921c59829a06fc6a668c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 103 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 31
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.4.0.3 port 58475
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016800160410d4aaf5baf1249b0b9757e28baaeaaa5f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=1, length=178
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026800080319152b
State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f
Message-Authenticator = 0x832e2a49ed7f71a89ddd64c031384e96
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 104 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 30
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 10.4.0.3 port 58475
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016900061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=2, length=297
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0269007f19800000007516030100700100006c0301589ed44589c48a46cf539f29ccb55919d495885606f29ed44e2a6c29bd86d9eb00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f
Message-Authenticator = 0x36c578d87de859f5bb186da5d12f866d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 105 length 127
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 117
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 02ca], Certificate
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 10.4.0.3 port 58475
EAP-Message = 0x016a040019c0000004661603010039020000350301ca88fca516ec799abd1ac079f7dcde1a67301926aae2707dc648d90fad15555400c01400000dff01000100000b00040300010216030102ca0b0002c60002c30002c0308202bc308201a4a003020102020900a5fffa2bd980f52f300d06092a864886f70d01010b050030163114301206035504030c0b7261737062657272797069301e170d3136303531363039353930305a170d3236303531343039353930305a30163114301206035504030c0b726173706265727279706930820122300d06092a864886f70d01010105000382010f003082010a0282010100c3d09a5c1cf391c424a9db1c9546
EAP-Message = 0xe2d0d56ef0c7992e58cc9fddfcca2e1e792de870f1b44732e39760c9be69d00bee75ebb6544ef6e7552cd6071cf42a0314dfcf5f6588403e82906d1bdc76e22d83d897f5822cc3ad4e8688b26a7e51272de8f12178c18eeef3736db12c082c610cf4ed064ca669a8502cd0b304f9b347e9b6e792d22b7477447b724fc1a5b8feaa5bc2dab89c47f61083f2ad2a713346a45779f64738f78e6c6b50dd9fba57b8c429d9130ffe2852ae300f0da67338d241c7f9ed1a3edfd9e60e4a204888db9e7c2b2c4b2720cac0bb75955fdc8dededdcd3005b33e3c3665cb56f8fea647fe98b100ac37981f6664b06baf77672578b49510203010001a30d300b3009
EAP-Message = 0x0603551d1304023000300d06092a864886f70d01010b0500038201010059f5ccb527a5c95bd585d481cf2c0d940a2100bfe19c781f8fc6c9fe6ecf9581cc11899915a4a4a76f93ce5d9a27a1377e9f5b595d0c91b85158b46264b6bbf53d663f5972a29bb9ee27f94fa19c0e10cb315bbfff1a0b9dada6af7b44055bde3a97fce3d03d0e3d9dd2ca98d02899654c38e978067be45716b8095b7eec985ed5766a840d768fde1384f8d70c2b2b62f3bf1ce577e8c7e55870217ef8101973e33c417108d7645823438b1b637bf66d11755e23ccceabf7256480a3ce55f410d5479aa862e7cd048a3661213131c38bdcfae6a8223dbc92e680e4e8feee2c86
EAP-Message = 0xf60edf462d78a0cd61d0be2a807c82feddfb62a74cd23265bc34cf55c8de1296160301014b0c00014703001741049b8ce76c18bbad24703b1770055b370369335679cf94ea52ffcf0fb82725e6e4180acdba12d45dc91ce19392b2aeeb8af3081f8475a36236ad67689782d72840010035cfee51ff337f1eb937b5a66c75b726e96a2c585d4987a1cbda13df17060e3ae4791a5b09b611fab6be846494ba450248e1da4d1e693940510d3dd879dbe65927e90cd4d325b64514f1af880c2b8b6bd2b702f3315084069dadfde74e622f29654c3ba1862ec885bbf541858571ab5e12c1b9baf903ade005a27da49e31b4f80697c4901e100f61f6c093f751
EAP-Message = 0xc33825db86cc5193821c21c0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd059d4364f6758a6e7768e6c4f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=3, length=176
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026a00061900
State = 0x5bbe2fd059d4364f6758a6e7768e6c4f
Message-Authenticator = 0x99a1d9d626da9befea61798a088dcaa5
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 106 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 10.4.0.3 port 58475
EAP-Message = 0x016b0076190084b8ddc47f9ae932aad390c476d83be799f4a0573ba9ffc44bb7ab4acd2aee1bf8c481909e6fb235ad5904953e0da13f76cab712d08f270272699821617e7c9bbbf02fe16724e3e118fb1544a1425a42b33d7627f1ac1a3ab6b40de72becd841b631813edf992c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd058d5364f6758a6e7768e6c4f
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=4, length=314
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026b0090198000000086160301004610000042410492699d0b4133e01f3077df1dd32450bb838549add65693b94f1403cc929899231cbad80effab16998dbc60b8de0238ddbe8fefdbbe3e770c3f662d37b37371771403010001011603010030164a6ac78696439e80a7b6e06d205e5a2a6b9a90d8531892b0a24de189284588156554a2a15cbbcb8cc0e9e8f87810c8
State = 0x5bbe2fd058d5364f6758a6e7768e6c4f
Message-Authenticator = 0xbd183035d6eb70e1cf4df33759a104a0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 107 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 10.4.0.3 port 58475
EAP-Message = 0x016c0041190014030100010116030100302db38c5a4a30e8a20e40e33ea5c90ffc4390aa26733fa055d9e44df2df3fe2efec91ee64752fbaa81952491f4de66b73
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f
Finished request 4.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=5, length=176
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026c00061900
State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f
Message-Authenticator = 0xfe48702c915ce42bd6857c1c98c2ad33
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 108 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to 10.4.0.3 port 58475
EAP-Message = 0x016d002b19001703010020720525055a03208c8942699fac52371c34564e69c8ad2dca9670eb2ad7d7990b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f
Finished request 5.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=6, length=213
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026d002b1900170301002047bc3b02b2b161c69c407fcc9499570fc44846071487cddd3238a74a6f1b5486
State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f
Message-Authenticator = 0x3043fa8c67010675ab157c9b041ec8e0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 109 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - vlan2
[peap] Got inner identity 'vlan2'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x026d000a01766c616e32
server {
[peap] Setting User-Name to vlan2
Sending tunneled request
EAP-Message = 0x026d000a01766c616e32
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
NAS-IP-Address = 10.4.0.3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 109 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 29
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36bf07c49c7fdd6a5522e854fb
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36bf07c49c7fdd6a5522e854fb
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to 10.4.0.3 port 58475
EAP-Message = 0x016e003b19001703010030273a2344da33da6bd4f07a68939b2d6fe8f074d5c8fc5d3bd995b603066ecf0ebadaa7b9c6bb0857de06eb1732da1372
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f
Finished request 6.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=7, length=277
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026e006b190017030100609d599b8771f229409a0c80966b2d47df23ee2d458e0aa22554971c8dcbff5c8d6fd24841ac1f33f77b523ad33f435410bd3b5061388f389cf35852f2bbe989d6e79c80c01fa06efa1ac48960c28057604e2d52eaf27fcb9592b15bd81b9d9352
State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f
Message-Authenticator = 0x49a65641575dbc71665aa3a24ed858d4
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 110 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32
server {
[peap] Setting User-Name to vlan2
Sending tunneled request
EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "vlan2"
State = 0xbf69de36bf07c49c7fdd6a5522e854fb
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
NAS-IP-Address = 10.4.0.3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 110 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 28
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 28
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: vlan2
[mschap] Client is using MS-CHAPv2 for vlan2, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36be06c49c7fdd6a5522e854fb
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36be06c49c7fdd6a5522e854fb
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to 10.4.0.3 port 58475
EAP-Message = 0x016f005b19001703010050379671a1652397822077c4939f603c0697b5ad4acda69af23684b69747b835bc2eee51061ba9de8736ee1a212c16986b4976389fe0080d8f0d71a892795b124f8bcb4cf473180414321ba05012d9c804
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f
Finished request 7.
