Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2017
- 77 participants
- 100 discussions
New functionality is being added in v4.0.x to allow new sub-requests to be generated by requests received by the server.
The basic format is:
<keyword> [virtual-server.]<packet-type> {
<sub-request-attr0> := <parent attr0>
<sub-request-attr1> += <parent attr1>
<sub-request-attrN> += <parent attrN>
}
There's debate about what <keyword> should be, and whether there should be multiple <keywords> for async - where we split the lifetime of the sub-request from its parent, and synchronous behaviour - where we wait for the sub-request to return before we continue processing.
The original keyword was "fork", and has since been changed to "create". Do people have any opinions on what the easiest to infer and most consistent keyword to use here would be?
Some other ideas were "spawn", and "child".
There's no guarantee that the most popular keyword/idea will be used, but it'll at least inform us of general public opinion :)
-Arran
5
10
In rlm_exec to execute perl script what is
wait = yes
output = none
#input_pairs = request
output_pairs = none
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
3
3
Hello,
I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth
from samba. I use default settings, follow freeradius-active-directory-
integration-howto. All work correctly for username length up to 5
characters, but when I use username, where the length is more than 5
characters, freeradius terminated due memory corruption.
(freeradius v.3.0.15, running on debian Wheezy64).
debug for username length more than 5 characters:
...
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10) [ntdomain] = noop
(10) update control {
(10) &Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 11 length 6
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/inner
(10) authenticate {
(10) eap: Expiring EAP session with state 0x00b1f6cf01baecde
(10) eap: Finished EAP session with state 0x00b1f6cf01baecde
(10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released
from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap: Sending EAP Success (code 3) ID 11 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-
enabled/inner
(10) post-auth {
(10) if (1) {
(10) if (1) -> TRUE
(10) if (1) {
(10) update reply {
(10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7
efef0171bb6]
*** glibc detected *** freeradius: free(): invalid next size (fast): 0x
0000000000b61230 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7
efef2023b56]
/usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef
2263c9d]
freeradius[0x4278ad]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius(modcall+0x43)[0x4286a3]
freeradius(indexed_modcall+0xa5)[0x423205]
freeradius(rad_postauth+0x80)[0x4118a0]
freeradius(rad_virtual_server+0x3d0)[0x4128f0]
/usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872]
/usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2]
/usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb]
/usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58]
/usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15]
freeradius[0x4283b2]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius(modcall+0x43)[0x4286a3]
freeradius(indexed_modcall+0xa5)[0x423205]
freeradius(rad_authenticate+0x73d)[0x4122bd]
freeradius[0x4368ba]
freeradius[0x4322ad]
freeradius(request_receive+0x337)[0x433f97]
freeradius[0x41d5b9]
freeradius[0x4316ad]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef2036
c59]
freeradius(main+0x6af)[0x410dbf]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead]
freeradius[0x411105]
======= Memory map: ========
00400000-00463000 r-xp 00000000 01:01 77414 /
usr/sbin/freeradius
00662000-00665000 r--p 00062000 01:01 77414 /
usr/sbin/freeradius
00665000-00669000 rw-p 00065000 01:01 77414 /
usr/sbin/freeradius
00669000-0066a000 rw-p 00000000 00:00 0
00800000-00b9b000 rw-p 00000000 00:00 0
[heap]
...
and now the same situation, username length up to 5 characters:
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10) [ntdomain] = noop
(10) update control {
(10) &Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 64
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/inner
(10) authenticate {
(10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e
(10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e
(10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released
from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap_mschapv2: # Executing group from file /etc/freeradius/sites-
enabled/inner
(10) eap_mschapv2: authenticate {
(10) mschap: Creating challenge hash with username: test2
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username
=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} --
challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(10) mschap: EXPAND --username=%{mschap:User-Name:-None}
(10) mschap: --> --username=test2
...
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # post-auth = ok
(12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253:
1812 length 0
(12) MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739
e329efbe06bc0e1e
(12) MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b
762d516c0cc10f7f
(12) EAP-Message = 0x030c0004
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) User-Name = "test2"
(12) EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b
40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b
6241ff
(12) Finished request
But when I try radtest with username length more than 5 characters, no
problem:
----------------------------------------------------------------------------
-------------------------
radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1
SharedSecret
Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length
132
User-Name = "abcdef"
MS-CHAP-Password = "12345#W"
NAS-IP-Address = 10.255.246.120
NAS-Port = 1
Message-Authenticator = 0x00
Cleartext-Password = "12345#W"
MS-CHAP-Challenge = 0x838e90923dacd16e
MS-CHAP-Response = 0x
0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4ac
516373cd10bd09574a21bb8c
Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length
37
Than you for any help, Petr Linke
4
12
Hi
You've enabled the SQL module but that then activates the default
conditional modules, you want to comment out the SQL (well, -sql) in the
authorize etc sections and only use your unlang SQL
This may mean that you need to add SQL to the instantiate section of the
radiusd.conf main file
alan
On 5 Sep 2017 5:29 pm, "Adam Cage" <adamcage27(a)gmail.com> wrote:
Dear Alan and people, I tell you again I succeeded in authorize with LDAP
and authenticate against AD. But when I add the SQL authorization check to
the existing LDAP check, I fail. I've followed Alan's suggestion, and I did
these settings:
1- Installed the freeradius-mysql Debian package
2- Edited /etc/freeradius/sql.conf with the remote DB MySQL parameters (IP,
user, pass, DB name, port). When I start Freeradius, and I execute tcpdump,
I can see traffic to the remote DB on port 3306)
3- Uncommented $INCLUDE sql.conf in /etc/freeradius/radiusd.conf
4- Edited /etc/freeradius/sites-available/default file in this manner:
authorize {
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
"%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress =
'%{Calling-Station-Id}'}" > 0) {
update reply {
Reply-Message = "Access enabled to WiFi"
}
ok
}
else {
reject
}
}
5- Edited /etc/freeradius/sites-available/inner-tunnel file in this manner:
authorize {
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
"%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress =
'%{outer.request:Calling-Station-Id}'}" > 0) {
update reply {
Reply-Message = "Access enabled to WiFi"
}
ok
}
else {
reject
}
}
Finally, the debug is this....Can you help me please ??? Thanks!!!
# freeradius -X
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built
on Oct 24 2014 at 02:05:28
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/krb5
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.12.1.1 {
require_message_authenticator = no
secret = "xxxxx"
shortname = "WLC"
nastype = "cisco"
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?
modules {
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = ntlm_auth
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-COMPANY}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Instantiating module "ntlm_auth" from file
/etc/freeradius/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY
--username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "172.31.18.19"
port = "3306"
login = "usrFiltradoMac"
password = "xxxx"
radius_db = "filtromac"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/freeradius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 32
lifetime = 0
max_queries = 0
sql_user_name = ""
default_user_profile = ""
nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_group_check_query = ""
authorize_group_reply_query = ""
accounting_onoff_query = ""
accounting_update_query = ""
accounting_update_query_alt = ""
accounting_start_query = ""
accounting_start_query_alt = ""
accounting_stop_query = ""
accounting_stop_query_alt = ""
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = ""
postauth_query = ""
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to
usrFiltradoMac@172.31.28.79:3306/filtromac
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): starting 8
rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
rlm_sql_mysql: Starting connect to MySQL server for #8
rlm_sql (sql): Connected new DB handle, #8
rlm_sql (sql): starting 9
rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
rlm_sql_mysql: Starting connect to MySQL server for #9
rlm_sql (sql): Connected new DB handle, #9
rlm_sql (sql): starting 10
rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
rlm_sql_mysql: Starting connect to MySQL server for #10
rlm_sql (sql): Connected new DB handle, #10
rlm_sql (sql): starting 11
rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
rlm_sql_mysql: Starting connect to MySQL server for #11
rlm_sql (sql): Connected new DB handle, #11
rlm_sql (sql): starting 12
rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
rlm_sql_mysql: Starting connect to MySQL server for #12
rlm_sql (sql): Connected new DB handle, #12
rlm_sql (sql): starting 13
rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
rlm_sql_mysql: Starting connect to MySQL server for #13
rlm_sql (sql): Connected new DB handle, #13
rlm_sql (sql): starting 14
rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
rlm_sql_mysql: Starting connect to MySQL server for #14
rlm_sql (sql): Connected new DB handle, #14
rlm_sql (sql): starting 15
rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
rlm_sql_mysql: Starting connect to MySQL server for #15
rlm_sql (sql): Connected new DB handle, #15
rlm_sql (sql): starting 16
rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
rlm_sql_mysql: Starting connect to MySQL server for #16
rlm_sql (sql): Connected new DB handle, #16
rlm_sql (sql): starting 17
rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
rlm_sql_mysql: Starting connect to MySQL server for #17
rlm_sql (sql): Connected new DB handle, #17
rlm_sql (sql): starting 18
rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
rlm_sql_mysql: Starting connect to MySQL server for #18
rlm_sql (sql): Connected new DB handle, #18
rlm_sql (sql): starting 19
rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
rlm_sql_mysql: Starting connect to MySQL server for #19
rlm_sql (sql): Connected new DB handle, #19
rlm_sql (sql): starting 20
rlm_sql (sql): Attempting to connect rlm_sql_mysql #20
rlm_sql_mysql: Starting connect to MySQL server for #20
rlm_sql (sql): Connected new DB handle, #20
rlm_sql (sql): starting 21
rlm_sql (sql): Attempting to connect rlm_sql_mysql #21
rlm_sql_mysql: Starting connect to MySQL server for #21
rlm_sql (sql): Connected new DB handle, #21
rlm_sql (sql): starting 22
rlm_sql (sql): Attempting to connect rlm_sql_mysql #22
rlm_sql_mysql: Starting connect to MySQL server for #22
rlm_sql (sql): Connected new DB handle, #22
rlm_sql (sql): starting 23
rlm_sql (sql): Attempting to connect rlm_sql_mysql #23
rlm_sql_mysql: Starting connect to MySQL server for #23
rlm_sql (sql): Connected new DB handle, #23
rlm_sql (sql): starting 24
rlm_sql (sql): Attempting to connect rlm_sql_mysql #24
rlm_sql_mysql: Starting connect to MySQL server for #24
rlm_sql (sql): Connected new DB handle, #24
rlm_sql (sql): starting 25
rlm_sql (sql): Attempting to connect rlm_sql_mysql #25
rlm_sql_mysql: Starting connect to MySQL server for #25
rlm_sql (sql): Connected new DB handle, #25
rlm_sql (sql): starting 26
rlm_sql (sql): Attempting to connect rlm_sql_mysql #26
rlm_sql_mysql: Starting connect to MySQL server for #26
rlm_sql (sql): Connected new DB handle, #26
rlm_sql (sql): starting 27
rlm_sql (sql): Attempting to connect rlm_sql_mysql #27
rlm_sql_mysql: Starting connect to MySQL server for #27
rlm_sql (sql): Connected new DB handle, #27
rlm_sql (sql): starting 28
rlm_sql (sql): Attempting to connect rlm_sql_mysql #28
rlm_sql_mysql: Starting connect to MySQL server for #28
rlm_sql (sql): Connected new DB handle, #28
rlm_sql (sql): starting 29
rlm_sql (sql): Attempting to connect rlm_sql_mysql #29
rlm_sql_mysql: Starting connect to MySQL server for #29
rlm_sql (sql): Connected new DB handle, #29
rlm_sql (sql): starting 30
rlm_sql (sql): Attempting to connect rlm_sql_mysql #30
rlm_sql_mysql: Starting connect to MySQL server for #30
rlm_sql (sql): Connected new DB handle, #30
rlm_sql (sql): starting 31
rlm_sql (sql): Attempting to connect rlm_sql_mysql #31
rlm_sql_mysql: Starting connect to MySQL server for #31
rlm_sql (sql): Connected new DB handle, #31
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "ldap.company.net"
port = 636
password = "xxx"
expect_password = yes
identity = "cn=connect,ou=Company,dc=company,dc=net"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "OU=Company,DC=company,DC=net"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
chase_referrals = yes
rebind = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = no
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x10e9b30
Module: Linked to module rlm_always
Module: Instantiating module "ok" from file /etc/freeradius/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
Module: Instantiating module "reject" from file
/etc/freeradius/modules/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 51567
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.12.1.1 port 32769, id=238,
length=246
User-Name = "adam"
Calling-Station-Id = "54:27:1e:0c:0b:fc"
Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=ac1f0c620000023159aecc35"
NAS-IP-Address = 10.12.1.1
NAS-Identifier = "WLC"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = 0x0203000f0165616c6d6f6e61636964
Message-Authenticator = 0x501b12ce48af68714f1030855775ae2a
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "adam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
rlm_sql (sql): Reserving sql socket id: 30
[sql] expand: ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 30
++[sql] = fail
+} # group authorize = fail
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> adam
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 238 to 10.12.1.1 port 32769
Waking up in 4.9 seconds.
Cleaning up request 1 ID 238 with timestamp +52
Ready to process requests.
2017-09-04 10:28 GMT-03:00 Alan DeKok <aland(a)deployingradius.com>:
> On Sep 4, 2017, at 9:09 AM, Adam Cage <adamcage27(a)gmail.com> wrote:
> >
> > Dear Alan, thanks for your response....just two things for the moment:
> >
> >> You may need to install v3. Honestly, just install 3.0.15, and go with
> > that.
> >
> > Ok, but can I use my current server with version 2.2.5 in order to test
> the
> > SQL authorization or the use of version 3.x is mandatory ???
>
> It's easier with v3.
>
> >> You will need to edit raddb/sites-enabled/default, and also the
> > raddb/mods-enabled/sql
> >
> > Now I have edited default and inner-tunnel files, but you tell me to
edit
> > just default (and also sql module)...inner-tunel is not necessary???
>
> It may be. Some amount of thinking for yourself is useful, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
list/users.html
4
6
hello everyone,
have a working installation of FreeRADIUS Version 3.0.15 that "look for AD group matching" to distinguish allowed users per NAS.
shortly, having proof that it is working for many but not all workers have observed that in working case
...........
(2) } # Auth-Type ntlm_auth = ok
(2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(2) post-auth {
(2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(2) Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}:
(2) EXPAND %{User-Name}
(2) --> USER1.admin
(2) Program returned code (0) and output '.....list of 38 groups for 850 chars....... MYDOMAYN\UNIX Admins .......... and 11 more groups for 279 chars'
(2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") -> TRUE
(2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(2) update reply {
(2) Service-Type = Administrative-User
(2) Cisco-AVpair = "shell:priv-lvl=15"
(2) }
...........
while in non-working case we have
...............
(1) } # Auth-Type ntlm_auth = ok
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1) post-auth {
(1) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(1) Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}:
(1) EXPAND %{User-Name}
(1) --> USER2.admin
(1) Program returned code (0) and output '........list of 81 groups for 1115 chars...... MYDOMAIN\UNIX Admins ....... and 16 more groups for 402 chars......'
(1) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") -> FALSE
............
so, it seem that 1115 is outside some limit (I guess 1024) but am not aware IF and WHERE can I expand it.
as far as I can see (using grep -Ri 1024 *) no textfile in /usr/local/etc/raddb includes a 1024 meaningful for the case (well, src files have some more of them....); so please :
a) confirm if there is a string-length-limit in substring matching
b) if yes suggest where to interact with the system to increase it (at least twice, better 4 times the original value)
regards
Alessandro
2
3
Resending since the other one was rejected for being long. Apologies
On 5 September 2017 at 22:19, Matthew Pulis <mpulis(a)gmail.com> wrote:
> Dear all
>
> Many many thanks for your support. We are moving towards a complete
> solution :)
>
> Windows 10 works fine without the need to install a certificate. The
> certificates on the server were all expired so I renewed everything and Win
> 10 worked out of the box - no need to install anything.
>
> Windows 7 is different. I pushed ca.der to the Win 7 client. Installed it
> using cert util and double checked it via mmc.
>
> Before connecting this is the warning the network showed: The server "The
> Seminary Local Certificate Authority" presented a valid certificate issued
> by "The Seminary Local Certificate Authority", but "The Seminary Local
> Certificate Authority" is not configured as a valid trust anchor for this
> profile. Further, the server "The Seminary Local Certificate Authority" is
> not configured as a valid NPS server to connect to for this profile.
>
> It seems to be a problem with Win 7. Do you have any pointers? Should I
> enable MSCHAPv2 too? or is there something for EAP please?
>
> Should something like this work: https://documentation.
> meraki.com/MR/Encryption_and_Authentication/Enabling_EAP-TLS_in_Windows_7?
>
> Thanks a lot for your help and support!
