Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2017
- 77 participants
- 100 discussions
18 Sep '17
Hello.
I've upgraded to 3.0.15 from 2.X and now I have a problem with pap
authorization.
My users saved in a MySQL with an attribute md5. But, from Cisco ASA I
receive header User-Password. In a source code I've found next strings:
case PW_USER_PASSWORD: /* deprecated */
RWDEBUG("!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
RWDEBUG("!!! Ignoring control:User-Password.
Update your !!!");
RWDEBUG("!!! configuration so that the \"known
good\" clear text !!!");
RWDEBUG("!!! password is in Cleartext-Password and
NOT in !!!");
RWDEBUG("!!! User-Password.
!!!");
RWDEBUG("!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
break;
Okay. I've found a workaround with unlang and paste it to "authorize"
section:
if (!control:Cleartext-Password && control:User-Password) {
update control {
Cleartext-Password := "%{control:User-Password}"
}
}
But it doesn't work.
How can I save an encrypted password in MySQL and delete header
User-Password which I receive from Cisco ASA (I can't modify software on
the Cisco side)?
--
Best regards,
Anton Kiryushkin
3
3
Update from 3.0.4 to 3.0.13 (RHEL and CentOS 7.3 to 7.4): Reference "${group_attribute}" not found
by Bernd 15 Sep '17
by Bernd 15 Sep '17
15 Sep '17
Hi,
committing an update from CentOS release 7.3.1611 to 7.4.1708 also a
FreeRADIUS update is deployed:
* 7.3.1611: freeradius-3.0.4-8.el7_3.x86_64
* 7.4.1708: freeradius-3.0.13-8.el7_4.x86_64
Afterwards it fails to start. I found a bug report on this (which hit
Fedora 22 back then in the end of 2015):
https://bugzilla.redhat.com/show_bug.cgi?id=1291006
What's the best way to circumvent this? It seems that some
reconfiguration is needed, but I don't see exactly *where*.
A temporary (surely not elegant) fix is to modify
/etc/raddb/mods-config/sql/main/mysql/queries.conf, from
authorize_group_check_query = "\
SELECT id, groupname, attribute, \
Value, op \
FROM ${groupcheck_table} \
WHERE groupname = '%{${group_attribute}}' \
ORDER BY id"
authorize_group_reply_query = "\
SELECT id, groupname, attribute, \
value, op \
FROM ${groupreply_table} \
WHERE groupname = '%{${group_attribute}}' \
ORDER BY id"
in the new 3.0.13 file to
authorize_group_check_query = "\
SELECT id, groupname, attribute, \
Value, op \
FROM ${groupcheck_table} \
WHERE groupname = '%{Sql-Group}' \
ORDER BY id"
authorize_group_reply_query = "\
SELECT id, groupname, attribute, \
value, op \
FROM ${groupreply_table} \
WHERE groupname = '%{Sql-Group}' \
ORDER BY id"
(as it was in 3.0.4).
Best,
Bernd
4
6
15 Sep '17
Hi all,
I have a openldap server with hashed password and am attempting to set up
WPA-Enterprise authentication. I have enabled the ldpap module and straight
authentication usng ldap and pap works. i.e the proxy server authenticates
without any problems.
I have the client configured to use ttls and gtc. I have done the same with
the eap configuration file. I don't get any error messages in the log file
when trying to connect. (I regengerated the ssl certs as hinted at by a
previous message but this took away the ssl cert warning but did not solve
the problem.)
Below is the debug log output. Trying to understand radius and the whole
EAP protocol requires a large amount of effort. I have already understood a
lot more than I did 3 days ago but am not at the end of my concpetual
models ability to trouble shoot this problem. I have tried setting the
Auth-Type: to LDAP in the gtc configuration in the eap conf file as well
but the results are the same.
Any help or hints appreciated. From the log file below it looks like the
client is not responding to the final Access-Challenge. The only other idea
I have is that the User-Password: field is not being passed to the eap
process? Not sure how to fix that or if it is the problem.
Thanks
Ready to process requests
(0) Received Access-Request Id 224 from 192.168.45.05:37339 to
192.168.45.74:1812 length 166
(0) User-Name = "bob"
(0) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Port = 0
(0) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "59B902E8-000000EA"
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02270009016d61726b
(0) Message-Authenticator = 0x4e878ddb529b319d77ea2abfb3131112
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(0) auth_log: EXPAND %t
(0) auth_log: --> Thu Sep 14 11:19:11 2017
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bob", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 39 length 9
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 40 length 6
(0) eap: EAP session adding &reply:State = 0xbdc37936bdeb6cdd
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Sent Access-Challenge Id 224 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(0) EAP-Message = 0x012800061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xbdc37936bdeb6cdd84932144ea25780b
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 225 from 192.168.45.05:37339 to
192.168.45.74:1812 length 339
(1) User-Name = "bob"
(1) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Port = 0
(1) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) Acct-Session-Id = "59B902E8-000000EA"
(1) Framed-MTU = 1400
(1) EAP-Message =
0x022800a4150016030100990100009503030a1c1c168f1fe7ca21b8e5ee873c19ba1e777641a3b13e1cca092bfa7fe66fc100003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff01000030001700
(1) State = 0xbdc37936bdeb6cdd84932144ea25780b
(1) Message-Authenticator = 0xc6c693312fb56f022f47198c94f4c3c7
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(1) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(1) auth_log: EXPAND %t
(1) auth_log: --> Thu Sep 14 11:19:11 2017
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "bob", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 40 length 164
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xbdc37936bdeb6cdd
(1) eap: Finished EAP session with state 0xbdc37936bdeb6cdd
(1) eap: Previous EAP request found for state 0xbdc37936bdeb6cdd, released
from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: Continuing EAP-TLS
(1) eap_ttls: Got final TLS record fragment (158 bytes)
(1) eap_ttls: WARNING: Total received TLS record fragments (158 bytes),
does not equal indicated TLS record length (0 bytes)
(1) eap_ttls: [eaptls verify] = ok
(1) eap_ttls: Done initial handshake
(1) eap_ttls: (other): before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: <<< recv TLS 1.2 [length 0099]
(1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(1) eap_ttls: >>> send TLS 1.2 [length 003d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(1) eap_ttls: >>> send TLS 1.2 [length 08d3]
(1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(1) eap_ttls: >>> send TLS 1.2 [length 014d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_ttls: >>> send TLS 1.2 [length 0004]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server done
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_ttls: In SSL Handshake Phase
(1) eap_ttls: In SSL Accept mode
(1) eap_ttls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 41 length 1004
(1) eap: EAP session adding &reply:State = 0xbdc37936bcea6cdd
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Sent Access-Challenge Id 225 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(1) EAP-Message =
0x012903ec15c000000a75160303003d020000390303bfef2af615bb30a1795e1502febfbbcfaf0829baff49038576161b0bbe9082d500c030000011ff01000100000b0004030001020017000016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d0101
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xbdc37936bcea6cdd84932144ea25780b
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 226 from 192.168.45.05:37339 to
192.168.45.74:1812 length 181
(2) User-Name = "bob"
(2) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Port = 0
(2) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) Acct-Session-Id = "59B902E8-000000EA"
(2) Framed-MTU = 1400
(2) EAP-Message = 0x022900061500
(2) State = 0xbdc37936bcea6cdd84932144ea25780b
(2) Message-Authenticator = 0x5e81d512883c3437d5d7c4b1576509da
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(2) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(2) auth_log: EXPAND %t
(2) auth_log: --> Thu Sep 14 11:19:11 2017
(2) [auth_log] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "bob", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 41 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xbdc37936bcea6cdd
(2) eap: Finished EAP session with state 0xbdc37936bcea6cdd
(2) eap: Previous EAP request found for state 0xbdc37936bcea6cdd, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 42 length 1004
(2) eap: EAP session adding &reply:State = 0xbdc37936bfe96cdd
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Sent Access-Challenge Id 226 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(2) EAP-Message =
0x012a03ec15c000000a75318c53693caf5cec07a26c179201b35044f8b0a36585e88ac8887724d038dace205f76b50f376be76dd9ebe975518e8d82a931d370995cd79469cd39278883b89faf674e3bc275747a253d0cab0004e8308204e4308203cca003020102020900acfa1c7c27c4f226300d06092a
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xbdc37936bfe96cdd84932144ea25780b
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 227 from 192.168.45.05:37339 to
192.168.45.74:1812 length 181
(3) User-Name = "bob"
(3) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Port = 0
(3) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) Acct-Session-Id = "59B902E8-000000EA"
(3) Framed-MTU = 1400
(3) EAP-Message = 0x022a00061500
(3) State = 0xbdc37936bfe96cdd84932144ea25780b
(3) Message-Authenticator = 0x9fd121549085c6c53071b12b8b96285a
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(3) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(3) auth_log: EXPAND %t
(3) auth_log: --> Thu Sep 14 11:19:11 2017
(3) [auth_log] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "bob", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 42 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xbdc37936bfe96cdd
(3) eap: Finished EAP session with state 0xbdc37936bfe96cdd
(3) eap: Previous EAP request found for state 0xbdc37936bfe96cdd, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 43 length 699
(3) eap: EAP session adding &reply:State = 0xbdc37936bee86cdd
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Sent Access-Challenge Id 227 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(3) EAP-Message =
0x012b02bb158000000a750101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100e3995c54d00cee2fbbc14478b89b75b38a11643e5c1a51
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xbdc37936bee86cdd84932144ea25780b