Going to the next request
Waking up in 2.1 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=8, length=213
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026f002b190017030100204e389e032c31ad1db1e6708b6e4b9d959b44e97a2133228df869f8852f589e6b
State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f
Message-Authenticator = 0x931630aa75d0a3402894d50d928802c2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 111 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x026f00061a03
server {
[peap] Setting User-Name to vlan2
Sending tunneled request
EAP-Message = 0x026f00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "vlan2"
State = 0xbf69de36be06c49c7fdd6a5522e854fb
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
NAS-IP-Address = 10.4.0.3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 111 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 27
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 27
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x036f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "vlan2"
[peap] Got tunneled reply RADIUS code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x036f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "vlan2"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to 10.4.0.3 port 58475
EAP-Message = 0x0170002b1900170301002016ca7fa553aa22f428b1cc092d8c0edce568f4304d792dc1e4f3ee96aee7dbf4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd053ce364f6758a6e7768e6c4f
Finished request 8.
Going to the next request
Waking up in 2.0 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=9, length=213
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0270002b19001703010020f1fad92ca1690eeab1fd596f4e05814f52fe6ca28544b4fa55eee6ea9709ba21
State = 0x5bbe2fd053ce364f6758a6e7768e6c4f
Message-Authenticator = 0xdb9f0883a110094183004dd28a6f5261
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 112 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
User-Name = "vlan2"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vlan2', '', 'Access-Accept', '2017-02-11 09:54:40')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vlan2', '', 'Access-Accept', '2017-02-11 09:54:40')
rlm_sql (sql): Reserving sql socket id: 26
rlm_sql (sql): Released sql socket id: 26
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 9 to 10.4.0.3 port 58475
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
User-Name = "vlan2"
MS-MPPE-Recv-Key = 0xc42271ac1c9ce5bd6fd9be65a9eaf0b2c9512de5a0561888d8c4443a42a3ea0e
MS-MPPE-Send-Key = 0xe57e91b287bd2e2d536e08176c9a61fdaa9ae60687e59db5310af032b8c3e430
EAP-Message = 0x03700004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 2.0 seconds.
Cleaning up request 0 ID 0 with timestamp +47
Cleaning up request 1 ID 1 with timestamp +47
Cleaning up request 2 ID 2 with timestamp +47
Cleaning up request 3 ID 3 with timestamp +47
Waking up in 2.6 seconds.
Cleaning up request 4 ID 4 with timestamp +49
Cleaning up request 5 ID 5 with timestamp +49
Cleaning up request 6 ID 6 with timestamp +49
Cleaning up request 7 ID 7 with timestamp +49
Cleaning up request 8 ID 8 with timestamp +50
Cleaning up request 9 ID 9 with timestamp +50
Ready to process requests.
2
4
Hello.
At what stage of AAA does FreeRADIUS send the SQL server the
'simul_check' and the 'simul_verify' queries? What other information
than the "Username" can I send to a custom query at this stage?
Best regards.
Selahattin CILEK
5
7
I've just set up a test wireless network that assigns users IPv6
addresses. From an Airheads page I found the following re IPv6 accounting
:-
==============
Pre 6.5, we can only perform authentication/authorization of IPv6 clients.
Starting Aruba OS 6.5, we have the capability to monitor the bandwidth
usage of the clients with IPv6 addresses.
* We are following RFC 6911 which defines the attributes to be used for
IPv6 access networks.
* The *Framed-IPv6-Address* is the key attribute and will be used in
accounting start, stop and interim packets.
* With IPv6 implementation, it is possible for a single host to have
multiple IPv6 addresses.
* We now have ability to track the usage of each and every IPv6 entry.
A host can have both IPv4 andIPv6 addresses. Following behavior is expected
in the mentioned scenarios-
*With one IPv6 address:*
Start, stop and interim update messages are sent for the only IPv6
address.
*With one each IPv4 and IPv6 address:*
Start, stop and interim update messages are sent for both IPv4 and IPv6
address.
*With multiple IPv6 address:*
Start, stop and interim update messages are sent for each of the IPv6
addresses.
*With multiple IPv6 and multiple IPv4 address:*
Start, stop and interim update messages are sent for each of the IPv6
addresses.
Start message is sent only for the first IPv4 address.
Interim updates are sent for all the IPv4 addresses.
•Stop message is sent only for the last IPv4 entry.
=======
however looking at both queries.conf and schema.conf , there doesn't seem
to be any reference to supporting IPv6 addresses via the Framd-ipv6-address
attribute.
Tried looking at the FR v4 source for queries.conf and schema.conf on
github and there's no reference to Framed-IPv6-Adddress there either.
Is this something I've got to roll out myself?
Rgds
Alex
2
1
Hello,
I´m trying to migrate an old installation of freeradius to a more recent system.
Old version is 2.0.2
Target system is running CentOS 7 and the packaged version of
freeradius, which is 3.0.4
The setup on the old server is using the passwd-module and unlang to
bind the username (which comes from a certificate) to a mac-address
and checks the validity of the username.
MAC-address is added to request.