>
> This is the full log
>
> radius@radius:~$ sudo freeradius -X
> FreeRADIUS Version 3.0.15
> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/freeradius/dictionary
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including files in directory /etc/freeradius/mods-enabled/
> including configuration file /etc/freeradius/mods-enabled/mschap
> including configuration file /etc/freeradius/mods-enabled/adldap
> including configuration file /etc/freeradius/mods-enabled/always
> including configuration file /etc/freeradius/mods-enabled/soh
> including configuration file /etc/freeradius/mods-enabled/eap
> including configuration file /etc/freeradius/mods-enabled/dynamic_clients
> including configuration file /etc/freeradius/mods-enabled/logintime
> including configuration file /etc/freeradius/mods-enabled/exec
> including configuration file /etc/freeradius/mods-enabled/realm
> including configuration file /etc/freeradius/mods-enabled/utf8
> including configuration file /etc/freeradius/mods-enabled/date
> including configuration file /etc/freeradius/mods-enabled/echo
> including configuration file /etc/freeradius/mods-enabled/unix
> including configuration file /etc/freeradius/mods-enabled/detail.log
> including configuration file /etc/freeradius/mods-enabled/expr
> including configuration file /etc/freeradius/mods-enabled/ntlm_auth
> including configuration file /etc/freeradius/mods-enabled/pap
> including configuration file /etc/freeradius/mods-enabled/ldap
> including configuration file /etc/freeradius/mods-enabled/digest
> including configuration file /etc/freeradius/mods-enabled/files
> including configuration file /etc/freeradius/mods-enabled/preprocess
> including configuration file /etc/freeradius/mods-enabled/cache_eap
> including configuration file /etc/freeradius/mods-enabled/detail
> including configuration file /etc/freeradius/mods-enabled/expiration
> including configuration file /etc/freeradius/mods-enabled/chap
> including configuration file /etc/freeradius/mods-enabled/sradutmp
> including configuration file /etc/freeradius/mods-enabled/radutmp
> including configuration file /etc/freeradius/mods-enabled/passwd
> including configuration file /etc/freeradius/mods-enabled/linelog
> including configuration file /etc/freeradius/mods-enabled/unpack
> including configuration file /etc/freeradius/mods-enabled/attr_filter
> including configuration file /etc/freeradius/mods-enabled/replicate
> including files in directory /etc/freeradius/policy.d/
> including configuration file /etc/freeradius/policy.d/filter
> including configuration file /etc/freeradius/policy.d/control
> including configuration file /etc/freeradius/policy.d/canonicalization
> including configuration file /etc/freeradius/policy.d/eap
> including configuration file /etc/freeradius/policy.d/debug
> including configuration file /etc/freeradius/policy.d/dhcp
> including configuration file /etc/freeradius/policy.d/
> moonshot-targeted-ids
> including configuration file /etc/freeradius/policy.d/accounting
> including configuration file /etc/freeradius/policy.d/abfab-tr
> including configuration file /etc/freeradius/policy.d/cui
> including configuration file /etc/freeradius/policy.d/operator-name
> including files in directory /etc/freeradius/sites-enabled/
> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
> including configuration file /etc/freeradius/sites-enabled/default
> main {
> security {
> user = "freerad"
> group = "freerad"
> allow_core_dumps = no
> }
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> }
> main {
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> libdir = "/usr/lib/freeradius"
> radacctdir = "/var/log/freeradius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> pidfile = "/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.000000
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client 192.168.100.1/24 {
> require_message_authenticator = no
> secret = <<< secret >>>
> shortname = "NAS"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client
> 192.168.100.1/24. Please fix your configuration
> Support for old-style clients will be removed in a future release
> Debugger not attached
> # Creating Auth-Type = eap
> # Creating Auth-Type = PAP
> # Creating Auth-Type = CHAP
> # Creating Auth-Type = MS-CHAP
> # Creating Auth-Type = digest
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_mschap
> # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> winbind_retry_with_normalised_username = no
> }
> # Loaded module rlm_ldap
> # Loading module "adldap" from file /etc/freeradius/mods-enabled/adldap
> ldap adldap {
> server = "localhost"
> identity = "cn=admin,dc=seminary,dc=local"
> password = <<< secret >>>
> sasl {
> }
> user {
> scope = "sub"
> access_positive = yes
> sasl {
> }
> }
> group {
> filter = "(objectClass=posixGroup)"
> scope = "sub"
> name_attribute = "cn"
> membership_attribute = "memberOf"
> cacheable_name = no
> cacheable_dn = no
> }
> client {
> filter = "(objectClass=radiusClient)"
> scope = "sub"
> base_dn = "ou=School,dc=seminary,dc=ad"
> }
> profile {
> }
> options {
> ldap_debug = 40
> chase_referrals = yes
> rebind = yes
> net_timeout = 1
> res_timeout = 10
> srv_timelimit = 3
> idle = 60
> probes = 3
> interval = 3
> }
> tls {
> start_tls = no
> }
> }
> Creating attribute adldap-LDAP-Group
> # Loaded module rlm_always
> # Loading module "reject" from file /etc/freeradius/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file /etc/freeradius/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /etc/freeradius/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file /etc/freeradius/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file /etc/freeradius/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file /etc/freeradius/mods-enabled/
> always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file /etc/freeradius/mods-enabled/
> always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file /etc/freeradius/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file /etc/freeradius/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_soh
> # Loading module "soh" from file /etc/freeradius/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loaded module rlm_eap
> # Loading module "eap" from file /etc/freeradius/mods-enabled/eap
> eap {
> default_eap_type = "ttls"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 16384
> }
> # Loaded module rlm_dynamic_clients
> # Loading module "dynamic_clients" from file
> /etc/freeradius/mods-enabled/dynamic_clients
> # Loaded module rlm_logintime
> # Loading module "logintime" from file /etc/freeradius/mods-enabled/
> logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_exec
> # Loading module "exec" from file /etc/freeradius/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_realm
> # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/
> realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_utf8
> # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
> # Loaded module rlm_date
> # Loading module "date" from file /etc/freeradius/mods-enabled/date
> date {
> format = "%b %e %Y %H:%M:%S %Z"
> utc = no
> }
> # Loading module "echo" from file /etc/freeradius/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loaded module rlm_unix
> # Loading module "unix" from file /etc/freeradius/mods-enabled/unix
> unix {
> radwtmp = "/var/log/freeradius/radwtmp"
> }
> Creating attribute Unix-Group
> # Loaded module rlm_detail
> # Loading module "auth_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail auth_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "reply_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail reply_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/
> reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail pre_proxy_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-
> proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail post_proxy_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/
> post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_expr
> # Loading module "expr" from file /etc/freeradius/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCD
> EFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇ
> ÈÉÊËÎÏÔŒÙÛÜŸ"
> }
> # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/
> ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
> --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_pap
> # Loading module "pap" from file /etc/freeradius/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loading module "ldap" from file /etc/freeradius/mods-enabled/ldap
> ldap {
> server = "localhost"
> identity = "cn=admin,dc=seminary,dc=local"
> password = <<< secret >>>
> sasl {
> }
> user {
> scope = "sub"
> access_positive = yes
> sasl {
> }
> }
> group {
> filter = "(objectClass=posixGroup)"
> scope = "sub"
> name_attribute = "cn"
> membership_attribute = "memberOf"
> cacheable_name = no
> cacheable_dn = no
> }
> client {
> filter = "(objectClass=radiusClient)"
> scope = "sub"
> base_dn = "ou=SeminaryOU,dc=seminary,dc=local"
> }
> profile {
> }
> options {
> ldap_debug = 40
> chase_referrals = yes
> rebind = yes
> net_timeout = 1
> res_timeout = 10
> srv_timelimit = 3
> idle = 60
> probes = 3
> interval = 3
> }
> tls {
> start_tls = no
> }
> }
> Creating attribute LDAP-Group
> # Loaded module rlm_digest
> # Loading module "digest" from file /etc/freeradius/mods-enabled/digest
> # Loaded module rlm_files
> # Loading module "files" from file /etc/freeradius/mods-enabled/files
> files {
> filename = "/etc/freeradius/mods-config/files/authorize"
> acctusersfile = "/etc/freeradius/mods-config/files/accounting"
> preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
> }
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file /etc/freeradius/mods-enabled/
> preprocess
> preprocess {
> huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
> hints = "/etc/freeradius/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_cache
> # Loading module "cache_eap" from file /etc/freeradius/mods-enabled/
> cache_eap
> cache cache_eap {
> driver = "rlm_cache_rbtree"
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 0
> epoch = 0
> add_stats = no
> }
> # Loading module "detail" from file /etc/freeradius/mods-enabled/detail
> detail {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_expiration
> # Loading module "expiration" from file /etc/freeradius/mods-enabled/
> expiration
> # Loaded module rlm_chap
> # Loading module "chap" from file /etc/freeradius/mods-enabled/chap
> # Loaded module rlm_radutmp
> # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/
> sradutmp
> radutmp sradutmp {
> filename = "/var/log/freeradius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loading module "radutmp" from file /etc/freeradius/mods-enabled/
> radutmp
> radutmp {
> filename = "/var/log/freeradius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_passwd
> # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/
> passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> # Loaded module rlm_linelog
> # Loading module "linelog" from file /etc/freeradius/mods-enabled/
> linelog
> linelog {
> filename = "/var/log/freeradius/linelog"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{reply:Packet-Type}:-default}"
> }
> # Loading module "log_accounting" from file /etc/freeradius/mods-enabled/
> linelog
> linelog log_accounting {
> filename = "/var/log/freeradius/linelog-accounting"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_unpack
> # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/freeradius/mods-config/
> attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/freeradius/mods-config/attr_filter/accounting_
> response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_replicate
> # Loading module "replicate" from file /etc/freeradius/mods-enabled/
> replicate
> instantiate {
> }
> # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/
> mschap
> rlm_mschap (mschap): using internal authentication
> # Instantiating module "adldap" from file /etc/freeradius/mods-enabled/
> adldap
> rlm_ldap: libldap vendor: OpenLDAP, version: 20442
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> }
> post-auth {
> reference = "."
> }
> rlm_ldap (adldap): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_ldap (adldap): Opening additional connection (0), 1 of 32 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (1), 1 of 31 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (2), 1 of 30 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (3), 1 of 29 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (4), 1 of 28 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> # Instantiating module "reject" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "fail" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "ok" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "handled" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "noop" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "updated" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> verify_depth = 0
> ca_path = "/etc/freeradius/certs"
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/server.pem"
> certificate_file = "/etc/freeradius/certs/server.pem"
> ca_file = "/etc/freeradius/certs/ca.pem"
> private_key_password = <<< secret >>>
> dh_file = "/etc/freeradius/certs/dh"
> random_file = "/dev/urandom"
> fragment_size = 1024
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> skip_if_ocsp_ok = no
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Instantiating module "logintime" from file
> /etc/freeradius/mods-enabled/logintime
> # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/
> realm
> # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/
> realm
> # Instantiating module "realmpercent" from file
> /etc/freeradius/mods-enabled/realm
> # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/
> realm
> # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/
> detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file
> /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "pre_proxy_log" from file
> /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "post_proxy_log" from file
> /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
> # Instantiating module "ldap" from file /etc/freeradius/mods-enabled/
> ldap
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> }
> post-auth {
> reference = "."