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 228 from 192.168.45.05:37339 to
192.168.45.74:1812 length 307
(4) User-Name = "bob"
(4) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Port = 0
(4) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) Acct-Session-Id = "59B902E8-000000EA"
(4) Framed-MTU = 1400
(4) EAP-Message =
0x022b0084150016030300461000004241047d7abad05d5661d82c204f0d953f0ce6f5b508de608abf44b528fc3897c2f548baacdb60f5cd867ea90d976f1ad767249c4fc28ba8a810d62bb1102d57fd00e514030300010116030300280000000000000000c227b6f946893e02d0eac613069cdc09d93578
(4) State = 0xbdc37936bee86cdd84932144ea25780b
(4) Message-Authenticator = 0xb50eb2de770b6149c3752e62afebe833
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(4) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(4) auth_log: EXPAND %t
(4) auth_log: --> Thu Sep 14 11:19:11 2017
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "bob", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 43 length 132
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xbdc37936bee86cdd
(4) eap: Finished EAP session with state 0xbdc37936bee86cdd
(4) eap: Previous EAP request found for state 0xbdc37936bee86cdd, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: [eaptls verify] = ok
(4) eap_ttls: Done initial handshake
(4) eap_ttls: TLS_accept: SSLv3/TLS write server done
(4) eap_ttls: <<< recv TLS 1.2 [length 0046]
(4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_ttls: <<< recv TLS 1.2 [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS read finished
(4) eap_ttls: >>> send TLS 1.2 [length 0001]
(4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_ttls: >>> send TLS 1.2 [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS write finished
(4) eap_ttls: (other): SSL negotiation finished successfully
(4) eap_ttls: SSL Connection Established
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 44 length 61
(4) eap: EAP session adding &reply:State = 0xbdc37936b9ef6cdd
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Sent Access-Challenge Id 228 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(4) EAP-Message =
0x012c003d1580000000331403030001011603030028471e30dc08a6d794f227f69ef0ae81d75a7082e5643ef6c65d9ee2604fcd4f7c55114fc65525a838
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xbdc37936b9ef6cdd84932144ea25780b
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 229 from 192.168.45.05:37339 to
192.168.45.74:1812 length 230
(5) User-Name = "bob"
(5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port = 0
(5) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) Acct-Session-Id = "59B902E8-000000EA"
(5) Framed-MTU = 1400
(5) EAP-Message =
0x022c00371500170303002c0000000000000001595cecb3de730e899e84a9f3e32a5b344f7831ba3a3b08486ae4ed71c158e57359dded07
(5) State = 0xbdc37936b9ef6cdd84932144ea25780b
(5) Message-Authenticator = 0x04079a652bd0207cdffa3715b865b41a
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(5) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(5) auth_log: EXPAND %t
(5) auth_log: --> Thu Sep 14 11:19:11 2017
(5) [auth_log] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bob", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 44 length 55
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xbdc37936b9ef6cdd
(5) eap: Finished EAP session with state 0xbdc37936b9ef6cdd
(5) eap: Previous EAP request found for state 0xbdc37936b9ef6cdd, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: [eaptls process] = ok
(5) eap_ttls: Session established. Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls: EAP-Message = 0x02000009016d61726b
(5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Got tunneled identity of bob
(5) eap_ttls: Setting default EAP type for tunneled EAP session
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5) EAP-Message = 0x02000009016d61726b
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) User-Name = "bob"
(5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port = 0
(5) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) Acct-Session-Id = "59B902E8-000000EA"
(5) Framed-MTU = 1400
(5) Event-Timestamp = "Sep 14 2017 11:19:11 SAST"
(5) NAS-IP-Address = 192.168.45.05
(5) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(5) server inner-tunnel {
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bob", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 0 length 9
(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Peer sent packet with method EAP Identity (1)
(5) eap: Calling submodule eap_gtc to process data
(5) eap_gtc: EXPAND Password:
(5) eap_gtc: --> Password:
(5) eap: Sending EAP Request (code 1) ID 1 length 15
(5) eap: EAP session adding &reply:State = 0x939300d7939206e6
(5) [eap] = handled
(5) } # authenticate = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) EAP-Message = 0x0101000f0650617373776f72643a20
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x939300d7939206e632565a4a2d1be287
(5) eap_ttls: Got tunneled Access-Challenge
(5) eap: Sending EAP Request (code 1) ID 45 length 63
(5) eap: EAP session adding &reply:State = 0xbdc37936b8ee6cdd
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Sent Access-Challenge Id 229 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(5) EAP-Message =
0x012d003f1580000000351703030030471e30dc08a6d79553ed6a4977806816b7ccd9f91d3c7e620176ceb206f3a0d52f0918d696626cf670769ccb64d27449
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xbdc37936b8ee6cdd84932144ea25780b
(5) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 224 with timestamp +10
(1) Cleaning up request packet ID 225 with timestamp +10
(2) Cleaning up request packet ID 226 with timestamp +10
(3) Cleaning up request packet ID 227 with timestamp +10
(4) Cleaning up request packet ID 228 with timestamp +10
(5) Cleaning up request packet ID 229 with timestamp +10
3
7
Hello,
I have trouble assigning the vlan to users in different groups. If I
have one group and if the user is in this group gets a VLAN 200. If
another user is in another group (add another entry in the users file
with the group and vlan), it does not log on or continue to receive the
vlan 200 and I want it to get vlan 216. Below debug with login.
Users are sure to exist and in the appropriate groups
Fri Sep 15 09:07:01 2017 : Info: freeradius: FreeRADIUS Version 2.2.5,
for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:25:15
Fri Sep 15 09:07:01 2017 : Debug: Server was built with:
Fri Sep 15 09:07:01 2017 : Debug: accounting
Fri Sep 15 09:07:01 2017 : Debug: authentication
Fri Sep 15 09:07:01 2017 : Debug: WITH_DHCP
Fri Sep 15 09:07:01 2017 : Debug: WITH_VMPS
Fri Sep 15 09:07:01 2017 : Debug: Server core libs:
Fri Sep 15 09:07:01 2017 : Debug: ssl: OpenSSL 1.0.1t 3 May 2016
Fri Sep 15 09:07:01 2017 : Info: Copyright (C) 1999-2013 The FreeRADIUS
server project and contributors.
Fri Sep 15 09:07:01 2017 : Info: There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A
Fri Sep 15 09:07:01 2017 : Info: PARTICULAR PURPOSE.
Fri Sep 15 09:07:01 2017 : Info: You may redistribute copies of
FreeRADIUS under the terms of the
Fri Sep 15 09:07:01 2017 : Info: GNU General Public License.
Fri Sep 15 09:07:01 2017 : Info: For more information about these
matters, see the file named COPYRIGHT.
Fri Sep 15 09:07:01 2017 : Info: Starting - reading configuration files ...
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/radiusd.conf
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/proxy.conf
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/clients.conf
Fri Sep 15 09:07:01 2017 : Debug: including files in directory
/etc/freeradius/modules/
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/attr_filter
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/pap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/radrelay
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/mschap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/etc_group
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/sradutmp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/detail.example.com
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/ippool
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/always
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/rediswho
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/smsotp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/chap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/exec
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/replicate
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/attr_rewrite
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/checkval
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/krb5
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/smbpasswd
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/counter
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/detail
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/inner-eap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/realm
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/sql_log
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/perl
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/redis
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/passwd
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/radutmp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/digest
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/preprocess
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/ntlm_auth
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/mac2vlan
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/detail.log
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/policy
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/acct_unique
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/dhcp_sqlippool
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/dynamic_clients
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/mac2ip
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/soh
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/ldap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/wimax
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/expiration
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/pam
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/logintime
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/files
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/cache
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/unix
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/echo
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/otp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/opendirectory