/etc/raddb/mods-enabled/passwd:
passwd maclist {
filename = /etc/raddb/maclist
format = "*User-Name:~mac-add"
}
/etc/raddb/sites-enabled/default:
...
authorize {
...
maclist
if (notfound) {
reject
}
if ( mac-add !~ /%{Calling-Station-ID}/i) {
reject
}
...
/etc/raddb/dictionary:
ATTRIBUTE mac-add 3005 string
On access-request I´ll get the following error, and the check is not working:
(1) [maclist] = ok
(1) if (notfound)
(1) if (notfound) -> FALSE
(1) if ( mac-add !~ /%{Calling-Station-ID}/i)
(1) EXPAND %{Calling-Station-ID}
(1) --> 00236c94ed49
(1) ERROR: Failed retrieving values required to evaluate condition
What am I doing wrong?
Full debug and connection log below.
Thank you very much.
[root@radrad raddb]# radiusd -X
radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu,
built on Mar 5 2015 at 23:41:36
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/www/path/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 192.168.2.42 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = "cisco-wlc"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client
192.168.2.42. Please fix your configuration
Support for old-style clients will be removed in a future release
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_always
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 1024
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_exec
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "cistron"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
checks for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/authorize
[/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility
checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility
checks for entry DEFAULT ...
[/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility
checks for entry DEFAULT ...
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_linelog
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{Packet-Type}:-default}"
}
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Instantiating module "maclist" from file /etc/raddb/mods-enabled/passwd
passwd maclist {
filename = "/etc/raddb/maclist"
format = "*User-Name:~mac-add"
delimiter = ":"
ignore_nislike = yes
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_unpack
# Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address :: port 1812 as server default
Listening on acct address :: port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 44568
Ready to process requests
Received Access-Request Id 16 from 192.168.2.42:32769 to
10.1.2.27:1812 length 241
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000d014d61633238342d31
Message-Authenticator = 0x1ab41330ba943539bcc92c8db9966a0f
(0) Received Access-Request packet from host 192.168.2.42 port 32769,
id=16, length=241
(0) User-Name = 'Mac284-1'
(0) Chargeable-User-Identity = 0x00
(0) Location-Capable = Civix-Location
(0) Calling-Station-Id = '00236c94ed49'
(0) Called-Station-Id = '34a84edc9b40:test'
(0) NAS-Port = 1
(0) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(0) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(0) NAS-IP-Address = 192.168.2.42
(0) NAS-Identifier = 'cisco-wlc'
(0) Airespace-Wlan-Id = 6
(0) Service-Type = Framed-User
(0) Framed-MTU = 1300
(0) NAS-Port-Type = Wireless-802.11
(0) EAP-Message = 0x0201000d014d61633238342d31
(0) Message-Authenticator = 0x1ab41330ba943539bcc92c8db9966a0f
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\\./)
(0) if (&User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) if (Called-Station-ID =~ /:test$/)
(0) if (Called-Station-ID =~ /:test$/) -> TRUE
(0) if (Called-Station-ID =~ /:test$/) {
(0) eap : Peer sent code Response (2) ID 1 length 13
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0) [eap] = ok
(0) } # if (Called-Station-ID =~ /:test$/) = ok
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not
setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good"
password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply 0x3286ec463284e8a3
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 192.168.2.42 port 32769,
id=16, length=0
(0) EAP-Message = 0x01020016041022c02db351bae08c46ab81cb684e2bc8
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x3286ec463284e8a3af3e7e5c1128d5dc
Sending Access-Challenge Id 16 from 10.1.2.27:1812 to 192.168.2.42:32769
EAP-Message = 0x01020016041022c02db351bae08c46ab81cb684e2bc8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3286ec463284e8a3af3e7e5c1128d5dc
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 17 from 192.168.2.42:32769 to
10.1.2.27:1812 length 252
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02020006030d
State = 0x3286ec463284e8a3af3e7e5c1128d5dc
Message-Authenticator = 0x3951d3d7ec148c5021d91af9b33ae8f4
(1) Received Access-Request packet from host 192.168.2.42 port 32769,
id=17, length=252
(1) User-Name = 'Mac284-1'
(1) Chargeable-User-Identity = 0x00
(1) Location-Capable = Civix-Location
(1) Calling-Station-Id = '00236c94ed49'
(1) Called-Station-Id = '34a84edc9b40:test'
(1) NAS-Port = 1
(1) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(1) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(1) NAS-IP-Address = 192.168.2.42
(1) NAS-Identifier = 'cisco-wlc'
(1) Airespace-Wlan-Id = 6
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) EAP-Message = 0x02020006030d
(1) State = 0x3286ec463284e8a3af3e7e5c1128d5dc
(1) Message-Authenticator = 0x3951d3d7ec148c5021d91af9b33ae8f4
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\\./)
(1) if (&User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) if (Called-Station-ID =~ /:test$/)
(1) if (Called-Station-ID =~ /:test$/) -> TRUE
(1) if (Called-Station-ID =~ /:test$/) {
(1) eap : Peer sent code Response (2) ID 2 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [maclist] = ok
(1) if (notfound)
(1) if (notfound) -> FALSE
(1) if ( mac-add !~ /%{Calling-Station-ID}/i)
(1) EXPAND %{Calling-Station-ID}
(1) --> 00236c94ed49
(1) ERROR: Failed retrieving values required to evaluate condition
(1) } # if (Called-Station-ID =~ /:test$/) = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : No "known good" password found for the user. Not