> }
> rlm_ldap (ldap): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> # Instantiating module "files" from file /etc/freeradius/mods-enabled/
> files
> reading pairlist file /etc/freeradius/mods-config/files/authorize
> reading pairlist file /etc/freeradius/mods-config/files/accounting
> reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
> # Instantiating module "preprocess" from file
> /etc/freeradius/mods-enabled/preprocess
> reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
> reading pairlist file /etc/freeradius/mods-config/preprocess/hints
> # Instantiating module "cache_eap" from file
> /etc/freeradius/mods-enabled/cache_eap
> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
> loaded and linked
> # Instantiating module "detail" from file /etc/freeradius/mods-enabled/
> detail
> # Instantiating module "expiration" from file
> /etc/freeradius/mods-enabled/expiration
> # Instantiating module "etc_passwd" from file
> /etc/freeradius/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/
> linelog
> # Instantiating module "log_accounting" from file
> /etc/freeradius/mods-enabled/linelog
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/
> attr_filter/access_reject
> [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec" found in filter list for realm
> "DEFAULT".
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/
> attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_
> response
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/freeradius/radiusd.conf
> } # server
> server inner-tunnel { # from file /etc/freeradius/sites-enabled/
> inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> } # server inner-tunnel
> server default { # from file /etc/freeradius/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Listening on proxy address * port 37387
> Listening on proxy address :: port 45616
> Ready to process requests
>
>
>
>
>
>
> TRYING TO LOG IN FROM WINDOWS 7
>
>
>
>
>
>
>
>
>
>
>
>
>
> (0) Received Access-Request Id 1 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 189
> (0) User-Name = "bchristopher848"
> (0) NAS-IP-Address = 10.0.150.19
> (0) NAS-Identifier = "802aa849d031"
> (0) NAS-Port = 0
> (0) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (0) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (0) Framed-MTU = 1400
> (0) NAS-Port-Type = Wireless-802.11
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) EAP-Message = 0x0269001401626368726973746f70686572383438
> (0) Message-Authenticator = 0x60dc6e98028e3f9af87c442e20dbd98b
> (0) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 105 length 20
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_ttls to process data
> (0) eap_ttls: Initiating new EAP-TLS session
> (0) eap_ttls: Flushing SSL sessions (of #0)
> (0) eap_ttls: [eaptls start] = request
> (0) eap: Sending EAP Request (code 1) ID 106 length 6
> (0) eap: EAP session adding &reply:State = 0xb5449406b52e8100
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) Sent Access-Challenge Id 1 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (0) EAP-Message = 0x016a00061520
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xb5449406b52e81001eb003264d869845
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 2 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (1) User-Name = "bchristopher848"
> (1) NAS-IP-Address = 10.0.150.19
> (1) NAS-Identifier = "802aa849d031"
> (1) NAS-Port = 0
> (1) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (1) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (1) Framed-MTU = 1400
> (1) NAS-Port-Type = Wireless-802.11
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) EAP-Message = 0x026a00060319
> (1) State = 0xb5449406b52e81001eb003264d869845
> (1) Message-Authenticator = 0x9229ace477f82c7e771de427669cfad1
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 106 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (1) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap: --> (cn=bchristopher848)
> (1) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
> filter "(cn=bchristopher848)", scope "sub"
> (1) ldap: Waiting for search result...
> (1) ldap: User object found at DN "cn=bchristopher848,cn=
> Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (1) ldap: Processing user attributes
> (1) ldap: control:Password-With-Header += '{ssha}o1fjrtGMqroWxrIgC8G/
> jwK8GK5BxvANe+pK7w=='
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (1) [ldap] = updated
> rlm_ldap (adldap): Reserved connection (0)
> (1) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) adldap: --> (cn=bchristopher848)
> (1) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter
> "(cn=bchristopher848)", scope "sub"
> (1) adldap: Waiting for search result...
> (1) adldap: The specified DN wasn't found
> (1) adldap: Search returned no results
> rlm_ldap (adldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (adldap): Opening additional connection (5), 1 of 27 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> (1) [adldap] = notfound
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: Converted: &control:Password-With-Header ->
> &control:SSHA1-Password
> (1) pap: Removing &control:Password-With-Header
> (1) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
> bytes
> (1) pap: WARNING: Auth-Type already set. Not setting to PAP
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xb5449406b52e8100
> (1) eap: Finished EAP session with state 0xb5449406b52e8100
> (1) eap: Previous EAP request found for state 0xb5449406b52e8100, released
> from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Found mutually acceptable type PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Initiating new EAP-TLS session
> (1) eap_peap: [eaptls start] = request
> (1) eap: Sending EAP Request (code 1) ID 107 length 6
> (1) eap: EAP session adding &reply:State = 0xb5449406b42f8d00
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found. Ignoring.
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) Sent Access-Challenge Id 2 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (1) EAP-Message = 0x016b00061920
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0xb5449406b42f8d001eb003264d869845
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 3 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 300
> (2) User-Name = "bchristopher848"
> (2) NAS-IP-Address = 10.0.150.19
> (2) NAS-Identifier = "802aa849d031"
> (2) NAS-Port = 0
> (2) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (2) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (2) Framed-MTU = 1400
> (2) NAS-Port-Type = Wireless-802.11
> (2) Connect-Info = "CONNECT 0Mbps 802.11b"
> (2) EAP-Message = 0x026b007119800000006716030100
> 620100005e030159af03804becec9c3cef8903818c79121606d4cc4552b8
> 68a83f76270fc4ef9200001cc014c013003900330035002fc00ac0090038
> 0032000a00130005000401000019000a0006000400170018000b00020100
> 00170000ff01000100
> (2) State = 0xb5449406b42f8d001eb003264d869845
> (2) Message-Authenticator = 0x03f782e6095d0d07dc5d1122f1876d00
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 107 length 113
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0xb5449406b42f8d00
> (2) eap: Finished EAP session with state 0xb5449406b42f8d00
> (2) eap: Previous EAP request found for state 0xb5449406b42f8d00, released
> from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 103 bytes
> (2) eap_peap: Got complete TLS record (103 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before/accept initialization
> (2) eap_peap: TLS_accept: before/accept initialization
> (2) eap_peap: <<< recv TLS 1.0 Handshake [length 0062], ClientHello
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0982], Certificate
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: TLS_accept: Need to read more data: unknown state
> (2) eap_peap: TLS_accept: Need to read more data: unknown state
> (2) eap_peap: In SSL Handshake Phase
> (2) eap_peap: In SSL Accept mode
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 108 length 1004
> (2) eap: EAP session adding &reply:State = 0xb5449406b7288d00
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found. Ignoring.
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) Sent Access-Challenge Id 3 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (2) EAP-Message = 0x016c03ec19c000000b3e16030100
> 5902000055030198325853d6a4ea0a8a0ddc62e8252c55dce33ce836984b
> 265c5d4a2663c775ad20a5464acc7366d8b86f656371288daf4a0e68ce7f
> 820f064ff457b9622cb4e509c01400000dff01000100000b000403000102
> 16030109820b00097e00097b000426
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0xb5449406b7288d001eb003264d869845
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 4 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (3) User-Name = "bchristopher848"
> (3) NAS-IP-Address = 10.0.150.19
> (3) NAS-Identifier = "802aa849d031"
> (3) NAS-Port = 0
> (3) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (3) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (3) Framed-MTU = 1400
> (3) NAS-Port-Type = Wireless-802.11
> (3) Connect-Info = "CONNECT 0Mbps 802.11b"
> (3) EAP-Message = 0x026c00061900
> (3) State = 0xb5449406b7288d001eb003264d869845
> (3) Message-Authenticator = 0xe754c603a90fd754f21a295dadc62814
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 108 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0xb5449406b7288d00
> (3) eap: Finished EAP session with state 0xb5449406b7288d00
> (3) eap: Previous EAP request found for state 0xb5449406b7288d00, released
> from the list
> (3) eap: Peer sent packet with method EAP PEAP (25)
> (3) eap: Calling submodule eap_peap to process data
> (3) eap_peap: Continuing EAP-TLS
> (3) eap_peap: Peer ACKed our handshake fragment
> (3) eap_peap: [eaptls verify] = request
> (3) eap_peap: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 109 length 1000
> (3) eap: EAP session adding &reply:State = 0xb5449406b6298d00
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found. Ignoring.
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) Sent Access-Challenge Id 4 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (3) EAP-Message = 0x016d03e81940380fa68fefb0adb1
> 60bf876008cdd25df7f1bb575a26398125bf6a36bcf24e3cf136422c1048
> b034887efbcce1ad27c885f67ae13c739af72b5bbff6b9f7cc41b9b006ed
> dd88d6cf5d54f66bb9884ac2f40853d3af5d741bb79faa72df0324c58d44
> 8bd2c5583caee59c318907018948f4
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0xb5449406b6298d001eb003264d869845
> (3) Finished request
> Waking up in 4.9 seconds.
> (4) Received Access-Request Id 5 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (4) User-Name = "bchristopher848"
> (4) NAS-IP-Address = 10.0.150.19
> (4) NAS-Identifier = "802aa849d031"
> (4) NAS-Port = 0
> (4) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (4) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (4) Framed-MTU = 1400
> (4) NAS-Port-Type = Wireless-802.11
> (4) Connect-Info = "CONNECT 0Mbps 802.11b"
> (4) EAP-Message = 0x026d00061900
> (4) State = 0xb5449406b6298d001eb003264d869845
> (4) Message-Authenticator = 0x1308f82dd9c153d060e2d3f92f0e47c9
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 109 length 6
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0xb5449406b6298d00
> (4) eap: Finished EAP session with state 0xb5449406b6298d00
> (4) eap: Previous EAP request found for state 0xb5449406b6298d00, released
> from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer ACKed our handshake fragment
> (4) eap_peap: [eaptls verify] = request
> (4) eap_peap: [eaptls process] = handled
> (4) eap: Sending EAP Request (code 1) ID 110 length 896
> (4) eap: EAP session adding &reply:State = 0xb5449406b12a8d00
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found. Ignoring.