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/expr
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/cui
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/linelog
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/eap.conf
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/policy.conf
Fri Sep 15 09:07:01 2017 : Debug: including files in directory
/etc/freeradius/sites-enabled/
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/sites-enabled/default.orig
Fri Sep 15 09:07:01 2017 : Debug: main {
Fri Sep 15 09:07:01 2017 : Debug: user = "freerad"
Fri Sep 15 09:07:01 2017 : Debug: group = "freerad"
Fri Sep 15 09:07:01 2017 : Debug: allow_core_dumps = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: including dictionary file
/etc/freeradius/dictionary
Fri Sep 15 09:07:01 2017 : Debug: main {
Fri Sep 15 09:07:01 2017 : Debug: name = "freeradius"
Fri Sep 15 09:07:01 2017 : Debug: prefix = "/usr"
Fri Sep 15 09:07:01 2017 : Debug: localstatedir = "/var"
Fri Sep 15 09:07:01 2017 : Debug: sbindir = "/usr/sbin"
Fri Sep 15 09:07:01 2017 : Debug: logdir = "/var/log/freeradius"
Fri Sep 15 09:07:01 2017 : Debug: run_dir = "/var/run/freeradius"
Fri Sep 15 09:07:01 2017 : Debug: libdir = "/usr/lib/freeradius"
Fri Sep 15 09:07:01 2017 : Debug: radacctdir =
"/var/log/freeradius/radacct"
Fri Sep 15 09:07:01 2017 : Debug: hostname_lookups = no
Fri Sep 15 09:07:01 2017 : Debug: max_request_time = 30
Fri Sep 15 09:07:01 2017 : Debug: cleanup_delay = 5
Fri Sep 15 09:07:01 2017 : Debug: max_requests = 1024
Fri Sep 15 09:07:01 2017 : Debug: pidfile =
"/var/run/freeradius/freeradius.pid"
Fri Sep 15 09:07:01 2017 : Debug: checkrad = "/usr/sbin/checkrad"
Fri Sep 15 09:07:01 2017 : Debug: debug_level = 0
Fri Sep 15 09:07:01 2017 : Debug: proxy_requests = yes
Fri Sep 15 09:07:01 2017 : Debug: log {
Fri Sep 15 09:07:01 2017 : Debug: stripped_names = no
Fri Sep 15 09:07:01 2017 : Debug: auth = no
Fri Sep 15 09:07:01 2017 : Debug: auth_badpass = no
Fri Sep 15 09:07:01 2017 : Debug: auth_goodpass = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: security {
Fri Sep 15 09:07:01 2017 : Debug: max_attributes = 200
Fri Sep 15 09:07:01 2017 : Debug: reject_delay = 1
Fri Sep 15 09:07:01 2017 : Debug: status_server = yes
Fri Sep 15 09:07:01 2017 : Debug: allow_vulnerable_openssl = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Loading Realms and Home
Servers ####
Fri Sep 15 09:07:01 2017 : Debug: proxy server {
Fri Sep 15 09:07:01 2017 : Debug: retry_delay = 5
Fri Sep 15 09:07:01 2017 : Debug: retry_count = 3
Fri Sep 15 09:07:01 2017 : Debug: default_fallback = no
Fri Sep 15 09:07:01 2017 : Debug: dead_time = 120
Fri Sep 15 09:07:01 2017 : Debug: wake_all_if_all_dead = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server radius149.156.2.40 {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 149.156.2.40
Fri Sep 15 09:07:01 2017 : Debug: port = 1812
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: response_window = 20
Fri Sep 15 09:07:01 2017 : Debug: max_outstanding = 65536
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = yes
Fri Sep 15 09:07:01 2017 : Debug: zombie_period = 40
Fri Sep 15 09:07:01 2017 : Debug: status_check = "status-server"
Fri Sep 15 09:07:01 2017 : Debug: ping_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: check_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: num_answers_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: num_pings_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: revive_interval = 300
Fri Sep 15 09:07:01 2017 : Debug: status_check_timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server radius149.156.2.66 {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 149.156.2.66
Fri Sep 15 09:07:01 2017 : Debug: port = 1812
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: response_window = 20
Fri Sep 15 09:07:01 2017 : Debug: max_outstanding = 65536
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = yes
Fri Sep 15 09:07:01 2017 : Debug: zombie_period = 40
Fri Sep 15 09:07:01 2017 : Debug: status_check = "status-server"
Fri Sep 15 09:07:01 2017 : Debug: ping_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: check_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: num_answers_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: num_pings_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: revive_interval = 300
Fri Sep 15 09:07:01 2017 : Debug: status_check_timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server localhost {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 127.0.0.1
Fri Sep 15 09:07:01 2017 : Debug: port = 1812
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: secret = "testing123"
Fri Sep 15 09:07:01 2017 : Debug: response_window = 20
Fri Sep 15 09:07:01 2017 : Debug: no_response_fail = no
Fri Sep 15 09:07:01 2017 : Debug: max_outstanding = 65536
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = yes
Fri Sep 15 09:07:01 2017 : Debug: zombie_period = 40
Fri Sep 15 09:07:01 2017 : Debug: status_check = "status-server"
Fri Sep 15 09:07:01 2017 : Debug: ping_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: check_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: num_answers_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: num_pings_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: revive_interval = 120
Fri Sep 15 09:07:01 2017 : Debug: status_check_timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: coa {
Fri Sep 15 09:07:01 2017 : Debug: irt = 2
Fri Sep 15 09:07:01 2017 : Debug: mrt = 16
Fri Sep 15 09:07:01 2017 : Debug: mrc = 5
Fri Sep 15 09:07:01 2017 : Debug: mrd = 30
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm NULL {
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm LOCAL {
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm mydomain.com {
Fri Sep 15 09:07:01 2017 : Debug: authhost = LOCAL
Fri Sep 15 09:07:01 2017 : Debug: accthost = LOCAL
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server_pool CYFRONET_pool {
Fri Sep 15 09:07:01 2017 : Debug: type = fail-over
Fri Sep 15 09:07:01 2017 : Debug: home_server = radius149.156.2.66
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm DEFAULT {
Fri Sep 15 09:07:01 2017 : Debug: auth_pool = CYFRONET_pool
Fri Sep 15 09:07:01 2017 : Debug: nostrip
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Loading Clients ####
Fri Sep 15 09:07:01 2017 : Debug: client localhost {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 127.0.0.1
Fri Sep 15 09:07:01 2017 : Debug: netmask = 32
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret = "testing123"
Fri Sep 15 09:07:01 2017 : Debug: shortname = "localhost"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "other"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: client 10.24.100.41 {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 10.24.100.41
Fri Sep 15 09:07:01 2017 : Debug: netmask = 32
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret = "vFayVjKTby3o"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "cisco"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: client 149.156.2.40 {
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "other"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: client 149.156.2.66 {
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "other"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Instantiating modules ####
Fri Sep 15 09:07:01 2017 : Debug: instantiate {
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_exec, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_exec
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "exec"
from file /etc/freeradius/modules/exec
Fri Sep 15 09:07:01 2017 : Debug: exec {
Fri Sep 15 09:07:01 2017 : Debug: wait = no
Fri Sep 15 09:07:01 2017 : Debug: input_pairs = "request"
Fri Sep 15 09:07:01 2017 : Debug: shell_escape = yes
Fri Sep 15 09:07:01 2017 : Debug: timeout = 10
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_expr, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_expr
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "expr"
from file /etc/freeradius/modules/expr
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_expiration, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_expiration
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"expiration" from file /etc/freeradius/modules/expiration
Fri Sep 15 09:07:01 2017 : Debug: expiration {
Fri Sep 15 09:07:01 2017 : Debug: reply-message = "Password Has
Expired "
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_logintime, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_logintime
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"logintime" from file /etc/freeradius/modules/logintime
Fri Sep 15 09:07:01 2017 : Debug: logintime {
Fri Sep 15 09:07:01 2017 : Debug: reply-message = "You are calling
outside your allowed timespan "
Fri Sep 15 09:07:01 2017 : Debug: minimum-timeout = 60
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Loading Virtual Servers ####
Fri Sep 15 09:07:01 2017 : Debug: server { # from file ?
Fri Sep 15 09:07:01 2017 : Debug: modules {
Fri Sep 15 09:07:01 2017 : Debug: Module: Creating Auth-Type = digest
Fri Sep 15 09:07:01 2017 : Debug: Module: Creating Auth-Type = LDAP
Fri Sep 15 09:07:01 2017 : Debug: Module: Creating Post-Auth-Type = REJECT
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authenticate {...}
for more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_pap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_pap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "pap"
from file /etc/freeradius/modules/pap
Fri Sep 15 09:07:01 2017 : Debug: pap {
Fri Sep 15 09:07:01 2017 : Debug: encryption_scheme = "auto"
Fri Sep 15 09:07:01 2017 : Debug: auto_header = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_chap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_chap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "chap"
from file /etc/freeradius/modules/chap
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_mschap, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_mschap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "mschap"
from file /etc/freeradius/modules/mschap
Fri Sep 15 09:07:01 2017 : Debug: mschap {
Fri Sep 15 09:07:01 2017 : Debug: use_mppe = no
Fri Sep 15 09:07:01 2017 : Debug: require_encryption = no
Fri Sep 15 09:07:01 2017 : Debug: require_strong = no
Fri Sep 15 09:07:01 2017 : Debug: with_ntdomain_hack = no
Fri Sep 15 09:07:01 2017 : Debug: ntlm_auth = "/usr/bin/ntlm_auth
--request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Fri Sep 15 09:07:01 2017 : Debug: allow_retry = yes