setting Auth-Type
(1) WARNING: pap : Authentication will fail unless a "known good"
password is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x3286ec463284e8a3
(1) eap : Finished EAP session with state 0x3286ec463284e8a3
(1) eap : Previous EAP request found for state 0x3286ec463284e8a3,
released from the list
(1) eap : Peer sent method NAK (3)
(1) eap : Found mutually acceptable type TLS (13)
(1) eap : Calling eap_tls to process EAP data
(1) eap_tls : Flushing SSL sessions (of #0)
(1) eap_tls : Requiring client certificate
(1) eap_tls : Initiate
(1) eap_tls : Requiring client certificate
(1) eap_tls : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0x3286ec463385e1a3
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 192.168.2.42 port 32769,
id=17, length=0
(1) EAP-Message = 0x010300060d20
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x3286ec463385e1a3af3e7e5c1128d5dc
Sending Access-Challenge Id 17 from 10.1.2.27:1812 to 192.168.2.42:32769
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3286ec463385e1a3af3e7e5c1128d5dc
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 18 from 192.168.2.42:32769 to
10.1.2.27:1812 length 398
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300980d800000008e1603010089010000850301589c70aac65ee802893e9669a76d4b6ba5245eadb48ca2b02ca1a2c67e308b5e00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0x3286ec463385e1a3af3e7e5c1128d5dc
Message-Authenticator = 0x544710c4d800cca04ae8d70b22ba2bd6
(2) Received Access-Request packet from host 192.168.2.42 port 32769,
id=18, length=398
(2) User-Name = 'Mac284-1'
(2) Chargeable-User-Identity = 0x00
(2) Location-Capable = Civix-Location
(2) Calling-Station-Id = '00236c94ed49'
(2) Called-Station-Id = '34a84edc9b40:test'
(2) NAS-Port = 1
(2) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(2) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(2) NAS-IP-Address = 192.168.2.42
(2) NAS-Identifier = 'cisco-wlc'
(2) Airespace-Wlan-Id = 6
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message =
0x020300980d800000008e1603010089010000850301589c70aac65ee802893e9669a76d4b6ba5245eadb48ca2b02ca1a2c67e308b5e00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
(2) State = 0x3286ec463385e1a3af3e7e5c1128d5dc
(2) Message-Authenticator = 0x544710c4d800cca04ae8d70b22ba2bd6
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (!&User-Name)
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\\./)
(2) if (&User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) if (Called-Station-ID =~ /:test$/)
(2) if (Called-Station-ID =~ /:test$/) -> TRUE
(2) if (Called-Station-ID =~ /:test$/) {
(2) eap : Peer sent code Response (2) ID 3 length 152
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [maclist] = ok
(2) if (notfound)
(2) if (notfound) -> FALSE
(2) if ( mac-add !~ /%{Calling-Station-ID}/i)
(2) EXPAND %{Calling-Station-ID}
(2) --> 00236c94ed49
(2) ERROR: Failed retrieving values required to evaluate condition
(2) } # if (Called-Station-ID =~ /:test$/) = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x3286ec463385e1a3
(2) eap : Finished EAP session with state 0x3286ec463385e1a3
(2) eap : Previous EAP request found for state 0x3286ec463385e1a3,
released from the list
(2) eap : Peer sent method TLS (13)
(2) eap : EAP TLS (13)
(2) eap : Calling eap_tls to process EAP data
(2) eap_tls : Authenticate
(2) eap_tls : processing EAP-TLS
TLS Length 142
(2) eap_tls : Length Included
(2) eap_tls : eaptls_verify returned 11
(2) eap_tls : (other): before/accept initialization
(2) eap_tls : TLS_accept: before/accept initialization
(2) eap_tls : <<< TLS 1.0 Handshake [length 0089], ClientHello
(2) eap_tls : TLS_accept: SSLv3 read client hello A
(2) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_tls : TLS_accept: SSLv3 write server hello A
(2) eap_tls : >>> TLS 1.0 Handshake [length 07aa], Certificate
(2) eap_tls : TLS_accept: SSLv3 write certificate A
(2) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_tls : TLS_accept: SSLv3 write key exchange A
(2) eap_tls : >>> TLS 1.0 Handshake [length 00b9], CertificateRequest
(2) eap_tls : TLS_accept: SSLv3 write certificate request A
(2) eap_tls : TLS_accept: SSLv3 flush data
(2) eap_tls : TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_tls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply 0x3286ec463082e1a3
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 192.168.2.42 port 32769,
id=18, length=0
(2) EAP-Message =
0x010403ec0dc000000a1b1603010059020000550301589c70a92d3e8d6b590e516b0aa7cb43a4bce8de31334b620f07e5f22ac9e194204fc06eb146aaf33925cb9503d38e0aed4ef2b6b082f6e485abf50ceb399cae73c01400000dff01000100000b00040300010216030107aa0b0007a60007a30003cf308203cb308202b3a003020102020101300d06092a864886f70d01010405003081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d4341301e170d3038303830353131333532335a170d3138303830333131333532335a308191310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d62657267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f676965310f300d060355040313064d61633333393125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e646530820122
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3286ec463082e1a3af3e7e5c1128d5dc
Sending Access-Challenge Id 18 from 10.1.2.27:1812 to 192.168.2.42:32769
EAP-Message = 0x010403ec0dc000000a1b1603010059020000550301589c70a92d3e8d6b590e516b0aa7cb43a4bce8de31334b620f07e5f22ac9e194204fc06eb146aaf33925cb9503d38e0aed4ef2b6b082f6e485abf50ceb399cae73c01400000dff01000100000b00040300010216030107aa0b0007a60007a30003cf308203cb308202b3a003020102020101300d06092a864886f70d01010405003081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d4341301e170d3038303830353131333532335a170d3138303830333131333532335a308191310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d62657267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f676965310f300d060355040313064d61633333393125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653082012
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3286ec463082e1a3af3e7e5c1128d5dc