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) Sent Access-Challenge Id 5 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (4) EAP-Message = 0x016e038019003081b5310b300906
> 0355040613024d543111300f06035504080c0849722d5261626174311230
> 1006035504070c0954616c2d566972747531223020060355040a0c195468
> 652041726368626973686f70732053656d696e6172792e3128302606092a
> 864886f70d0109011619746563686e
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0xb5449406b12a8d001eb003264d869845
> (4) Finished request
> Waking up in 4.9 seconds.
> (5) Received Access-Request Id 6 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 331
> (5) User-Name = "bchristopher848"
> (5) NAS-IP-Address = 10.0.150.19
> (5) NAS-Identifier = "802aa849d031"
> (5) NAS-Port = 0
> (5) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (5) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (5) Framed-MTU = 1400
> (5) NAS-Port-Type = Wireless-802.11
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) EAP-Message = 0x026e009019800000008616030100
> 46100000424104f8835ccc6647e01b6ec2e669280021622082e4c4d31a30
> ed462cac3b447792cb9763fb1c6f5547b7650c9216b8a36641f100200f17
> d1246ba46fc9eb9cef2cbf140301000101160301003036330cfdd1b9bd52
> 1432d38a6be17cb4205d318a83802a
> (5) State = 0xb5449406b12a8d001eb003264d869845
> (5) Message-Authenticator = 0x7e43591038f26410ddbfc952608bf3e1
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 110 length 144
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0xb5449406b12a8d00
> (5) eap: Finished EAP session with state 0xb5449406b12a8d00
> (5) eap: Previous EAP request found for state 0xb5449406b12a8d00, released
> from the list
> (5) eap: Peer sent packet with method EAP PEAP (25)
> (5) eap: Calling submodule eap_peap to process data
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
> (5) eap_peap: Got complete TLS record (134 bytes)
> (5) eap_peap: [eaptls verify] = length included
> (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: (other): SSL negotiation finished successfully
> (5) eap_peap: SSL Connection Established
> (5) eap_peap: [eaptls process] = handled
> (5) eap: Sending EAP Request (code 1) ID 111 length 65
> (5) eap: EAP session adding &reply:State = 0xb5449406b02b8d00
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found. Ignoring.
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) Sent Access-Challenge Id 6 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (5) EAP-Message = 0x016f004119001403010001011603
> 01003094086787833117af433bc1c929281ae2f5f7cd6692f7cc59d0a0bf
> 65c818294d2b79cc16f11ac9f86e10a67a7fdb1a6b
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0xb5449406b02b8d001eb003264d869845
> (5) Finished request
> Waking up in 4.9 seconds.
> (6) Received Access-Request Id 7 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (6) User-Name = "bchristopher848"
> (6) NAS-IP-Address = 10.0.150.19
> (6) NAS-Identifier = "802aa849d031"
> (6) NAS-Port = 0
> (6) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (6) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (6) Framed-MTU = 1400
> (6) NAS-Port-Type = Wireless-802.11
> (6) Connect-Info = "CONNECT 0Mbps 802.11b"
> (6) EAP-Message = 0x026f00061900
> (6) State = 0xb5449406b02b8d001eb003264d869845
> (6) Message-Authenticator = 0x89f89025177c0801e5cd47b689bb35ec
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /(a)\./) {
> (6) if (&User-Name =~ /(a)\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 111 length 6
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0xb5449406b02b8d00
> (6) eap: Finished EAP session with state 0xb5449406b02b8d00
> (6) eap: Previous EAP request found for state 0xb5449406b02b8d00, released
> from the list
> (6) eap: Peer sent packet with method EAP PEAP (25)
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: Continuing EAP-TLS
> (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
> (6) eap_peap: [eaptls verify] = success
> (6) eap_peap: [eaptls process] = success
> (6) eap_peap: Session established. Decoding tunneled attributes
> (6) eap_peap: PEAP state TUNNEL ESTABLISHED
> (6) eap: Sending EAP Request (code 1) ID 112 length 43
> (6) eap: EAP session adding &reply:State = 0xb5449406b3348d00
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found. Ignoring.
> (6) # Executing group from file /etc/freeradius/sites-enabled/default
> (6) Sent Access-Challenge Id 7 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (6) EAP-Message = 0x0170002b1900170301002091eabc
> 824030fa0d118d08413389ff5a78d63a9561aa4704edb36913865e9641
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0xb5449406b3348d001eb003264d869845
> (6) Finished request
> Waking up in 2.6 seconds.
> (7) Received Access-Request Id 8 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 246
> (7) User-Name = "bchristopher848"
> (7) NAS-IP-Address = 10.0.150.19
> (7) NAS-Identifier = "802aa849d031"
> (7) NAS-Port = 0
> (7) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (7) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (7) Framed-MTU = 1400
> (7) NAS-Port-Type = Wireless-802.11
> (7) Connect-Info = "CONNECT 0Mbps 802.11b"
> (7) EAP-Message = 0x0270003b19001703010030c8fbf0
> 015e3e5a875a826ccd41cd45b083183d0fbf452e6e4ccdc2b10c2d758557
> f2bf2ba865abb148620ece26115524
> (7) State = 0xb5449406b3348d001eb003264d869845
> (7) Message-Authenticator = 0x0ec21e66dd7cd4e0a4858c79afabd736
> (7) session-state: No cached attributes
> (7) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 112 length 59
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0xb5449406b3348d00
> (7) eap: Finished EAP session with state 0xb5449406b3348d00
> (7) eap: Previous EAP request found for state 0xb5449406b3348d00, released
> from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established. Decoding tunneled attributes
> (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (7) eap_peap: Identity - bchristopher848
> (7) eap_peap: Got inner identity 'bchristopher848'
> (7) eap_peap: Setting default EAP type for tunneled EAP session
> (7) eap_peap: Got tunneled request
> (7) eap_peap: EAP-Message = 0x0270001401626368726973746f70686572383438
> (7) eap_peap: Setting User-Name to bchristopher848
> (7) eap_peap: Sending tunneled request to inner-tunnel
> (7) eap_peap: EAP-Message = 0x0270001401626368726973746f70686572383438
> (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_peap: User-Name = "bchristopher848"
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message = 0x0270001401626368726973746f70686572383438
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = "bchristopher848"
> (7) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (7) server inner-tunnel {
> (7) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 112 length 20
> (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/sites-enabled/
> inner-tunnel
> (7) authenticate {
> (7) eap: Peer sent packet with method EAP Identity (1)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: Issuing Challenge
> (7) eap: Sending EAP Request (code 1) ID 113 length 43
> (7) eap: EAP session adding &reply:State = 0x38f91b6e38880129
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) EAP-Message = 0x0171002b1a01710026100f1b0f77
> 8f0e5ff10d130bcde3f0a1f0667265657261646975732d332e302e3135
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x38f91b6e38880129b3a6b459c0f91610
> (7) eap_peap: Got tunneled reply code 11
> (7) eap_peap: EAP-Message = 0x0171002b1a01710026100f1b0f77
> 8f0e5ff10d130bcde3f0a1f0667265657261646975732d332e302e3135
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x38f91b6e38880129b3a6b459c0f91610
> (7) eap_peap: Got tunneled reply RADIUS code 11
> (7) eap_peap: EAP-Message = 0x0171002b1a01710026100f1b0f77
> 8f0e5ff10d130bcde3f0a1f0667265657261646975732d332e302e3135
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x38f91b6e38880129b3a6b459c0f91610
> (7) eap_peap: Got tunneled Access-Challenge
> (7) eap: Sending EAP Request (code 1) ID 113 length 75
> (7) eap: EAP session adding &reply:State = 0xb5449406b2358d00
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) Post-Auth-Type sub-section not found. Ignoring.
> (7) # Executing group from file /etc/freeradius/sites-enabled/default
> (7) Sent Access-Challenge Id 8 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (7) EAP-Message = 0x0171004b190017030100403a39fb
> 1bbb95a5bdae36dec7bbaf48cd6d67436cc6fa144c66482d9a55dee6efc1
> 22c2ae145e37423201a0becee44924132e0e197859e4e437513ae27427e3a6
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xb5449406b2358d001eb003264d869845
> (7) Finished request
> Waking up in 2.6 seconds.