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_digest, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_digest
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "digest"
from file /etc/freeradius/modules/digest
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_ldap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_ldap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "ldap"
from file /etc/freeradius/modules/ldap
Fri Sep 15 09:07:01 2017 : Debug: ldap {
Fri Sep 15 09:07:01 2017 : Debug: server = "ldap1.mydomain.com"
Fri Sep 15 09:07:01 2017 : Debug: port = 389
Fri Sep 15 09:07:01 2017 : Debug: password = "rad--IJP--02"
Fri Sep 15 09:07:01 2017 : Debug: expect_password = yes
Fri Sep 15 09:07:01 2017 : Debug: identity =
"cn=freeradius,ou=services,dc=ijp,dc=pan,dc=local"
Fri Sep 15 09:07:01 2017 : Debug: net_timeout = 1
Fri Sep 15 09:07:01 2017 : Debug: timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: timelimit = 3
Fri Sep 15 09:07:01 2017 : Debug: max_uses = 0
Fri Sep 15 09:07:01 2017 : Debug: tls_mode = no
Fri Sep 15 09:07:01 2017 : Debug: start_tls = no
Fri Sep 15 09:07:01 2017 : Debug: tls_require_cert = "allow"
Fri Sep 15 09:07:01 2017 : Debug: tls {
Fri Sep 15 09:07:01 2017 : Debug: start_tls = no
Fri Sep 15 09:07:01 2017 : Debug: require_cert = "allow"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: basedn = "dc=ijp,dc=pan,dc=local"
Fri Sep 15 09:07:01 2017 : Debug: filter =
"(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
Fri Sep 15 09:07:01 2017 : Debug: base_filter =
"(objectclass=radiusprofile)"
Fri Sep 15 09:07:01 2017 : Debug: auto_header = no
Fri Sep 15 09:07:01 2017 : Debug: access_attr_used_for_allow = yes
Fri Sep 15 09:07:01 2017 : Debug: chase_referrals = yes
Fri Sep 15 09:07:01 2017 : Debug: rebind = yes
Fri Sep 15 09:07:01 2017 : Debug: groupname_attribute = "cn"
Fri Sep 15 09:07:01 2017 : Debug: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
Fri Sep 15 09:07:01 2017 : Debug: groupmembership_attribute =
"memberOf"
Fri Sep 15 09:07:01 2017 : Debug: dictionary_mapping =
"/etc/freeradius/ldap.attrmap"
Fri Sep 15 09:07:01 2017 : Debug: ldap_debug = 0
Fri Sep 15 09:07:01 2017 : Debug: ldap_connections_number = 5
Fri Sep 15 09:07:01 2017 : Debug: compare_check_items = no
Fri Sep 15 09:07:01 2017 : Debug: do_xlat = yes
Fri Sep 15 09:07:01 2017 : Debug: edir_account_policy_check = no
Fri Sep 15 09:07:01 2017 : Debug: set_auth_type = yes
Fri Sep 15 09:07:01 2017 : Debug: keepalive {
Fri Sep 15 09:07:01 2017 : Debug: idle = 60
Fri Sep 15 09:07:01 2017 : Debug: probes = 3
Fri Sep 15 09:07:01 2017 : Debug: interval = 3
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: Registering ldap_groupcmp
for Ldap-Group
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: Registering ldap_xlat with
xlat_name ldap
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: reading ldap<->radius
mappings from file /etc/freeradius/ldap.attrmap
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCheckItem mapped
to RADIUS $GENERIC$
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusReplyItem mapped
to RADIUS $GENERIC$
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusAuthType mapped
to RADIUS Auth-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusSimultaneousUse
mapped to RADIUS Simultaneous-Use
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCalledStationId
mapped to RADIUS Called-Station-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCallingStationId
mapped to RADIUS Calling-Station-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP lmPassword mapped to
RADIUS LM-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP ntPassword mapped to
RADIUS NT-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP sambaLmPassword mapped
to RADIUS LM-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP sambaNtPassword mapped
to RADIUS NT-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP dBCSPwd mapped to
RADIUS LM-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP userPassword mapped to
RADIUS Password-With-Header
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP acctFlags mapped to
RADIUS SMB-Account-CTRL-TEXT
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusExpiration mapped
to RADIUS Expiration
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusNASIpAddress
mapped to RADIUS NAS-IP-Address
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusServiceType
mapped to RADIUS Service-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedProtocol
mapped to RADIUS Framed-Protocol
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedIPAddress
mapped to RADIUS Framed-IP-Address
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedIPNetmask
mapped to RADIUS Framed-IP-Netmask
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedRoute
mapped to RADIUS Framed-Route
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedRouting
mapped to RADIUS Framed-Routing
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFilterId mapped
to RADIUS Filter-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedMTU mapped
to RADIUS Framed-MTU
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedCompression
mapped to RADIUS Framed-Compression
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginIPHost
mapped to RADIUS Login-IP-Host
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginService
mapped to RADIUS Login-Service
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginTCPPort
mapped to RADIUS Login-TCP-Port
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCallbackNumber
mapped to RADIUS Callback-Number
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCallbackId mapped
to RADIUS Callback-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedIPXNetwork
mapped to RADIUS Framed-IPX-Network
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusClass mapped to
RADIUS Class
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusSessionTimeout
mapped to RADIUS Session-Timeout
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusIdleTimeout
mapped to RADIUS Idle-Timeout
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusTerminationAction
mapped to RADIUS Termination-Action
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATService
mapped to RADIUS Login-LAT-Service
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATNode
mapped to RADIUS Login-LAT-Node
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATGroup
mapped to RADIUS Login-LAT-Group
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusPortLimit mapped
to RADIUS Port-Limit
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATPort
mapped to RADIUS Login-LAT-Port
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusReplyMessage
mapped to RADIUS Reply-Message
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusTunnelType mapped
to RADIUS Tunnel-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusTunnelMediumType
mapped to RADIUS Tunnel-Medium-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
Fri Sep 15 09:07:01 2017 : Debug: conns: 0x2706520
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_eap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_eap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "eap"
from file /etc/freeradius/eap.conf
Fri Sep 15 09:07:01 2017 : Debug: eap {
Fri Sep 15 09:07:01 2017 : Debug: default_eap_type = "md5"
Fri Sep 15 09:07:01 2017 : Debug: timer_expire = 60
Fri Sep 15 09:07:01 2017 : Debug: ignore_unknown_eap_types = no
Fri Sep 15 09:07:01 2017 : Debug: cisco_accounting_username_bug = no
Fri Sep 15 09:07:01 2017 : Debug: max_sessions = 1024
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_md5
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-md5
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_leap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-leap
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_gtc
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-gtc
Fri Sep 15 09:07:01 2017 : Debug: gtc {
Fri Sep 15 09:07:01 2017 : Debug: challenge = "Password: "
Fri Sep 15 09:07:01 2017 : Debug: auth_type = "PAP"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_tls
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-tls
Fri Sep 15 09:07:01 2017 : Debug: tls {
Fri Sep 15 09:07:01 2017 : Debug: rsa_key_exchange = no
Fri Sep 15 09:07:01 2017 : Debug: dh_key_exchange = yes
Fri Sep 15 09:07:01 2017 : Debug: rsa_key_length = 512
Fri Sep 15 09:07:01 2017 : Debug: dh_key_length = 512
Fri Sep 15 09:07:01 2017 : Debug: verify_depth = 0
Fri Sep 15 09:07:01 2017 : Debug: CA_path = "/etc/freeradius/certs"
Fri Sep 15 09:07:01 2017 : Debug: pem_file_type = yes
Fri Sep 15 09:07:01 2017 : Debug: private_key_file =
"/etc/freeradius/certs/server.key"
Fri Sep 15 09:07:01 2017 : Debug: certificate_file =
"/etc/freeradius/certs/server.pem"
Fri Sep 15 09:07:01 2017 : Debug: CA_file =
"/etc/freeradius/certs/ca.pem"
Fri Sep 15 09:07:01 2017 : Debug: private_key_password =
"si7ys4mxs984mxksj4oi"
Fri Sep 15 09:07:01 2017 : Debug: dh_file =
"/etc/freeradius/certs/dh"
Fri Sep 15 09:07:01 2017 : Debug: random_file = "/dev/urandom"
Fri Sep 15 09:07:01 2017 : Debug: fragment_size = 1024
Fri Sep 15 09:07:01 2017 : Debug: include_length = yes
Fri Sep 15 09:07:01 2017 : Debug: check_crl = no
Fri Sep 15 09:07:01 2017 : Debug: cipher_list = "DEFAULT"
Fri Sep 15 09:07:01 2017 : Debug: make_cert_command =
"/etc/freeradius/certs/bootstrap"
Fri Sep 15 09:07:01 2017 : Debug: ecdh_curve = "prime256v1"
Fri Sep 15 09:07:01 2017 : Debug: cache {
Fri Sep 15 09:07:01 2017 : Debug: enable = no
Fri Sep 15 09:07:01 2017 : Debug: lifetime = 24
Fri Sep 15 09:07:01 2017 : Debug: max_entries = 255
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: verify {
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: ocsp {
Fri Sep 15 09:07:01 2017 : Debug: enable = no
Fri Sep 15 09:07:01 2017 : Debug: override_cert_url = yes
Fri Sep 15 09:07:01 2017 : Debug: url = "http://127.0.0.1/ocsp/"
Fri Sep 15 09:07:01 2017 : Debug: use_nonce = yes
Fri Sep 15 09:07:01 2017 : Debug: timeout = 0
Fri Sep 15 09:07:01 2017 : Debug: softfail = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_ttls
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-ttls
Fri Sep 15 09:07:01 2017 : Debug: ttls {
Fri Sep 15 09:07:01 2017 : Debug: default_eap_type = "md5"
Fri Sep 15 09:07:01 2017 : Debug: copy_request_to_tunnel = yes
Fri Sep 15 09:07:01 2017 : Debug: use_tunneled_reply = yes
Fri Sep 15 09:07:01 2017 : Debug: virtual_server = "inner-tunnel"
Fri Sep 15 09:07:01 2017 : Debug: include_length = yes