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 19 from 192.168.2.42:32769 to
10.1.2.27:1812 length 252
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400060d00
State = 0x3286ec463082e1a3af3e7e5c1128d5dc
Message-Authenticator = 0x0d72f1f75ef029f407528b3aeefb8e35
(3) Received Access-Request packet from host 192.168.2.42 port 32769,
id=19, length=252
(3) User-Name = 'Mac284-1'
(3) Chargeable-User-Identity = 0x00
(3) Location-Capable = Civix-Location
(3) Calling-Station-Id = '00236c94ed49'
(3) Called-Station-Id = '34a84edc9b40:test'
(3) NAS-Port = 1
(3) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(3) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(3) NAS-IP-Address = 192.168.2.42
(3) NAS-Identifier = 'cisco-wlc'
(3) Airespace-Wlan-Id = 6
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x020400060d00
(3) State = 0x3286ec463082e1a3af3e7e5c1128d5dc
(3) Message-Authenticator = 0x0d72f1f75ef029f407528b3aeefb8e35
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (!&User-Name)
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\\./)
(3) if (&User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) if (Called-Station-ID =~ /:test$/)
(3) if (Called-Station-ID =~ /:test$/) -> TRUE
(3) if (Called-Station-ID =~ /:test$/) {
(3) eap : Peer sent code Response (2) ID 4 length 6
(3) eap : No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [maclist] = ok
(3) if (notfound)
(3) if (notfound) -> FALSE
(3) if ( mac-add !~ /%{Calling-Station-ID}/i)
(3) EXPAND %{Calling-Station-ID}
(3) --> 00236c94ed49
(3) ERROR: Failed retrieving values required to evaluate condition
(3) } # if (Called-Station-ID =~ /:test$/) = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x3286ec463082e1a3
(3) eap : Finished EAP session with state 0x3286ec463082e1a3
(3) eap : Previous EAP request found for state 0x3286ec463082e1a3,
released from the list
(3) eap : Peer sent method TLS (13)
(3) eap : EAP TLS (13)
(3) eap : Calling eap_tls to process EAP data
(3) eap_tls : Authenticate
(3) eap_tls : processing EAP-TLS
(3) eap_tls : Received TLS ACK
(3) eap_tls : Received TLS ACK
(3) eap_tls : ACK handshake fragment handler
(3) eap_tls : eaptls_verify returned 1
(3) eap_tls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply 0x3286ec463183e1a3
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 192.168.2.42 port 32769,
id=19, length=0
(3) EAP-Message =
0x010503ec0dc000000a1b6a659dcfe39398cfd9c7305d004b5811091a9b899ee9b7a4819aa20ec49b1337c6e1d01b9e96cebec78d7126da71b4cf35fa43ea2403b4ee8b9e4977e98fd081db3845bc77321dfad9c86cfbb4e8802c3600d406856db21e19d20003ce308203ca308202b202090098b6bd1078043d7c300d06092a864886f70d01010405003081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d4341301e170d3038303830353131333531305a170d3138303830333131333531305a3081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3286ec463183e1a3af3e7e5c1128d5dc
Sending Access-Challenge Id 19 from 10.1.2.27:1812 to 192.168.2.42:32769
EAP-Message = 0x010503ec0dc000000a1b6a659dcfe39398cfd9c7305d004b5811091a9b899ee9b7a4819aa20ec49b1337c6e1d01b9e96cebec78d7126da71b4cf35fa43ea2403b4ee8b9e4977e98fd081db3845bc77321dfad9c86cfbb4e8802c3600d406856db21e19d20003ce308203ca308202b202090098b6bd1078043d7c300d06092a864886f70d01010405003081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d4341301e170d3038303830353131333531305a170d3138303830333131333531305a3081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d50494
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3286ec463183e1a3af3e7e5c1128d5dc
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 20 from 192.168.2.42:32769 to
10.1.2.27:1812 length 252
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500060d00
State = 0x3286ec463183e1a3af3e7e5c1128d5dc
Message-Authenticator = 0x4cc5f7ef51a86729426329df7f3dcabd
(4) Received Access-Request packet from host 192.168.2.42 port 32769,
id=20, length=252
(4) User-Name = 'Mac284-1'
(4) Chargeable-User-Identity = 0x00
(4) Location-Capable = Civix-Location
(4) Calling-Station-Id = '00236c94ed49'
(4) Called-Station-Id = '34a84edc9b40:test'
(4) NAS-Port = 1
(4) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(4) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(4) NAS-IP-Address = 192.168.2.42
(4) NAS-Identifier = 'cisco-wlc'
(4) Airespace-Wlan-Id = 6
(4) Service-Type = Framed-User
(4) Framed-MTU = 1300
(4) NAS-Port-Type = Wireless-802.11
(4) EAP-Message = 0x020500060d00
(4) State = 0x3286ec463183e1a3af3e7e5c1128d5dc
(4) Message-Authenticator = 0x4cc5f7ef51a86729426329df7f3dcabd
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (!&User-Name)
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\\./)
(4) if (&User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) if (Called-Station-ID =~ /:test$/)
(4) if (Called-Station-ID =~ /:test$/) -> TRUE
(4) if (Called-Station-ID =~ /:test$/) {
(4) eap : Peer sent code Response (2) ID 5 length 6
(4) eap : No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [maclist] = ok
(4) if (notfound)
(4) if (notfound) -> FALSE
(4) if ( mac-add !~ /%{Calling-Station-ID}/i)
(4) EXPAND %{Calling-Station-ID}
(4) --> 00236c94ed49
(4) ERROR: Failed retrieving values required to evaluate condition
(4) } # if (Called-Station-ID =~ /:test$/) = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x3286ec463183e1a3
(4) eap : Finished EAP session with state 0x3286ec463183e1a3
(4) eap : Previous EAP request found for state 0x3286ec463183e1a3,
released from the list
(4) eap : Peer sent method TLS (13)
(4) eap : EAP TLS (13)
(4) eap : Calling eap_tls to process EAP data
(4) eap_tls : Authenticate
(4) eap_tls : processing EAP-TLS
(4) eap_tls : Received TLS ACK
(4) eap_tls : Received TLS ACK
(4) eap_tls : ACK handshake fragment handler
(4) eap_tls : eaptls_verify returned 1
(4) eap_tls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply 0x3286ec463680e1a3
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 192.168.2.42 port 32769,
id=20, length=0
(4) EAP-Message =