> (8) Received Access-Request Id 9 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 294
> (8) User-Name = "bchristopher848"
> (8) NAS-IP-Address = 10.0.150.19
> (8) NAS-Identifier = "802aa849d031"
> (8) NAS-Port = 0
> (8) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (8) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (8) Framed-MTU = 1400
> (8) NAS-Port-Type = Wireless-802.11
> (8) Connect-Info = "CONNECT 0Mbps 802.11b"
> (8) EAP-Message = 0x0271006b19001703010060dc68da
> 606888205a8249468c13811c37cc426f2ad4ed4ed80b369f946ab0e0029d
> 069f9b903b244d4822ebf72b429433c990dcfef3af28b8871c7653e7c286
> d1c4ad435ad1812458eaec44dc637bf173969928be0946944de2762170de365dc0
> (8) State = 0xb5449406b2358d001eb003264d869845
> (8) Message-Authenticator = 0xf489ba028df4298dc612460d97cc98ee
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 113 length 107
> (8) eap: Continuing tunnel setup
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/sites-enabled/default
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0x38f91b6e38880129
> (8) eap: Finished EAP session with state 0xb5449406b2358d00
> (8) eap: Previous EAP request found for state 0xb5449406b2358d00, released
> from the list
> (8) eap: Peer sent packet with method EAP PEAP (25)
> (8) eap: Calling submodule eap_peap to process data
> (8) eap_peap: Continuing EAP-TLS
> (8) eap_peap: [eaptls verify] = ok
> (8) eap_peap: Done initial handshake
> (8) eap_peap: [eaptls process] = ok
> (8) eap_peap: Session established. Decoding tunneled attributes
> (8) eap_peap: PEAP state phase2
> (8) eap_peap: EAP method MSCHAPv2 (26)
> (8) eap_peap: Got tunneled request
> (8) eap_peap: EAP-Message = 0x0271004a1a027100453136aadef2
> a35125429a547478d2433260000000000000000026bd920d94eca847c70d
> 9775f4afe71538b455e9932097c600626368726973746f70686572383438
> (8) eap_peap: Setting User-Name to bchristopher848
> (8) eap_peap: Sending tunneled request to inner-tunnel
> (8) eap_peap: EAP-Message = 0x0271004a1a027100453136aadef2
> a35125429a547478d2433260000000000000000026bd920d94eca847c70d
> 9775f4afe71538b455e9932097c600626368726973746f70686572383438
> (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_peap: User-Name = "bchristopher848"
> (8) eap_peap: State = 0x38f91b6e38880129b3a6b459c0f91610
> (8) Virtual server inner-tunnel received request
> (8) EAP-Message = 0x0271004a1a027100453136aadef2
> a35125429a547478d2433260000000000000000026bd920d94eca847c70d
> 9775f4afe71538b455e9932097c600626368726973746f70686572383438
> (8) FreeRADIUS-Proxied-To = 127.0.0.1
> (8) User-Name = "bchristopher848"
> (8) State = 0x38f91b6e38880129b3a6b459c0f91610
> (8) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (8) server inner-tunnel {
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) &Proxy-To-Realm := LOCAL
> (8) } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 113 length 74
> (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> rlm_ldap (ldap): Reserved connection (1)
> (8) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap: --> (cn=bchristopher848)
> (8) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
> filter "(cn=bchristopher848)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: User object found at DN "cn=bchristopher848,cn=
> Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (8) ldap: Processing user attributes
> (8) ldap: control:Password-With-Header += '{ssha}o1fjrtGMqroWxrIgC8G/
> jwK8GK5BxvANe+pK7w=='
> rlm_ldap (ldap): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (8) [ldap] = updated
> rlm_ldap (adldap): Reserved connection (1)
> (8) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) adldap: --> (cn=bchristopher848)
> (8) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter
> "(cn=bchristopher848)", scope "sub"
> (8) adldap: Waiting for search result...
> (8) adldap: The specified DN wasn't found
> (8) adldap: Search returned no results
> rlm_ldap (adldap): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_ldap (adldap): Opening additional connection (6), 1 of 26 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> (8) [adldap] = notfound
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) pap: Converted: &control:Password-With-Header ->
> &control:SSHA1-Password
> (8) pap: Removing &control:Password-With-Header
> (8) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
> bytes
> (8) pap: WARNING: Auth-Type already set. Not setting to PAP
> (8) [pap] = noop
> (8) } # authorize = updated
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/sites-enabled/
> inner-tunnel
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0x38f91b6e38880129
> (8) eap: Finished EAP session with state 0x38f91b6e38880129
> (8) eap: Previous EAP request found for state 0x38f91b6e38880129, released
> from the list
> (8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (8) eap: Calling submodule eap_mschapv2 to process data
> (8) eap_mschapv2: # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) eap_mschapv2: Auth-Type MS-CHAP {
> (8) mschap: WARNING: No Cleartext-Password configured. Cannot create
> NT-Password
> (8) mschap: WARNING: No Cleartext-Password configured. Cannot create
> LM-Password
> (8) mschap: Creating challenge hash with username: bchristopher848
> (8) mschap: Client is using MS-CHAPv2
> (8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
> authentication
> (8) mschap: ERROR: MS-CHAP2-Response is incorrect
> (8) [mschap] = reject
> (8) } # Auth-Type MS-CHAP = reject
> (8) eap: Sending EAP Failure (code 4) ID 113 length 4
> (8) eap: Freeing handler
> (8) [eap] = reject
> (8) } # authenticate = reject
> (8) Failed to authenticate the user
> (8) Using Post-Auth-Type Reject
> (8) # Executing group from file /etc/freeradius/sites-enabled/
> inner-tunnel
> (8) Post-Auth-Type REJECT {
> (8) attr_filter.access_reject: EXPAND %{User-Name}
> (8) attr_filter.access_reject: --> bchristopher848
> (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (8) [attr_filter.access_reject] = updated
> (8) update outer.session-state {
> (8) &Module-Failure-Message := &request:Module-Failure-Message ->
> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
> (8) } # update outer.session-state = noop
> (8) } # Post-Auth-Type REJECT = updated
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8) MS-CHAP-Error = "qE=691 R=1 C=523d66a28c934a7937a449415ae8f8ad V=3
> M=Authentication failed"
> (8) EAP-Message = 0x04710004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply code 3
> (8) eap_peap: MS-CHAP-Error = "qE=691 R=1 C=
> 523d66a28c934a7937a449415ae8f8ad V=3 M=Authentication failed"
> (8) eap_peap: EAP-Message = 0x04710004
> (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply RADIUS code 3
> (8) eap_peap: MS-CHAP-Error = "qE=691 R=1 C=
> 523d66a28c934a7937a449415ae8f8ad V=3 M=Authentication failed"
> (8) eap_peap: EAP-Message = 0x04710004
> (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Tunneled authentication was rejected
> (8) eap_peap: FAILURE
> (8) eap: Sending EAP Request (code 1) ID 114 length 43
> (8) eap: EAP session adding &reply:State = 0xb5449406bd368d00
> (8) [eap] = handled
> (8) } # authenticate = handled
> (8) Using Post-Auth-Type Challenge
> (8) Post-Auth-Type sub-section not found. Ignoring.
> (8) # Executing group from file /etc/freeradius/sites-enabled/default
> (8) session-state: Saving cached attributes
> (8) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.
> Cannot perform authentication"
> (8) Sent Access-Challenge Id 9 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (8) EAP-Message = 0x0172002b190017030100207447ef
> 7e889f505a2467ece5e23e6132aabd5ae2a2b62f44232ce0581e567dc8
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) State = 0xb5449406bd368d001eb003264d869845
> (8) Finished request
> Waking up in 2.6 seconds.
> (9) Received Access-Request Id 10 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 230
> (9) User-Name = "bchristopher848"
> (9) NAS-IP-Address = 10.0.150.19
> (9) NAS-Identifier = "802aa849d031"
> (9) NAS-Port = 0
> (9) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (9) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (9) Framed-MTU = 1400
> (9) NAS-Port-Type = Wireless-802.11
> (9) Connect-Info = "CONNECT 0Mbps 802.11b"
> (9) EAP-Message = 0x0272002b19001703010020c6855d
> 5f0630c6486963b3a872b1ce4479a9d9748bb1a8d28a488183707339de
> (9) State = 0xb5449406bd368d001eb003264d869845
> (9) Message-Authenticator = 0xe32f0f6506920ee010991cab23cdc592
> (9) Restoring &session-state
> (9) &session-state:Module-Failure-Message := "mschap: FAILED: No
> NT/LM-Password. Cannot perform authentication"
> (9) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (9) authorize {
> (9) policy filter_username {
> (9) if (&User-Name) {
> (9) if (&User-Name) -> TRUE
> (9) if (&User-Name) {
> (9) if (&User-Name =~ /@[^@]*@/ ) {
> (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (9) if (&User-Name =~ /\.\./ ) {
> (9) if (&User-Name =~ /\.\./ ) -> FALSE
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (9) if (&User-Name =~ /\.$/) {
> (9) if (&User-Name =~ /\.$/) -> FALSE
> (9) if (&User-Name =~ /(a)\./) {
> (9) if (&User-Name =~ /(a)\./) -> FALSE
> (9) } # if (&User-Name) = notfound
> (9) } # policy filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9) [suffix] = noop
> (9) eap: Peer sent EAP Response (code 2) ID 114 length 43
> (9) eap: Continuing tunnel setup
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = eap
> (9) # Executing group from file /etc/freeradius/sites-enabled/default
> (9) authenticate {
> (9) eap: Expiring EAP session with state 0xb5449406bd368d00
> (9) eap: Finished EAP session with state 0xb5449406bd368d00
> (9) eap: Previous EAP request found for state 0xb5449406bd368d00, released
> from the list
> (9) eap: Peer sent packet with method EAP PEAP (25)
> (9) eap: Calling submodule eap_peap to process data
> (9) eap_peap: Continuing EAP-TLS
> (9) eap_peap: [eaptls verify] = ok
> (9) eap_peap: Done initial handshake
> (9) eap_peap: [eaptls process] = ok
> (9) eap_peap: Session established. Decoding tunneled attributes
> (9) eap_peap: PEAP state send tlv failure
> (9) eap_peap: Received EAP-TLV response
> (9) eap_peap: ERROR: The users session was previously rejected:
> returning reject (again.)