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_peap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-peap
Fri Sep 15 09:07:01 2017 : Debug: peap {
Fri Sep 15 09:07:01 2017 : Debug: default_eap_type = "mschapv2"
Fri Sep 15 09:07:01 2017 : Debug: copy_request_to_tunnel = yes
Fri Sep 15 09:07:01 2017 : Debug: use_tunneled_reply = yes
Fri Sep 15 09:07:01 2017 : Debug: proxy_tunneled_request_as_eap = yes
Fri Sep 15 09:07:01 2017 : Debug: virtual_server = "inner-tunnel"
Fri Sep 15 09:07:01 2017 : Debug: soh = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module
rlm_eap_mschapv2
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-mschapv2
Fri Sep 15 09:07:01 2017 : Debug: mschapv2 {
Fri Sep 15 09:07:01 2017 : Debug: with_ntdomain_hack = no
Fri Sep 15 09:07:01 2017 : Debug: send_error = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authorize {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_preprocess, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_preprocess
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"preprocess" from file /etc/freeradius/modules/preprocess
Fri Sep 15 09:07:01 2017 : Debug: preprocess {
Fri Sep 15 09:07:01 2017 : Debug: huntgroups =
"/etc/freeradius/huntgroups"
Fri Sep 15 09:07:01 2017 : Debug: hints = "/etc/freeradius/hints"
Fri Sep 15 09:07:01 2017 : Debug: with_ascend_hack = no
Fri Sep 15 09:07:01 2017 : Debug: ascend_channels_per_line = 23
Fri Sep 15 09:07:01 2017 : Debug: with_ntdomain_hack = no
Fri Sep 15 09:07:01 2017 : Debug: with_specialix_jetstream_hack = no
Fri Sep 15 09:07:01 2017 : Debug: with_cisco_vsa_hack = no
Fri Sep 15 09:07:01 2017 : Debug: with_alvarion_vsa_hack = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/huntgroups
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/hints
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_realm, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_realm
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "suffix"
from file /etc/freeradius/modules/realm
Fri Sep 15 09:07:01 2017 : Debug: realm suffix {
Fri Sep 15 09:07:01 2017 : Debug: format = "suffix"
Fri Sep 15 09:07:01 2017 : Debug: delimiter = "@"
Fri Sep 15 09:07:01 2017 : Debug: ignore_default = no
Fri Sep 15 09:07:01 2017 : Debug: ignore_null = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_files, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_files
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "files"
from file /etc/freeradius/modules/files
Fri Sep 15 09:07:01 2017 : Debug: files {
Fri Sep 15 09:07:01 2017 : Debug: usersfile = "/etc/freeradius/users"
Fri Sep 15 09:07:01 2017 : Debug: acctusersfile =
"/etc/freeradius/acct_users"
Fri Sep 15 09:07:01 2017 : Debug: preproxy_usersfile =
"/etc/freeradius/preproxy_users"
Fri Sep 15 09:07:01 2017 : Debug: compat = "no"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/users
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/acct_users
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/preproxy_users
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking preacct {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_acct_unique, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_acct_unique
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"acct_unique" from file /etc/freeradius/modules/acct_unique
Fri Sep 15 09:07:01 2017 : Debug: acct_unique {
Fri Sep 15 09:07:01 2017 : Debug: key = "User-Name,
Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking accounting {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_detail, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_detail
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "detail"
from file /etc/freeradius/modules/detail
Fri Sep 15 09:07:01 2017 : Debug: detail {
Fri Sep 15 09:07:01 2017 : Debug: detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
Fri Sep 15 09:07:01 2017 : Debug: header = "%t"
Fri Sep 15 09:07:01 2017 : Debug: detailperm = 384
Fri Sep 15 09:07:01 2017 : Debug: dirperm = 493
Fri Sep 15 09:07:01 2017 : Debug: locking = no
Fri Sep 15 09:07:01 2017 : Debug: log_packet_header = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_unix, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_unix
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "unix"
from file /etc/freeradius/modules/unix
Fri Sep 15 09:07:01 2017 : Debug: unix {
Fri Sep 15 09:07:01 2017 : Debug: radwtmp =
"/var/log/freeradius/radwtmp"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_attr_filter, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_attr_filter
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
Fri Sep 15 09:07:01 2017 : Debug: attr_filter
attr_filter.accounting_response {
Fri Sep 15 09:07:01 2017 : Debug: attrsfile =
"/etc/freeradius/attrs.accounting_response"
Fri Sep 15 09:07:01 2017 : Debug: key = "%{User-Name}"
Fri Sep 15 09:07:01 2017 : Debug: relaxed = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/attrs.accounting_response
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking session {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_radutmp, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_radutmp
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"radutmp" from file /etc/freeradius/modules/radutmp
Fri Sep 15 09:07:01 2017 : Debug: radutmp {
Fri Sep 15 09:07:01 2017 : Debug: filename =
"/var/log/freeradius/radutmp"
Fri Sep 15 09:07:01 2017 : Debug: username = "%{User-Name}"
Fri Sep 15 09:07:01 2017 : Debug: case_sensitive = yes
Fri Sep 15 09:07:01 2017 : Debug: check_with_nas = yes
Fri Sep 15 09:07:01 2017 : Debug: perm = 384
Fri Sep 15 09:07:01 2017 : Debug: callerid = yes
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-proxy {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-auth {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
Fri Sep 15 09:07:01 2017 : Debug: attr_filter attr_filter.access_reject {
Fri Sep 15 09:07:01 2017 : Debug: attrsfile =
"/etc/freeradius/attrs.access_reject"
Fri Sep 15 09:07:01 2017 : Debug: key = "%{User-Name}"
Fri Sep 15 09:07:01 2017 : Debug: relaxed = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/attrs.access_reject
Fri Sep 15 09:07:01 2017 : Debug: } # modules
Fri Sep 15 09:07:01 2017 : Debug: } # server
Fri Sep 15 09:07:01 2017 : Debug: server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:01 2017 : Debug: modules {
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authenticate {...}
for more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authorize {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking session {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-proxy {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-auth {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: } # modules
Fri Sep 15 09:07:01 2017 : Debug: } # server
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Opening IP addresses and
Ports ####
Fri Sep 15 09:07:01 2017 : Debug: listen {
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = *
Fri Sep 15 09:07:01 2017 : Debug: port = 0
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: listen {
Fri Sep 15 09:07:01 2017 : Debug: type = "acct"
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = *
Fri Sep 15 09:07:01 2017 : Debug: port = 0
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: listen {
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 127.0.0.1
Fri Sep 15 09:07:01 2017 : Debug: port = 18120
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: ... adding new socket proxy address *
port 51874
Fri Sep 15 09:07:01 2017 : Debug: ... adding new socket proxy address *
port 60324
Fri Sep 15 09:07:01 2017 : Debug: ... adding new socket proxy address *
port 57887
Fri Sep 15 09:07:01 2017 : Debug: Listening on authentication address *
port 1812
Fri Sep 15 09:07:01 2017 : Debug: Listening on accounting address * port
1813
Fri Sep 15 09:07:01 2017 : Debug: Listening on authentication address
127.0.0.1 port 18120 as server inner-tunnel
Fri Sep 15 09:07:01 2017 : Debug: Listening on proxy address * port 1814
Fri Sep 15 09:07:01 2017 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=30, length=287
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x02020017017073697461727a40696a702e70616e2e706c
Message-Authenticator = 0xe3b9300c51ffe43e482510eccd899c44
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 2
length 23
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] attempting LDAP reconnection
Fri Sep 15 09:07:16 2017 : Debug: [ldap] (re)connect to
ldap1.mydomain.com:389, authentication 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] bind as
cn=freeradius,ou=services,dc=ijp,dc=pan,dc=local/rad--IJP--02 to
ldap1.mydomain.com:389
Fri Sep 15 09:07:16 2017 : Debug: [ldap] waiting for bind result ...
Fri Sep 15 09:07:16 2017 : Debug: [ldap] Bind was successful
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP Identity
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type md5
Fri Sep 15 09:07:16 2017 : Debug: rlm_eap_md5: Issuing Challenge
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 30 to 10.24.100.41 port 32773
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message = 0x01030016041093d2cac6b3d1336be38f63896a404f69
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebcc2d4be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 0.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=31, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020300060319
State = 0xbcc1d00ebcc2d4be84f2b34ad01933f1
Message-Authenticator = 0xa15f469880c1d97b82fba834c87bd10b
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 3
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP NAK
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP-NAK asked for EAP-Type/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type tls
Fri Sep 15 09:07:16 2017 : Info: [tls] Initiate
Fri Sep 15 09:07:16 2017 : Info: [tls] Start returned 1
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 31 to 10.24.100.41 port 32773
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebdc5c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 1.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=32, length=395
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x0204007119800000006716030100620100005e030159bb7c3b7f85ba3410a1b66afdd8eb687b96f62ad26175641d3ed2aa9cee899300001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
State = 0xbcc1d00ebdc5c9be84f2b34ad01933f1
Message-Authenticator = 0xdb5b1081947941e25dbe17961232739c
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 4
length 113
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Debug: TLS Length 103
Fri Sep 15 09:07:16 2017 : Info: [peap] Length Included