0x010602610d8000000a1bf72d066d93329bb942fb06862c2fec2ad76c4157b0754ad679a5e2f689478c827dfd4dd53ad9f59f6404326d34ce7ad3d9d4665ea116bd4fedbf129944c8ad1048bfbfb88824da246b160301014b0c0001470300174104c2461c8f32df8e6307d2e4ab9e1d173d34da3585659b3300afbc3546f542d5d7ea943a06eb2bb63df06fd8b87e5a9bf5347f2ec50c3a32ffa96969a6826219d301003c2f99660402340ca595bb777f5a889bfc2ac0443e1e8eafcfc79e09e3a05367243cd8836cf22fed170916ceb56c798273373b0f4cd74ecef5125e2b44c5286b6e11cfc67d0b61044504831e32883d3e1a5b4754555ab3da7f0f8bd34ade833a348de84deb693f03264ecaa21433425ea4cc90b4ef45d550e28fdcc2b326d4621a6b3180fc8e1a29e918aa172df73340dff26aae525b75d5d2c1ba77180ab1be713019fb700c3afa8e73ca37e91a411d35882f2db08085ae20191bcc76d11f7cdf51a2a59308ad90d02cdc77aa1956810982b63dca940584f2f1b57b61ef8329354335824d72515d005f3b73a88846e6bb68c511a2e0b06ab0f595b009303e1916030100b90d0000b10301024000ab00a93081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d30
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x3286ec463680e1a3af3e7e5c1128d5dc
Sending Access-Challenge Id 20 from 10.1.2.27:1812 to 192.168.2.42:32769
EAP-Message = 0x010602610d8000000a1bf72d066d93329bb942fb06862c2fec2ad76c4157b0754ad679a5e2f689478c827dfd4dd53ad9f59f6404326d34ce7ad3d9d4665ea116bd4fedbf129944c8ad1048bfbfb88824da246b160301014b0c0001470300174104c2461c8f32df8e6307d2e4ab9e1d173d34da3585659b3300afbc3546f542d5d7ea943a06eb2bb63df06fd8b87e5a9bf5347f2ec50c3a32ffa96969a6826219d301003c2f99660402340ca595bb777f5a889bfc2ac0443e1e8eafcfc79e09e3a05367243cd8836cf22fed170916ceb56c798273373b0f4cd74ecef5125e2b44c5286b6e11cfc67d0b61044504831e32883d3e1a5b4754555ab3da7f0f8bd34ade833a348de84deb693f03264ecaa21433425ea4cc90b4ef45d550e28fdcc2b326d4621a6b3180fc8e1a29e918aa172df73340dff26aae525b75d5d2c1ba77180ab1be713019fb700c3afa8e73ca37e91a411d35882f2db08085ae20191bcc76d11f7cdf51a2a59308ad90d02cdc77aa1956810982b63dca940584f2f1b57b61ef8329354335824d72515d005f3b73a88846e6bb68c511a2e0b06ab0f595b009303e1916030100b90d0000b10301024000ab00a93081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3286ec463680e1a3af3e7e5c1128d5dc
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 21 from 192.168.2.42:32769 to
10.1.2.27:1812 length 1532
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020604fc0dc00000094416030107ae0b0007aa0007a70003d3308203cf308202b7a0030201020202016e300d06092a864886f70d01010405003081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d4341301e170d3135303330343132323032395a170d3137303330333132323032395a308194310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d62657267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653111300f060355040313084d61633238342d313126302406092a864886f70d01090116176275726765727740696d6d756e62696f2e6d70672e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100c7a68bc70a10d04e8ced6f282c2b2d34b377a921a0842d587090342f761117222f0567dafba7bfc025cca4e4eb7f0648ffdc2eb4a068cb063f5c76644
State = 0x3286ec463680e1a3af3e7e5c1128d5dc
Message-Authenticator = 0x10295592d7b1c2ce3bb27ca74014847d
(5) Received Access-Request packet from host 192.168.2.42 port 32769,
id=21, length=1532
(5) User-Name = 'Mac284-1'
(5) Chargeable-User-Identity = 0x00
(5) Location-Capable = Civix-Location
(5) Calling-Station-Id = '00236c94ed49'
(5) Called-Station-Id = '34a84edc9b40:test'
(5) NAS-Port = 1
(5) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(5) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(5) NAS-IP-Address = 192.168.2.42
(5) NAS-Identifier = 'cisco-wlc'
(5) Airespace-Wlan-Id = 6
(5) Service-Type = Framed-User
(5) Framed-MTU = 1300
(5) NAS-Port-Type = Wireless-802.11
(5) EAP-Message =
0x020604fc0dc00000094416030107ae0b0007aa0007a70003d3308203cf308202b7a0030201020202016e300d06092a864886f70d01010405003081a6310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d4341301e170d3135303330343132323032395a170d3137303330333132323032395a308194310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d62657267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653111300f060355040313084d61633238342d313126302406092a864886f70d01090116176275726765727740696d6d756e62696f2e6d70672e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100c7a68bc70a10d04e8ced6f282c2b2d34b377a921a0842d587090342f761117222f0567dafba7bfc025cca4e4eb7f0648ffdc2eb4a068cb063f5c766443
(5) State = 0x3286ec463680e1a3af3e7e5c1128d5dc
(5) Message-Authenticator = 0x10295592d7b1c2ce3bb27ca74014847d
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (!&User-Name)
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\\./)
(5) if (&User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) if (Called-Station-ID =~ /:test$/)
(5) if (Called-Station-ID =~ /:test$/) -> TRUE
(5) if (Called-Station-ID =~ /:test$/) {
(5) eap : Peer sent code Response (2) ID 6 length 1276
(5) eap : No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [maclist] = ok
(5) if (notfound)
(5) if (notfound) -> FALSE
(5) if ( mac-add !~ /%{Calling-Station-ID}/i)
(5) EXPAND %{Calling-Station-ID}
(5) --> 00236c94ed49
(5) ERROR: Failed retrieving values required to evaluate condition
(5) } # if (Called-Station-ID =~ /:test$/) = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x3286ec463680e1a3
(5) eap : Finished EAP session with state 0x3286ec463680e1a3
(5) eap : Previous EAP request found for state 0x3286ec463680e1a3,
released from the list
(5) eap : Peer sent method TLS (13)
(5) eap : EAP TLS (13)
(5) eap : Calling eap_tls to process EAP data
(5) eap_tls : Authenticate
(5) eap_tls : processing EAP-TLS
TLS Length 2372
(5) eap_tls : Received EAP-TLS First Fragment of the message
(5) eap_tls : eaptls_verify returned 9
(5) eap_tls : eaptls_process returned 13
(5) eap : New EAP session, adding 'State' attribute to reply 0x3286ec463781e1a3
(5) [eap] = handled
(5) } # authenticate = handled
(5) Sending Access-Challenge packet to host 192.168.2.42 port 32769,
id=21, length=0
(5) EAP-Message = 0x010700060d00
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x3286ec463781e1a3af3e7e5c1128d5dc
Sending Access-Challenge Id 21 from 10.1.2.27:1812 to 192.168.2.42:32769
EAP-Message = 0x010700060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3286ec463781e1a3af3e7e5c1128d5dc
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 22 from 192.168.2.42:32769 to