> (9) eap_peap: This means you need to read the PREVIOUS messages in the
> debug output
> (9) eap_peap: to find out the reason why the user was rejected
> (9) eap_peap: Look for "reject" or "fail". Those earlier messages will
> tell you
> (9) eap_peap: what went wrong, and how to fix the problem
> (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
> failed
> (9) eap: Sending EAP Failure (code 4) ID 114 length 4
> (9) eap: Failed in EAP select
> (9) [eap] = invalid
> (9) } # authenticate = invalid
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/freeradius/sites-enabled/default
> (9) Post-Auth-Type REJECT {
> (9) attr_filter.access_reject: EXPAND %{User-Name}
> (9) attr_filter.access_reject: --> bchristopher848
> (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (9) [attr_filter.access_reject] = updated
> (9) [eap] = noop
> (9) policy remove_reply_message_if_eap {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (9) else {
> (9) [noop] = noop
> (9) } # else = noop
> (9) } # policy remove_reply_message_if_eap = noop
> (9) } # Post-Auth-Type REJECT = updated
> (9) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (9) Sending delayed response
> (9) Sent Access-Reject Id 10 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 44
> (9) EAP-Message = 0x04720004
> (9) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.6 seconds.
> (0) Cleaning up request packet ID 1 with timestamp +30
> (1) Cleaning up request packet ID 2 with timestamp +30
> (2) Cleaning up request packet ID 3 with timestamp +30
> (3) Cleaning up request packet ID 4 with timestamp +30
> (4) Cleaning up request packet ID 5 with timestamp +30
> (5) Cleaning up request packet ID 6 with timestamp +30
> Waking up in 2.2 seconds.
> (6) Cleaning up request packet ID 7 with timestamp +32
> (7) Cleaning up request packet ID 8 with timestamp +32
> (8) Cleaning up request packet ID 9 with timestamp +32
> (9) Cleaning up request packet ID 10 with timestamp +32
> Ready to process requests
> (10) Received Accounting-Request Id 1 from 192.168.100.115:52712 to
> 192.168.100.201:1813 length 90
> (10) Acct-Status-Type = Accounting-Off
> (10) Acct-Authentic = RADIUS
> (10) NAS-IP-Address = 10.0.148.205
> (10) NAS-Identifier = "802aa849cbcc"
> (10) Called-Station-Id = "80-2A-A8-4A-CB-CC:SeminaryWiFi"
> (10) Acct-Terminate-Cause = NAS-Reboot
> (10) # Executing section preacct from file /etc/freeradius/sites-enabled/
> default
> (10) preacct {
> (10) [preprocess] = ok
> (10) policy acct_unique {
> (10) update request {
> (10) &Tmp-String-9 := "ai:"
> (10) } # update request = noop
> (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
> (10) EXPAND %{hex:&Class}
> (10) -->
> (10) EXPAND ^%{hex:&Tmp-String-9}
> (10) --> ^61693a
> (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
> (10) else {
> (10) update request {
> (10) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-
> Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
> (10) --> 3fbd256e7d3667dda249cdebb204aa6c
> (10) &Acct-Unique-Session-Id := 3fbd256e7d3667dda249cdebb204aa6c
> (10) } # update request = noop
> (10) } # else = noop
> (10) } # policy acct_unique = noop
> (10) [suffix] = noop
> (10) [files] = noop
> (10) } # preacct = ok
> (10) # Executing section accounting from file
> /etc/freeradius/sites-enabled/default
> (10) accounting {
> (10) detail: EXPAND /var/log/freeradius/radacct/%{
> %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> (10) detail: --> /var/log/freeradius/radacct/19
> 2.168.100.115/detail-20170905
> (10) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to
> /var/log/freeradius/radacct/192.168.100.115/detail-20170905
> (10) detail: EXPAND %t
> (10) detail: --> Tue Sep 5 22:05:39 2017
> (10) [detail] = ok
> (10) [unix] = noop
> (10) [exec] = noop
> (10) attr_filter.accounting_response: EXPAND %{User-Name}
> (10) attr_filter.accounting_response: -->
> (10) [attr_filter.accounting_response] = noop
> (10) } # accounting = ok
> (10) Sent Accounting-Response Id 1 from 192.168.100.201:1813 to
> 192.168.100.115:52712 length 0
> (10) Finished request
> (10) Cleaning up request packet ID 1 with timestamp +44
> Ready to process requests
> (11) Received Accounting-Request Id 1 from 192.168.100.115:41826 to
> 192.168.100.201:1813 length 90
> (11) Acct-Status-Type = Accounting-Off
> (11) Acct-Authentic = RADIUS
> (11) NAS-IP-Address = 10.0.148.205
> (11) NAS-Identifier = "802aa849cbcc"
> (11) Called-Station-Id = "82-2A-A8-4B-CB-CC:SeminaryWiFi"
> (11) Acct-Terminate-Cause = NAS-Reboot
> (11) # Executing section preacct from file /etc/freeradius/sites-enabled/
> default
> (11) preacct {
> (11) [preprocess] = ok
> (11) policy acct_unique {
> (11) update request {
> (11) &Tmp-String-9 := "ai:"
> (11) } # update request = noop
> (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
> (11) EXPAND %{hex:&Class}
> (11) -->
> (11) EXPAND ^%{hex:&Tmp-String-9}
> (11) --> ^61693a
> (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
> (11) else {
> (11) update request {
> (11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-
> Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
> (11) --> 3fbd256e7d3667dda249cdebb204aa6c
> (11) &Acct-Unique-Session-Id := 3fbd256e7d3667dda249cdebb204aa6c
> (11) } # update request = noop
> (11) } # else = noop
> (11) } # policy acct_unique = noop
> (11) [suffix] = noop
> (11) [files] = noop
> (11) } # preacct = ok
> (11) # Executing section accounting from file
> /etc/freeradius/sites-enabled/default
> (11) accounting {
> (11) detail: EXPAND /var/log/freeradius/radacct/%{
> %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> (11) detail: --> /var/log/freeradius/radacct/19
> 2.168.100.115/detail-20170905
> (11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to
> /var/log/freeradius/radacct/192.168.100.115/detail-20170905
> (11) detail: EXPAND %t
> (11) detail: --> Tue Sep 5 22:05:40 2017
> (11) [detail] = ok
> (11) [unix] = noop
> (11) [exec] = noop
> (11) attr_filter.accounting_response: EXPAND %{User-Name}
> (11) attr_filter.accounting_response: -->
> (11) [attr_filter.accounting_response] = noop
> (11) } # accounting = ok
> (11) Sent Accounting-Response Id 1 from 192.168.100.201:1813 to
> 192.168.100.115:41826 length 0
> (11) Finished request
> (11) Cleaning up request packet ID 1 with timestamp +45
> Ready to process requests
>
>
>
>
>
> Matthew Pulis
> mobile / WhatsApp: +356 79539404 <+356%207953%209404>
>
>
>
2
3
Hi
How do I enable/disable different modules like exec modules, ldap module in freeeadius3 ?
Is it in default file ?
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
2
2
Hi,
I am facing random issue while free radius generate cdr.
Sep 6 05:29:38 OS2 /usr/local/sbin/opensips[21470]: rc_send_server:
recvfrom: 127.0.0.1:1813: reply is too short
Sep 6 05:29:38 OS2 /usr/local/sbin/opensips[21470]:
ERROR:aaa_radius:resume_send_acct: radius authentication message failed
with ERROR
It will be appreciable if any help.
Thank you.
--
Regards,
Suresh Talasaniya.
Software Developer.
Ecosmob Technologies Pvt. Ltd.
Contact : +91-9724264776
Skype : suresh.ecosmob
2
1
People, good morning...I have a Freeradius with AD authentication and LDAP
authorization working OK.
Now I have to authorize users that belong to GROUP1 and have SSID = Free, I
have these definitions:
- GROUP1 is a group defined in the AD
- SSID comes with Called-Station-Id in the form MAC Address:SSID, for
example "51:bc:11:e1:34:70:Free", and it's not defined i the AD
- The clause defined in default and inner-tunnel files is:
if (LDAP-Group == "GROUP1" && Called-Station-Id == "*:Free") {
update reply {
Reply-Message = "Hello %{User-Name}: Access
allowed"
}
ok
}
else {
reject
After testing, I fail and this is the debug:
Wed Aug 23 09:34:58 2017 : Debug: rlm_ldap::ldap_groupcmp: User found in
group GROUP1
Wed Aug 23 09:34:58 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (LDAP-Group == "GROUP1" ) ->
TRUE
Wed Aug 23 09:34:58 2017 : Info: (Attribute Called-Station-Id was not
found)
Wed Aug 23 09:34:58 2017 : Info: ? Evaluating (Called-Station-Id ==
"*:Free") -> FALSE
Wed Aug 23 09:34:58 2017 : Info: ++? if (LDAP-Group == "GROUP1" &&
Called-Station-Id == "*:Free") -> FALSE
Wed Aug 23 09:34:58 2017 : Info: ++else else {
Wed Aug 23 09:34:58 2017 : Info: +++[reject] = reject
Wed Aug 23 09:34:58 2017 : Info: ++} # else else = reject
Wed Aug 23 09:34:58 2017 : Info: +} # group authorize = reject
Wed Aug 23 09:34:58 2017 : Info: Using Post-Auth-Type REJECT
Wed Aug 23 09:34:58 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Wed Aug 23 09:34:58 2017 : Info: +group REJECT {
Can you help me please?
Thanks in advance.