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 11
Fri Sep 15 09:07:16 2017 : Info: [peap] (other): before/accept
initialization
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: before/accept
initialization
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 Handshake [length
0062], ClientHello
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
0039], ServerHello
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
08a6], Certificate
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
014b], ServerKeyExchange
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
0004], ServerHelloDone
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: Need to read
more data: unknown state
Fri Sep 15 09:07:16 2017 : Debug: In SSL Handshake Phase
Fri Sep 15 09:07:16 2017 : Debug: In SSL Accept mode
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 32 to 10.24.100.41 port 32773
EAP-Message =
0x0105040019c000000a4216030100390200003503018185835081a6c1001c29d0732978cd92ae81954b6b08f4e4f5c76d011aebb7b400c01400000dff01000100000b00040300010216030108a60b0008a200089f000488308204843082036ca003020102020100300d06092a864886f70d0101050500308188310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c147375626361312e696a702e70616e2e6c
EAP-Message =
0x6f63616c301e170d3137303832313131303233355a170d3332303831373131303233355a308187310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311c301a06035504030c136c646170312e696a702e70616e2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100bf2015679983021d7e971d84ea7c7f5ba06e4b4808b7674f687fc0880cf4635a2db718cb22982ddd8822afe970ec
EAP-Message =
0x2d745deac6e6acf21e7330b77cd86fdb28ab4e04eda8789771a6e30890e6b67c3e111bcd017b12856072c19afefc1d07fcd1a6c53e66cdd8008e8766a1e7dbce66966e07814e08c6bbc2399cae3694dba14c021b588a967cbf5e23197c8593cf28bd84f44a03ecfdfc4e34000e07e9edf676b57633787cb5c3a7b4406c8f4d535c2ffe08f5ce60756500f3887c62b1c34c1088b27de433a9aef286b914e38f6bb307d322586bb33dcd74352dfc37e28eae33f4299d5d120a521a6c691a0980a22ad63ed220331210383ee14edd24be3088b90203010001a381f73081f430090603551d1304023000302c06096086480186f842010d041f161d4f70656e
EAP-Message =
0x53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143b1a3710cdf72a3288cc76cc3d5ad3e9b2384503301f0603551d23041830168014c1d62dd5cd9967b990856c18acc7f2e64f40a29c304106082b0601050507010104353033303106082b060105050730028625687474703a2f2f6b302e696a702e70616e2e6c6f63616c2f63612f7375626361312e63727430360603551d1f042f302d302ba029a0278625687474703a2f2f6b312e696a702e70616e2e6c6f63616c2f63612f7375626361312e63726c300d06092a864886f70d0101050500038201010062dae87f130c1ab3ef0acf5bd31aed2b4f524b4a84
EAP-Message = 0xaf5192d4e9d1c6301ce43d01
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebec4c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 2.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=33, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020500061900
State = 0xbcc1d00ebec4c9be84f2b34ad01933f1
Message-Authenticator = 0xfb763038263f85526f7d8abaa936a1bf
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 5
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] Received TLS ACK
Fri Sep 15 09:07:16 2017 : Info: [peap] ACK handshake fragment handler
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 1
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 33 to 10.24.100.41 port 32773
EAP-Message =
0x010603fc1940b01e45053cb5d289d8a07c691f42babbaf4150ea36d712beb08a0c1eaa301b5df2b9d6975f9dfecbe42c847567bd961d58a520d68fb34854326b7dba525597e4ac0b1a5a66b9d677be1f5e0adfd325311af927356634a7f8aee2770898b4044daf46d89745f7262026f2e1b81caa53a4aebd5310ba988cd6364fd6b79795f38e23d047ad0af23bbcd5407317cb01b49b61eac8d67cf784948797aba3968b094cdfb93c2177da70b000f1797bf3bd979b8317daec32cd87cfa3a471d891abdacea5776581fb2416c93b2f01ba6b6728099d7e26d7974eec099035ee212077e70004113082040d308202f5a003020102020900fda7ea2091
EAP-Message =
0x83fda3300d06092a864886f70d01010505003077310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b696531263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c14726f6f7463612e696a702e70616e2e6c6f63616c301e170d3137303832313130343434315a170d3337303831363130343434315a308188310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120
EAP-Message =
0x506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c147375626361312e696a702e70616e2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100cec338083565b45728e1f8176ba4daabda4ea88555201f503e3977492e85b49759cd232e7934acd16194ca3889d6975a29f68017427738b2fe57db0951e879afb9f5eae6a75a8d8b96cc12acb9686227322a555ec7e298b77b139874e9c0935d52117991a27281644f351bbacf3f804a1da86f26e784a507ec21e3aacfaf5e686fc01e570397f2dcc5822edd7c0b59f20dc48c408453ba7e9ea170a72c175ca352818c
EAP-Message =
0xf095d192d42cf58272c00c477f2e1755104ced45567186bd44f7b3ab6c947a427e0f3e54c5d88e544c349f16737de5c8191785c2a5af1be735466dff6bdb08682494b1b54c25429014c59437925c441f4c1e42ceb12b7d060b7159f5350203010001a38189308186301d0603551d0e04160414c1d62dd5cd9967b990856c18acc7f2e64f40a29c301f0603551d230418301680148ae199d104b425c1279d439e0b0d2487dfda236c300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f6b312e696a702e70616e2e6c6f63616c2f63612f726f6f7463612e63726c300d06092a864886f70d0101050500
EAP-Message = 0x0382010100a7ba01
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebfc7c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 3.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=34, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020600061900
State = 0xbcc1d00ebfc7c9be84f2b34ad01933f1
Message-Authenticator = 0x78af48b2e32899574eb459692278e13a
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 6
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] Received TLS ACK
Fri Sep 15 09:07:16 2017 : Info: [peap] ACK handshake fragment handler
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 1
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 34 to 10.24.100.41 port 32773
EAP-Message =
0x0107025c19004d16d1c7a4c127b06c3974533a055af202e7fe05f13dc5f78bf50eb852b25913965c85f981b45b174003af43ddbb5d8754406a26645dd06a9d4ce4b1622de1b4cec8a3d91f973b6332ba5fd78ff18e6feb1b87e664ee981c68523c4d9517a9c8f97abbefd1d76ba66dbeee1fe4e8d4420f6606ff280119897d3026e466910f5ebb892ce764e60fc8d7e4eb2f1609348a405b6e92133d1f4a6f612f4a6eee9c1c04677bcf3e574dc88d64e8972be7d01a080968f189d9258bca3419feff11a7409ae6471a32eab899837f79f8c8116f27ecf63daf802cd7b0df1b3a767d46bb4a40f07b0ead84f31ba36292b6df736e38d9b2f25e2e1483
EAP-Message =
0x6e854d35643c160301014b0c0001470300174104c749e5af44a1f2c9b879f1f7d840237935fd1df922ab61437f05c1d22a4638aff08e10339671937adc00893635bd845462fc0154817d3b5a116d142e1bac5f4201001bbdf61538895d0d92597c97b5d1ee8399d775cccb53cb7d67b3794daf6a2b452b4e6050d41d9a7411b7457c7294b2e1d736c4ab51ffd5208739525e84115b183aad5ba3e02874c3156f2f6167996e546d7f0e18cec93d124251d483a82cada947992d2c9c8f961939b12d388095aa01a11f88be2dc8517174d7dcc89b1119c5f66512194b940e795c6f119440bfcfdaeceda9855551af8932e73270689e74e474adfd1d07157e
EAP-Message =
0x0ee4449c6e6b535f410007efc4607971c3efa594861aa9ee3561f2ad2bc786e7709f9b5e094d809c2561d9d78eecba382efdac6303efd502c1f3b56822599f13b73c72693373256bc1d266769a2ed2201947a1444b2424e3b216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00eb8c6c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 4.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=35, length=426
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x0207009019800000008616030100461000004241049d9710b7a426a3513d57e030bab3b25a4edf8ca94bbb7eee10006e28e28e5c512206aed775a97bec0a76df64f1fc669507917cabfe556cde04b31ca9f6ac756e1403010001011603010030bda12143c44ac47dd3649040750bb5bb2087fa7dc17179928504e7e470dd78ddfd264d269d3f2fd70711f63f11e67949
State = 0xbcc1d00eb8c6c9be84f2b34ad01933f1
Message-Authenticator = 0x06d4628d7d8179d2d01a8385b86bcfd0
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 7
length 144
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Debug: TLS Length 134
Fri Sep 15 09:07:16 2017 : Info: [peap] Length Included
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 11
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 Handshake [length
0046], ClientKeyExchange
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 Handshake [length
0010], Finished
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
0010], Finished
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] (other): SSL negotiation
finished successfully
Fri Sep 15 09:07:16 2017 : Debug: SSL Connection Established
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 35 to 10.24.100.41 port 32773
EAP-Message =
0x01080041190014030100010116030100309cd4d10a07b4d67d561d06430c7165c09277f7946aa722b96cf27f896ea980206825dc614435f7bf0835e8e484977d23
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00eb9c9c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 5.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=36, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020800061900
State = 0xbcc1d00eb9c9c9be84f2b34ad01933f1
Message-Authenticator = 0x262dea598010395c76016ea6f7099a1f
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 8
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] Received TLS ACK
Fri Sep 15 09:07:16 2017 : Info: [peap] ACK handshake is finished
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 3
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 3
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_SUCCESS
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state TUNNEL ESTABLISHED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 36 to 10.24.100.41 port 32773
EAP-Message =
0x0109002b19001703010020364933ca1f707384c392a6841c48ed1c0e1a241b99f5e087dc818743cb2507d4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebac8c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 6.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=37, length=341
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x0209003b1900170301003064732805af4010f3b1137dfc4a31da6d74eb906b3a7c681a01e0f7c9a0fd015df5ebb14b96b6a7c44354cc2260b91b2a
State = 0xbcc1d00ebac8c9be84f2b34ad01933f1
Message-Authenticator = 0x329df1765f0c2fc1e6a35faab42c2056
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 9
length 59
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] Done initial handshake
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_OK
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state WAITING FOR INNER
IDENTITY
Fri Sep 15 09:07:16 2017 : Info: [peap] Identity - psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Info: [peap] Got inner identity
'psitarz(a)mydomain.com'
Fri Sep 15 09:07:16 2017 : Info: [peap] Setting default EAP type for
tunneled EAP session.