10.1.2.27:1812 length 1366
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020704580d007565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ddb3cbfbf6c5d677919df998e53625f1a01f7f67f3f2ec6c6c5ccb191b3bf2f8e4f3181a5e19352d9f5d6b9ad47b3572d4f6ea9a950f83c71b883af3701eb83dc7865e128163d7d88010568aa8a577430a4faa87725f1e7cd5f8342cef30e4336358d938add380f3877ed14eb3d9551c76aea9fa556084e64552283d48e23904e4b5490c3273dc168f52ed8c877c2ac37d0bb94ceabaf24954c479d0f65c81c4669f7b7e345f6d9b900b46eafb6dc0ceeeb5e41b5f38e92f9a8f760acf2d8dccb5c21e9f2ff4262e9cde23b5f7372552da398c6e54480f0f86e57e55a90866603edfc5888775d4413085f7786538c6a1cd20e26cb6d62a4f42b08b944292ab350203010001300d06092a864886f70d01010405000382010100101eda3f790f087c8060506e9218801409545d0d275b72add6d46ffb7773caa39450a32462da5829cb13b0a5d256a4b
State = 0x3286ec463781e1a3af3e7e5c1128d5dc
Message-Authenticator = 0x5876b9620fed3f65ab38aa94397a1e96
(6) Received Access-Request packet from host 192.168.2.42 port 32769,
id=22, length=1366
(6) User-Name = 'Mac284-1'
(6) Chargeable-User-Identity = 0x00
(6) Location-Capable = Civix-Location
(6) Calling-Station-Id = '00236c94ed49'
(6) Called-Station-Id = '34a84edc9b40:test'
(6) NAS-Port = 1
(6) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(6) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(6) NAS-IP-Address = 192.168.2.42
(6) NAS-Identifier = 'cisco-wlc'
(6) Airespace-Wlan-Id = 6
(6) Service-Type = Framed-User
(6) Framed-MTU = 1300
(6) NAS-Port-Type = Wireless-802.11
(6) EAP-Message =
0x020704580d007565727474656d626572673111300f060355040713084672656962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769653125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653111300f060355040313084d504949422d434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ddb3cbfbf6c5d677919df998e53625f1a01f7f67f3f2ec6c6c5ccb191b3bf2f8e4f3181a5e19352d9f5d6b9ad47b3572d4f6ea9a950f83c71b883af3701eb83dc7865e128163d7d88010568aa8a577430a4faa87725f1e7cd5f8342cef30e4336358d938add380f3877ed14eb3d9551c76aea9fa556084e64552283d48e23904e4b5490c3273dc168f52ed8c877c2ac37d0bb94ceabaf24954c479d0f65c81c4669f7b7e345f6d9b900b46eafb6dc0ceeeb5e41b5f38e92f9a8f760acf2d8dccb5c21e9f2ff4262e9cde23b5f7372552da398c6e54480f0f86e57e55a90866603edfc5888775d4413085f7786538c6a1cd20e26cb6d62a4f42b08b944292ab350203010001300d06092a864886f70d01010405000382010100101eda3f790f087c8060506e9218801409545d0d275b72add6d46ffb7773caa39450a32462da5829cb13b0a5d256a4b9
(6) State = 0x3286ec463781e1a3af3e7e5c1128d5dc
(6) Message-Authenticator = 0x5876b9620fed3f65ab38aa94397a1e96
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (!&User-Name)
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\\./)
(6) if (&User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) if (Called-Station-ID =~ /:test$/)
(6) if (Called-Station-ID =~ /:test$/) -> TRUE
(6) if (Called-Station-ID =~ /:test$/) {
(6) eap : Peer sent code Response (2) ID 7 length 1112
(6) eap : No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) [files] = noop
(6) [maclist] = ok
(6) if (notfound)
(6) if (notfound) -> FALSE
(6) if ( mac-add !~ /%{Calling-Station-ID}/i)
(6) EXPAND %{Calling-Station-ID}
(6) --> 00236c94ed49
(6) ERROR: Failed retrieving values required to evaluate condition
(6) } # if (Called-Station-ID =~ /:test$/) = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0x3286ec463781e1a3
(6) eap : Finished EAP session with state 0x3286ec463781e1a3
(6) eap : Previous EAP request found for state 0x3286ec463781e1a3,
released from the list
(6) eap : Peer sent method TLS (13)
(6) eap : EAP TLS (13)
(6) eap : Calling eap_tls to process EAP data
(6) eap_tls : Authenticate
(6) eap_tls : processing EAP-TLS
(6) eap_tls : eaptls_verify returned 7
(6) eap_tls : Done initial handshake
(6) eap_tls : <<< TLS 1.0 Handshake [length 07ae], Certificate
(6) eap_tls : chain-depth=1,
(6) eap_tls : error=0
(6) eap_tls : --> User-Name = Mac284-1
(6) eap_tls : --> BUF-Name = ###########blurred out###########
(6) eap_tls : --> subject = /C=DE/ST=###########blurred out###########
(6) eap_tls : --> issuer = /C=DE/ST=###########blurred out###########
(6) eap_tls : --> verify return:1
(6) eap_tls : chain-depth=0,
(6) eap_tls : error=0
(6) eap_tls : --> User-Name = Mac284-1
(6) eap_tls : --> BUF-Name = Mac284-1
(6) eap_tls : --> subject = /C=DE/ST=###########blurred out###########
(6) eap_tls : --> issuer = /C=DE/ST=###########blurred out###########
(6) eap_tls : --> verify return:1
(6) eap_tls : TLS_accept: SSLv3 read client certificate A
(6) eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(6) eap_tls : TLS_accept: SSLv3 read client key exchange A
(6) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(6) eap_tls : TLS_accept: SSLv3 read certificate verify A
(6) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished
(6) eap_tls : TLS_accept: SSLv3 read finished A
(6) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_tls : TLS_accept: SSLv3 write change cipher spec A
(6) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished
(6) eap_tls : TLS_accept: SSLv3 write finished A
(6) eap_tls : TLS_accept: SSLv3 flush data
SSL: adding session
4fc06eb146aaf33925cb9503d38e0aed4ef2b6b082f6e485abf50ceb399cae73 to
cache
(6) eap_tls : (other): SSL negotiation finished successfully
SSL Connection Established
(6) eap_tls : eaptls_process returned 13
(6) eap : New EAP session, adding 'State' attribute to reply 0x3286ec46348ee1a3
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 192.168.2.42 port 32769,
id=22, length=0
(6) EAP-Message =
0x010800450d800000003b1403010001011603010030dfca648e3d3d11e62b70f33686cc777c4725cbaf9ac64a187585afb0e0e9a1ab552d1d9477d6287a5ab1eb57aa8cfc90
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x3286ec46348ee1a3af3e7e5c1128d5dc
Sending Access-Challenge Id 22 from 10.1.2.27:1812 to 192.168.2.42:32769
EAP-Message = 0x010800450d800000003b1403010001011603010030dfca648e3d3d11e62b70f33686cc777c4725cbaf9ac64a187585afb0e0e9a1ab552d1d9477d6287a5ab1eb57aa8cfc90
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3286ec46348ee1a3af3e7e5c1128d5dc