ADAM
4
14
Have you taken the default config and modified it as required or just
copied the old config from old server (you can't do that for a migration to
3.x) . I'm not doing any further guesswork so provide config file rather
than terse few lines of output
alan
On 4 Sep 2017 11:57 pm, "Bhagwat, Shrikant" <shrbhagw(a)med.umich.edu> wrote:
migrate-idmauth-preprod08:/etc/raddb/mods-enabled # radiusd -X
radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built on
Dec 19 2016 at 11:19
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/ldap
No such configuration item ..base_dn
/etc/raddb/mods-enabled/ldap[157]: Reference "${..base_dn}" not found
Errors reading or parsing /etc/raddb/radiusd.conf
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+shrbhagw=med.umich.
edu(a)lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, September 04, 2017 6:45 PM
To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
Subject: Re: Enable LDAP Module in Free Radius 3.0
dont care about your old config.
the server clearly shows that no ldap module is being read in the
mods-enabled directory - ensure you put a symlink to mods-available/ldap in
there...
then, you should see is load up and no more "Ignoring "ldap" (see
raddb/mods-available/README.rst)" errors...
alan
On 4 September 2017 at 22:13, Bhagwat, Shrikant <shrbhagw(a)med.umich.edu>
wrote:
> Hi
>
> No sure whether LDAP Module is enabled. My Radius Server supposed to
> connect to LDAP Server
>
> Below is my config freeradius 1.0
> # Lightweight Directory Access Protocol (LDAP)
> #
> # This module definition allows you to use LDAP for
> # authorization and authentication (Auth-Type := LDAP)
> #
> # See doc/rlm_ldap for description of configuration options
> # and sample authorize{} and authenticate{} blocks
> ldap ldapmed {
> server = "ldap.company.com"
> port = 636
> # defualt identity is anonymous
> identity = "cn=radius,o=services"
> password = XXXXX
> basedn = "dc=XXX,dc=XXXX"
> filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=
radiusprofile))"
> # base_filter = "(objectclass=radiusprofile)"
>
> # app config
> logFILEname = "/var/log/radius/mycompany.log"
>
> # level-1 config
> level-1_server = "ldap.company.com"
> level-1_basedn = "ou=xxx,dc=xxx,dc=xxxx"
> level-1_kdc = "xxxxx"
>
> start_tls = no
>
>
>
> radiusd -X
> radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu,
> built on Dec 19 2016 at 11:19 Copyright (C) 1999-2014 The FreeRADIUS
> server project and contributors There is NO warranty; not even for
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may
> redistribute copies of FreeRADIUS under the terms of the GNU General
> Public License For more information about these matters, see the file
> named COPYRIGHT Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary including
> dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/raddb/dictionary including
> configuration file /etc/raddb/radiusd.conf including configuration
> file /etc/raddb/proxy.conf including configuration file
> /etc/raddb/clients.conf including files in directory
> /etc/raddb/mods-enabled/ including configuration file
> /etc/raddb/mods-enabled/linelog including configuration file
> /etc/raddb/mods-enabled/expr including configuration file
> /etc/raddb/mods-enabled/expiration
> including configuration file /etc/raddb/mods-enabled/unix including
> configuration file /etc/raddb/mods-enabled/always including
> configuration file /etc/raddb/mods-enabled/exec including
> configuration file /etc/raddb/mods-enabled/sradutmp including
> configuration file /etc/raddb/mods-enabled/radutmp including
> configuration file /etc/raddb/mods-enabled/eap including configuration
> file /etc/raddb/mods-enabled/echo including configuration file
> /etc/raddb/mods-enabled/soh including configuration file
> /etc/raddb/mods-enabled/dhcp including configuration file
> /etc/raddb/mods-enabled/cache_eap including configuration file
> /etc/raddb/mods-enabled/mschap including configuration file
> /etc/raddb/mods-enabled/chap including configuration file
> /etc/raddb/mods-enabled/realm including configuration file
> /etc/raddb/mods-enabled/passwd including configuration file
> /etc/raddb/mods-enabled/digest including configuration file
> /etc/raddb/mods-enabled/preprocess
> including configuration file /etc/raddb/mods-enabled/logintime
> including configuration file /etc/raddb/mods-enabled/replicate
> including configuration file /etc/raddb/mods-enabled/detail including
> configuration file /etc/raddb/mods-enabled/ntlm_auth including
> configuration file /etc/raddb/mods-enabled/dynamic_clients
> including configuration file /etc/raddb/mods-enabled/utf8 including
> configuration file /etc/raddb/mods-enabled/detail.log
> including configuration file /etc/raddb/mods-enabled/files including
> configuration file /etc/raddb/mods-enabled/unpack including
> configuration file /etc/raddb/mods-enabled/attr_filter
> including configuration file /etc/raddb/mods-enabled/pap including
> files in directory /etc/raddb/policy.d/ including configuration file
> /etc/raddb/policy.d/eap including configuration file
> /etc/raddb/policy.d/dhcp including configuration file
> /etc/raddb/policy.d/control including configuration file
> /etc/raddb/policy.d/cui including configuration file
> /etc/raddb/policy.d/filter including configuration file
> /etc/raddb/policy.d/canonicalization
> including configuration file /etc/raddb/policy.d/accounting including
> configuration file /etc/raddb/policy.d/operator-name including files
> in directory /etc/raddb/sites-enabled/ including configuration file
> /etc/raddb/sites-enabled/default including configuration file
> /etc/raddb/sites-enabled/inner-tunnel
> main {
> security {
> allow_core_dumps = no
> }
> }
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> allow_vulnerable_openssl = "no"
> }
> }
> radiusd: #### Loading Realms and Home Servers #### proxy server {
> retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120
> wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1
> port = 1812 type = "auth"
> secret = <<< secret >>>
> response_window = 20
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> radiusd: #### Instantiating modules #### instantiate { } modules {
> # Loaded module rlm_linelog
> # Instantiating module "linelog" from file /etc/raddb/mods-enabled/
linelog
> linelog {
> filename = "/var/log/radius/linelog"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{Packet-Type}:-default}"
> }
> # Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/var/log/radius/linelog-accounting"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_expr
> # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCD
EFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> }
> # Loaded module rlm_expiration
> # Instantiating module "expiration" from file /etc/raddb/mods-enabled/
expiration
> # Loaded module rlm_unix
> # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
> unix {
> radwtmp = "/var/log/radius/radwtmp"
> }
> # Loaded module rlm_always
> # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "handled" from file
/etc/raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "invalid" from file
/etc/raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "userlock" from file
/etc/raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "notfound" from file
/etc/raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "updated" from file
/etc/raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_exec
> # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_radutmp
> # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/
sradutmp
> radutmp sradutmp {
> filename = "/var/log/radius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/
radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_eap
> # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> mod_accounting_username_bug = no
> max_sessions = 1024
> }
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> ca_path = "/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/etc/raddb/certs/server.pem"
> certificate_file = "/etc/raddb/certs/server.pem"
> ca_file = "/etc/raddb/certs/ca.pem"
> private_key_password = <<< secret >>>
> dh_file = "/etc/raddb/certs/dh"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = yes
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_method = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loaded module rlm_soh
> # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loaded module rlm_dhcp
> # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
> # Loaded module rlm_cache
> # Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
> cache cache_eap {
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 16384
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_mschap
> # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> }
> # Loaded module rlm_chap
> # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
> # Loaded module rlm_realm
> # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "ntdomain" from file
/etc/raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_passwd
> # Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Loaded module rlm_digest
> # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
> # Loaded module rlm_preprocess
> # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/
preprocess
> preprocess {
> huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
> hints = "/etc/raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /etc/raddb/mods-config/preprocess/hints
> # Loaded module rlm_logintime
> # Instantiating module "logintime" from file /etc/raddb/mods-enabled/
logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_replicate
> # Instantiating module "replicate" from file /etc/raddb/mods-enabled/
replicate
> # Loaded module rlm_detail
> # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
> detail {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_dynamic_clients
> # Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_utf8
> # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
> # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/
detail.log
> detail auth_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
> # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/
detail.log
> detail reply_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
> detail pre_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Loaded module rlm_files
> # Instantiating module "files" from file /etc/raddb/mods-enabled/files
> files {
> filename = "/etc/raddb/mods-config/files/authorize"
> usersfile = "/etc/raddb/mods-config/files/authorize"
> acctusersfile = "/etc/raddb/mods-config/files/accounting"
> preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
> compat = "cistron"
> }
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks
for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks
for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/accounting
> reading pairlist file /etc/raddb/mods-config/files/pre-proxy
> # Loaded module rlm_unpack
> # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
> # Loaded module rlm_attr_filter
> # Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_
filter/accounting_response
> # Loaded module rlm_pap
> # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> } # modules
> radiusd: #### Loading Virtual Servers #### server { # from file
> /etc/raddb/radiusd.conf } # server server default { # from file
> /etc/raddb/sites-enabled/default # Creating Auth-Type = digest #
> Loading authenticate {...} # Loading authorize {...} Ignoring "sql"
> (see raddb/mods-available/README.rst) Ignoring "ldap" (see
> raddb/mods-available/README.rst) # Loading preacct {...} # Loading
> accounting {...} # Loading post-proxy {...} # Loading post-auth {...}
> } # server default server inner-tunnel { # from file
> /etc/raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports #### listen {
> type = "auth"
> ipaddr = 10.30.23.214
> port = 1812
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = 10.30.23.214
> port = 1813
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> Listening on auth address 10.30.23.214 port 1812 as server default
> Listening on acct address 10.30.23.214 port 1813 as server default
> Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
> Opening new proxy socket 'proxy address * port 0'
> Listening on proxy address * port 37421 Ready to process requests.
>
>
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should
> not be used for urgent or sensitive issues
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
list/users.html
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be
used for urgent or sensitive issues
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
list/users.html
3
3