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled request
EAP-Message = 0x02090017017073697461727a40696a702e70616e2e706c
server {
Fri Sep 15 09:07:16 2017 : Info: [peap] Setting User-Name to
psitarz(a)mydomain.com
Sending tunneled request
EAP-Message = 0x02090017017073697461727a40696a702e70616e2e706c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 9
length 23
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP Identity
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type mschapv2
Fri Sep 15 09:07:16 2017 : Debug: rlm_eap_mschapv2: Issuing Challenge
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
} # server inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message =
0x010a002c1a010a0027105c28e3c5119990bfecac594ca8283abe7073697461727a40696a702e70616e2e706c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd9fc6e1ed9f6747899ae3f4494b5bd42
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message =
0x010a002c1a010a0027105c28e3c5119990bfecac594ca8283abe7073697461727a40696a702e70616e2e706c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd9fc6e1ed9f6747899ae3f4494b5bd42
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 01 0a 00 27 10 5c 28 e3 c5 11 99 90 bf
ec ac
PEAP tunnel data out 0010: 59 4c a8 28 3a be 70 73 69 74 61 72 7a 40
69 6a
PEAP tunnel data out 0020: 70 2e 70 61 6e 2e 70 6c
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 37 to 10.24.100.41 port 32773
EAP-Message =
0x010a004b190017030100400aa668edae7f810d1ee048d420a7e0da4ed981b1f3600eaf99fcc21365740c8f52c6f995b1dda5c3672245d5189d2e57e02017247a53c2e6bae6c1ba226a5676
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebbcbc9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 7.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=38, length=389
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x020a006b190017030100609c8e8afad49636b8659624cca08c0af13596288fa47edf937944bdef3d4e0de58e67e9c03e69aa6231ce684940848f416242f7c72b34a5487f1638a87920db4293467e7e0566b999463ba56d78483646a844ed67b203597983e21fe4d551473f
State = 0xbcc1d00ebbcbc9be84f2b34ad01933f1
Message-Authenticator = 0x2f84e9005e5ce14f6b0b4d26cabe49c5
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 10
length 107
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] Done initial handshake
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_OK
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state phase2
Fri Sep 15 09:07:16 2017 : Info: [peap] EAP type mschapv2
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled request
EAP-Message =
0x020a004d1a020a00483127a0255afce7ebd675f5e2580c500e5e0000000000000000dbdff2050731af4d5e7f6bbcc15f6ba740b157f5df29b787007073697461727a40696a702e70616e2e706c
server {
Fri Sep 15 09:07:16 2017 : Info: [peap] Setting User-Name to
psitarz(a)mydomain.com
Sending tunneled request
EAP-Message =
0x020a004d1a020a00483127a0255afce7ebd675f5e2580c500e5e0000000000000000dbdff2050731af4d5e7f6bbcc15f6ba740b157f5df29b787007073697461727a40696a702e70616e2e706c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "psitarz(a)mydomain.com"
State = 0xd9fc6e1ed9f6747899ae3f4494b5bd42
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 10
length 77
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/mschapv2
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type mschapv2
Fri Sep 15 09:07:16 2017 : Info: [mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: [mschapv2] +group MS-CHAP {
Fri Sep 15 09:07:16 2017 : Info: [mschap] Creating challenge hash with
username: psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Info: [mschap] Client is using MS-CHAPv2 for
psitarz(a)mydomain.com, we need NT-Password
Fri Sep 15 09:07:16 2017 : Info: [mschap] WARNING: Deprecated
conditional expansion ":-". See "man unlang" for details
Fri Sep 15 09:07:16 2017 : Info: [mschap] expand:
--username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=psitarz
Fri Sep 15 09:07:16 2017 : Info: [mschap] Creating challenge hash with
username: psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=30cedb6750524fca
Fri Sep 15 09:07:16 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=dbdff2050731af4d5e7f6bbcc15f6ba740b157f5df29b787
Fri Sep 15 09:07:16 2017 : Debug: Exec output: Logon failure (0xc000006d)
Fri Sep 15 09:07:16 2017 : Debug: Exec plaintext: Logon failure
(0xc000006d)
Fri Sep 15 09:07:16 2017 : Info: [mschap] Exec: program returned: 1
Fri Sep 15 09:07:16 2017 : Info: [mschap] External script failed.
Fri Sep 15 09:07:16 2017 : Info: [mschap] FAILED: MS-CHAP2-Response is
incorrect
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = reject
Fri Sep 15 09:07:16 2017 : Info: +} # group MS-CHAP = reject
Fri Sep 15 09:07:16 2017 : Info: [eap] Freeing handler
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = reject
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = reject
Fri Sep 15 09:07:16 2017 : Info: Failed to authenticate the user.
Fri Sep 15 09:07:16 2017 : Info: Using Post-Auth-Type REJECT
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group REJECT {
Fri Sep 15 09:07:16 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Sep 15 09:07:16 2017 : Info: ++[attr_filter.access_reject] = updated
Fri Sep 15 09:07:16 2017 : Info: +} # group REJECT = updated
} # server inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply code 3
Reply-Message = "YYYY HIT: my_wifi"
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply RADIUS code 3
Reply-Message = "YYYY HIT: my_wifi"
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Fri Sep 15 09:07:16 2017 : Info: [peap] Tunneled authentication was
rejected.
Fri Sep 15 09:07:16 2017 : Info: [peap] FAILURE
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 38 to 10.24.100.41 port 32773
EAP-Message =
0x010b002b1900170301002081117f973bff6879014450c7523c384a68e5d5c65e7d952d690f53d929d388a5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00eb4cac9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 8.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=39, length=325
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x020b002b1900170301002018e0dac5f02e034e89760f78d0c904adb33c3619b1c5a0a946f01f7f0beed16d
State = 0xbcc1d00eb4cac9be84f2b34ad01933f1
Message-Authenticator = 0x867f83b390796be84d7ea49fa63c6775
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 11
length 43
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] Done initial handshake
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_OK
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state send tlv failure
Fri Sep 15 09:07:16 2017 : Info: [peap] Received EAP-TLV response.
Fri Sep 15 09:07:16 2017 : Info: [peap] The users session was
previously rejected: returning reject (again.)
Fri Sep 15 09:07:16 2017 : Info: [peap] *** This means you need to read
the PREVIOUS messages in the debug output
Fri Sep 15 09:07:16 2017 : Info: [peap] *** to find out the reason why
the user was rejected.
Fri Sep 15 09:07:16 2017 : Info: [peap] *** Look for "reject" or
"fail". Those earlier messages will tell you.
Fri Sep 15 09:07:16 2017 : Info: [peap] *** what went wrong, and how to
fix the problem.
Fri Sep 15 09:07:16 2017 : Info: [eap] Handler failed in EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] Failed in EAP select
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = invalid
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = invalid
Fri Sep 15 09:07:16 2017 : Info: Failed to authenticate the user.
Fri Sep 15 09:07:16 2017 : Info: Using Post-Auth-Type REJECT
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group REJECT {
Fri Sep 15 09:07:16 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Sep 15 09:07:16 2017 : Info: ++[attr_filter.access_reject] = updated
Fri Sep 15 09:07:16 2017 : Info: +} # group REJECT = updated
Fri Sep 15 09:07:16 2017 : Info: Delaying reject of request 9 for 1 seconds
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 0.9 seconds.
Fri Sep 15 09:07:17 2017 : Info: Sending delayed reject for request 9
Sending Access-Reject of id 39 to 10.24.100.41 port 32773
EAP-Message = 0x040b0004
Message-Authenticator = 0x00000000000000000000000000000000
Fri Sep 15 09:07:17 2017 : Debug: Waking up in 3.8 seconds.
--
Z poważaniem / Yours sincerely
Zenon Matuszyk
mobile: 00 48 797 004 938
e-mail: zenon.matuszyk(a)networkers.pl
www: http://www.networkers.pl
2
5
Hi,
I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and
configured the external authentication with 389-DS server using rlm_ldap
module. I would like to authenticate the mac address of all the user which
I have stored in LDAP. The macaddress field in LDAP is a multi value
attribute and the Freeraiud is communicating with LDAP without any issues,
but the freeradius is authenticating only the first macaddress value from
LDAP's multi value field.
I would like to configure the Freeradius to authenticate all the values
from multi value filed. Someone suggested that we can configure this using
rlm_python or rlm_perl module. I am not a coder and I am not able to find
any step by guide to configure the same. Could someone guide me on how to
configure the Freeradius to authenticate Multi-valued LDAP attribute?
Thank you in advance for your time and support.
Regards,
--
Srinivas R
8
18
Peace,
I have free radius 3.0.14 and I managed to authenticate using peap and ttls
using the self signed server certificate. I tried to push it further with
requiring client certificates but that didn't work.
I get the following message in the radius log:
ERROR: (20) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
Wed Sep 13 15:56:33 2017 : Error: tls: TLS_accept: Error in error
Wed Sep 13 15:56:33 2017 : Auth: (20) Login incorrect (eap_peap: TLS Alert
write:fatal:handshake failure): [ameen/<via Auth-Type = eap>] (from client
cisco switch port 50247 cli C3-6F-2F-15-82-3B)
I ducked ducked the internet for the mentioned error and on how to install
client certificates for windows but I couldn't find a solution.
I imagine I correctly imported the server certificate but am unsure about
the client certificate.
I generated the client certificates by editing client.cnf as follows:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 1826
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = ameen
output_password = ameen
[client]
countryName = RU
stateOrProvinceName = Samara
localityName = place
organizationName = comp
emailAddress = ameen(a)test.ru <mailto:ameen@test.ru>
commonName = ameen
then I make client .pem and a file named ameen(a)test.ru.pem
<mailto:ameen@test.ru.pem> is generated. For the next certificate I just
change the email and common name and make client.pem again. I tried to
import the client certificate in windows using mmc, then adding the snap-in
certificates and importing ameen(a)test.ru.pem <mailto:ameen@test.ru.pem> to
the trusted root center certificate. I also tried double clicking on
client.p12 and letting it install automatically but that installed in the
private folder. I tried to double click again and import to the trusted root
center certificate but that does the same thing as the pem file and installs
the ameen certificate. I then checked peap in windows and selected to
validate certificate and chose the ca, server and client certificate and
chose mschapv2 as authentication, unchecked use windows logon credentials
and saved the username and password in extra parameters. The username was
saved in mysql using daloradius and it worked fine until I required using
client certificate.
Here is the eap configuration:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
tls-config tls-common {
private_key_password = ameen
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
# auto_chain = yes
# psk_identity = "test"
# psk_hexphrase = "036363823"
dh_file = ${certdir}/dh
random_file = /dev/urandom
# fragment_size = 1024
# include_length = yes
# check_crl = yes
# Check if intermediate CAs have been
revoked.
# check_all_crl = yes
ca_path = ${cadir}
# check_cert_issuer =
"/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
cipher_server_preference = no
# disable_tlsv1_2 = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24 # hours
#name = "EAP module"
#persist_dir =
"${logdir}/tlscache"
}
## EAP-TLS
#
# As of Version 3.0, the TLS configuration for TLS-based
# EAP types is above in the "tls-config" section.
#
tls {
# Point to the common TLS configuration
tls = tls-common
#
# As part of checking a client certificate,
the EAP-TLS
# sets some attributes such as
TLS-Client-Cert-CN. This
# virtual server has access to these
attributes, and can
# be used to accept or reject the request.
#
# virtual_server = check-eap-tls
}
## EAP-TTLS
#
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
ttls {
# Which tls-config section the TLS
negotiation parameters
# are in - see EAP-TLS above for an
explanation.