(6) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 23 from 192.168.2.42:32769 to
10.1.2.27:1812 length 252
User-Name = 'Mac284-1'
Chargeable-User-Identity = 0x00
Location-Capable = Civix-Location
Calling-Station-Id = '00236c94ed49'
Called-Station-Id = '34a84edc9b40:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
NAS-IP-Address = 192.168.2.42
NAS-Identifier = 'cisco-wlc'
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020800060d00
State = 0x3286ec46348ee1a3af3e7e5c1128d5dc
Message-Authenticator = 0xe683920c6f081c2299ff1364520a77a0
(7) Received Access-Request packet from host 192.168.2.42 port 32769,
id=23, length=252
(7) User-Name = 'Mac284-1'
(7) Chargeable-User-Identity = 0x00
(7) Location-Capable = Civix-Location
(7) Calling-Station-Id = '00236c94ed49'
(7) Called-Station-Id = '34a84edc9b40:test'
(7) NAS-Port = 1
(7) Cisco-AVPair = 'audit-session-id=c0a8022a0006da17589c709a'
(7) Acct-Session-Id = '589c709a/00:23:6c:94:ed:49/89377'
(7) NAS-IP-Address = 192.168.2.42
(7) NAS-Identifier = 'cisco-wlc'
(7) Airespace-Wlan-Id = 6
(7) Service-Type = Framed-User
(7) Framed-MTU = 1300
(7) NAS-Port-Type = Wireless-802.11
(7) EAP-Message = 0x020800060d00
(7) State = 0x3286ec46348ee1a3af3e7e5c1128d5dc
(7) Message-Authenticator = 0xe683920c6f081c2299ff1364520a77a0
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./)
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "Mac284-1", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) if (Called-Station-ID =~ /:test$/)
(7) if (Called-Station-ID =~ /:test$/) -> TRUE
(7) if (Called-Station-ID =~ /:test$/) {
(7) eap : Peer sent code Response (2) ID 8 length 6
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [maclist] = ok
(7) if (notfound)
(7) if (notfound) -> FALSE
(7) if ( mac-add !~ /%{Calling-Station-ID}/i)
(7) EXPAND %{Calling-Station-ID}
(7) --> 00236c94ed49
(7) ERROR: Failed retrieving values required to evaluate condition
(7) } # if (Called-Station-ID =~ /:test$/) = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x3286ec46348ee1a3
(7) eap : Finished EAP session with state 0x3286ec46348ee1a3
(7) eap : Previous EAP request found for state 0x3286ec46348ee1a3,
released from the list
(7) eap : Peer sent method TLS (13)
(7) eap : EAP TLS (13)
(7) eap : Calling eap_tls to process EAP data
(7) eap_tls : Authenticate
(7) eap_tls : processing EAP-TLS
(7) eap_tls : Received TLS ACK
(7) eap_tls : Received TLS ACK
(7) eap_tls : ACK handshake is finished
(7) eap_tls : eaptls_verify returned 3
(7) eap_tls : eaptls_process returned 3
(7) eap_tls : Saving session
4fc06eb146aaf33925cb9503d38e0aed4ef2b6b082f6e485abf50ceb399cae73 vps
0x7f11ef620680 in the cache
(7) eap : Freeing handler
(7) [eap] = ok
(7) } # authenticate = ok
(7) Login OK: [Mac284-1] (from client cisco-wlc port 1 cli 00236c94ed49)
(7) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(7) post-auth {
(7) [exec] = noop
(7) remove_reply_message_if_eap remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message)
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else else {
(7) [noop] = noop
(7) } # else else = noop
(7) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(7) } # post-auth = noop
(7) Sending Access-Accept packet to host 192.168.2.42 port 32769,
id=23, length=0
(7) MS-MPPE-Recv-Key =
0x524620c62a30b50ced129eb501237962ea4113db5e897220560b8685fa5901e2
(7) MS-MPPE-Send-Key =
0x891949b902c55410351d498c2eb18db6cbe6832859c4b2dee3fa087ff2a0c248
(7) EAP-MSK = 0x524620c62a30b50ced129eb501237962ea4113db5e897220560b8685fa5901e2891949b902c55410351d498c2eb18db6cbe6832859c4b2dee3fa087ff2a0c248
(7) EAP-EMSK = 0x880ef79921478e5bd23d143295c03af31d8a2c9bf7c7abbed6709b413df36c5224299e1d257d9309cdf9d970d522e2e97ac7f37b27b63ffe15c1d342ba8562d3
(7) EAP-Session-Id =
0x0d589c70aac65ee802893e9669a76d4b6ba5245eadb48ca2b02ca1a2c67e308b5e589c70a92d3e8d6b590e516b0aa7cb43a4bce8de31334b620f07e5f22ac9e194
(7) EAP-Message = 0x03080004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = 'Mac284-1'
Sending Access-Accept Id 23 from 10.1.2.27:1812 to 192.168.2.42:32769
MS-MPPE-Recv-Key =
0x524620c62a30b50ced129eb501237962ea4113db5e897220560b8685fa5901e2
MS-MPPE-Send-Key =
0x891949b902c55410351d498c2eb18db6cbe6832859c4b2dee3fa087ff2a0c248
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = 'Mac284-1'
(7) Finished request
Waking up in 0.2 seconds.
Waking up in 4.5 seconds.
^C
[root@radrad raddb]#
3
5
Hi Guys,
i have a problem with 3.0.12 and User-Name.
I send a request with domain name included in User-Name:
radtest -t mschap "test\radius" radius localhost 1 testing123
On freeradius i see User-Name = "test\radius" in line 2.
(0) Received Access-Request Id 61 from 127.0.0.1:34351 to 127.0.0.1:1812 length 142
(0) User-Name = "test\radius"
(0) NAS-IP-Address = 10.100.254.174
(0) NAS-Port = 1
(0) Message-Authenticator = 0xdd90f7f9365aca2896632b1a531bb760
(0) Framed-Protocol = PPP
(0) MS-CHAP-Challenge = 0xe7d0a3bb2ba11619
(0) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f16973c17df493cec36e7f24c5ed837697dbb69248fdb117
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "test adius", looking up realm NULL
(0) ntdomain: No such realm "NULL"
...
But for ntdomain the User-Name is broken. The blackslash escape the "r" so i seed "test adius" instead "test\radius".
I also tried to use split_username_nai but here the same problem.
My problem is, that windows send every time a domain.
Anybody have an idea to fix this bug?
Greets Marco
3
4
Hi,Getting following issueWed Feb 8 17:51:06: Info: WARNING: Child is hung for request 12945049 in component <core> module <queue>.Please let me know the cause and resolution for the sameFor your information "max_requests" has been set to 25000.Is this creating some problem?Thanks & regardsManjunath
2
1
Hi All,
I am seeking some help regarding group access. I've have built a system by
using freeradius, samba4 (AD) to secure our Wireless network. The client
authentication works perfectly fine, but I'd like to deny access to some
specific groups. I can deny access to users but not groups. Could someone
point me to the right direction?
Regards,
David
5
7