#
# In the case that an old configuration
from FreeRADIUS
# v2.x is being used, all the options of
the tls-config
# section may also appear instead in the
'tls' section
# above. If that is done, the tls= option
here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default
EAP type
# which is separate from the one for the
non-tunneled
# EAP module. Inside of the TTLS tunnel,
we recommend
# using EAP-MD5. If the request does not
contain an
# EAP conversation, then this configuration
entry is
# ignored.
#
default_eap_type = mschapv2
# The tunneled authentication request does
not usually
# contain useful attributes like
'Calling-Station-Id',
# etc. These attributes are outside of the
tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
'yes',
# any attribute which is NOT in the
tunneled
# authentication request, but which IS
available
# outside of the tunnel, is copied to the
tunneled
# request.
#
# allowed values: {no, yes}
#
copy_request_to_tunnel = no
#
# As of version 3.0.5, this configuration
item
# is deprecated. Instead, you should use
#
# update outer.session-state {
# ...
#
# }
#
# This will cache attributes for the final
Access-Accept.
#
# The reply attributes sent to the NAS are
usually
# based on the name of the user 'outside'
of the
# tunnel (usually 'anonymous'). If you
want to send
# the reply attributes based on the user
name inside
# of the tunnel, then set this
configuration entry to
# 'yes', and the reply to the NAS will be
taken from
# the reply to the tunneled request.
#
# allowed values: {no, yes}
#
use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This has the same meaning, and
overwrites, the
# same field in the "tls" configuration,
above.
# The default value here is "yes".
#
# include_length = yes
#
# Unlike EAP-TLS, EAP-TTLS does not require
a client
# certificate. However, you can require one
by setting the
# following option. You can also override
this option by
# setting
#
# EAP-TLS-Require-Client-Cert =
Yes
#
# in the control items for a request.
#
require_client_cert = yes
}
## EAP-PEAP
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
# proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
# soh = yes
# soh_virtual_server = "soh-server"
require_client_cert = yes
}
Is any more information needed and what am I doing wrong?
2
3
Hello everybody,
I didn't find a thread with exactly my problem, so I start a new thread.
I'm having problem with new certs in my freeradius server.
I did what README file but didn't work for me.
in radiusd -X log I see this:
(14) Received Access-Request Id 143 from 192.168.100.149:43928 to 10.0.130.23:1812 length 343
(14) User-Name = "usuario"
(14) Called-Station-Id = "C4-E9-84-91-2E-FE:OpenWrt"
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port = 1
(14) Calling-Station-Id = "28-56-5A-0B-6D-83"
(14) Connect-Info = "CONNECT 54Mbps 802.11g"
(14) Acct-Session-Id = "59BA907E-00000018"
(14) WLAN-Pairwise-Cipher = 1027076
(14) WLAN-Group-Cipher = 1027076
(14) WLAN-AKM-Suite = 1027073
(14) Framed-MTU = 1400
(14) EAP-Message = 0x02e70090198000000086160301004610000042410492d1ad5ac120e777664ce20c7c650f4e41bc63a2eca81c1dbe4823c38737e4b81569bf9ec7f238534875e6f5b1525501127a1b9d59f780572d294986bb2f82091403010001011603010030d0e814aba78d0c8affc8aca00d5577364bcf5880d8616f
(14) State = 0x64dfe0536738f990f317a982d66da244
(14) Message-Authenticator = 0x5340ff52aba979858d1a8e7d661ac258
(14) session-state: No cached attributes
(14) # Executing section authorize from file /etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (!&User-Name) {
(14) if (!&User-Name) -> FALSE
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@.*@/ ) {
(14) if (&User-Name =~ /@.*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /(a)\./) {
(14) if (&User-Name =~ /(a)\./) -> FALSE
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "usuario", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 231 length 144
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0x64dfe0536738f990
(14) eap: Finished EAP session with state 0x64dfe0536738f990
(14) eap: Previous EAP request found for state 0x64dfe0536738f990, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(14) eap_peap: Got complete TLS record (134 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(14) eap_peap: TLS_accept: SSLv3 read client key exchange A
(14) eap_peap: TLS_accept: SSLv3 read certificate verify A
(14) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(14) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(14) eap_peap: TLS_accept: SSLv3 read finished A
(14) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(14) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(14) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(14) eap_peap: TLS_accept: SSLv3 write finished A
(14) eap_peap: TLS_accept: SSLv3 flush data
(14) eap_peap: (other): SSL negotiation finished successfully
(14) eap_peap: SSL Connection Established
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 232 length 65
(14) eap: EAP session adding &reply:State = 0x64dfe0536037f990
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Sent Access-Challenge Id 143 from 10.0.130.23:1812 to 192.168.100.149:43928 length 0
(14) EAP-Message = 0x01e80041190014030100010116030100307ed7fccb2ae6411aaf4df33748b8b02954729256ddd506ace2d362f9cd28c4e05489136e8cbd84abb28b3d0921f1300a
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x64dfe0536037f990f317a982d66da244
(14) Finished request
(14) Cleaning up request packet ID 143 with timestamp +187
Ready to process requests
up to here, everything seems right.
but when I start service, in service log I see this:
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A
Thu Sep 14 14:09:13 2017 : ERROR: (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
Thu Sep 14 14:09:13 2017 : Auth: (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [usuario] (from client wrtnicolas.fder port 1 cli 28-56-5A-0B-6D-83)
any help will be wellcome.
saludos/greetings
Nicolás.
3
4
Hi FreeRadius experts,
I would like to seek advice at configuring freeradius to overcome an issue that we had encountered recently. We noticed recently that login into our switches/routers took considerably longer than before.
The VM (CentOS 7, with freeradius 3.04) didn't have much load at all:
load average: 0.00, 0.01, 0.05
After some more trouble shooting, I realized that the problem was related to writing detail accounting files:
Wed Sep 6 13:22:38 2017 : ERROR: (219185) ERROR: detail : Couldn't open file /var/log/radius/radacct/10.1.1.26/detail-20170906: Too many different filenames
By searchin online, it appears that there is a hard coded limit of 64 files in log.c
lf->max_entries = 64;
When we hit that limit, login into our switches/routers become slow.
Our normal work load usually does not trig this problem. A handful of network admins log into switches and routers when we need to until we examine switch issue by using a script via cron (with ~40 parallel login into different switches at a time every 10 minutes), then we started to encounter slow login while these jobs were busy.
Now that we know the root cause of the problem, we could mitigate the problem by
1. recompile the code with high max_entries number.
2. add more radius servers and randomize switch radius server configuration.
3. optizime freeradius configuration.
Our current setup is very basic, unix (nis) authentication, detail file accounting. I would like to hear recommendations of resolving \
this accounting issue, preferably not patching/recompiling code from time to time.
Shall we configure MySQL/PostgreSQL database for accounting only?
Thank you very much for your help.
Zhi-Wei Lu
IET-CR-Network Operations Center
University of California, Davis
(530) 752-0155
2
6
Hi,
I'm using the freeradius rest module to convert form json to radius format.
I have a TLV attribute with several sub-attributes and I want to control
the order that the rest module puts the sub attributes.
For example, lets say I have an example TLV (tlv_example) with 2 sub
attributes, a string (*sub1*) and an integer (*sub2*).
I want to create 2 instances of the *tlv_example*, each with its own 2 sub
attributes. How should I send the information to the rest module in a way
that it would generate 2 seperate AVPs (one for each tlv) and how can I
control the order of the sub-attributes inside each AVP?
The format I used so far was sending an array for each sub attribute and
this created a single AVP that contained all of the sub attributes in the
follwoing order:
<sub1_instance1><sub1_instance2><sub2_instance1><sub2_instance2>
Meaning all instances of the same sub attribute were grouped together and i
would like the format to be:
<sub1_instance1<sub2_instance1>><sub1_instance2><sub2_instance2>
Meaning all sub attributes of the same instance to be grouped (in a
seperate TLV).
What is the json format I need to use for that to happen?
Thanks,
Avner
4
13
EAP-TLS: Strategies for getting the right certificate to the right user
by Chevalier Violet 13 Sep '17
by Chevalier Violet 13 Sep '17
13 Sep '17
I've been googling around and kind of surprised to not be seeing a ton of
resources about this. Maybe you all can help!
EAP-TLS: Strategies for getting the right certificate to the right user. It
needs to be relatively automated. I do have users coming by with BYOD
devices, e.g. iPhones (omg they're super finicky about the freeradius setup
but that's another story!), frequently when I'm not around to set them up.
Users are starting with no internet access.
I was thinking maybe of the following:
1) Use some kind of TTLS-MSCHAPv2 thing with a standard user & password
for guests that would change every so often. Maybe let them use the
internet either i) for a few minutes at a time or ii) only to access a page
on the internal network from which they could download the guest
certificate that would allow them to connect via EAP-TLS? 3) the certs
would expire after a few days.
I have been struggling to get even my own iPhone to have the proper cert!
On the bright side, my two linux machines are now working with EAP-TLS so
there's hope for me! I wish I could just put the certs on a USB key but
that doesn't work for phones. And it's a bunch of Linux machines, no
Windows or Macs around. Excuse me if this is a n00b question.
Thanks everyone!
PS At this link:
https://github.com/FreeRADIUS/freeradius-server/issues/2045#
issuecomment-324641610
Arr2036 mentions that the hot spot 2.0 standards set out how this could
work, with auto-renewing certs and the whole 9 yards. I wasn't able to find
how to make that work for linux, for instance with freeradius. Thanks!
5
9