Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2018
- 80 participants
- 85 discussions
Hello
I'm working on a management panel for multiple use. In the query. conf
file, I made changes to the queries for the tenant_id arm. But it gives
error in the Acct table. I get a syntax error. Please help me.
I want to do it; Print the tenant_id number that I created in the NAS table
to the TENANT_ID table in the Acct table... as a condition, reellipaddr =%
{Nas-IP-Address}
Thanks
Received Accounting-Request Id 130 from 192.168.7.1:24103 to
192.168.7.237:1813 length 164
NAS-IP-Address = 192.168.22.188
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'emrah'
Acct-Status-Type = Start
Acct-Authentic = RADIUS
NAS-IP-Address = 192.168.22.188
NAS-Identifier = 'pfSense.localdomain'
NAS-Port-Type = Ethernet
NAS-Port = 2012
Acct-Session-Id = '27e89601da582df5'
Framed-IP-Address = 192.168.7.237
Called-Station-Id = '192.168.22.188'
Calling-Station-Id = '08-00-27-78-09-cd'
(65) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(65) preacct {
(65) [preprocess] = ok
(65) acct_unique acct_unique {
(65) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i)
(65) EXPAND %{string:Class}
(65) -->
(65) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(65) else else {
(65) update request {
(65) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(65) --> 35096e6b3a3e563444ee6e26cf7ced1f
(65) Acct-Unique-Session-Id := '"35096e6b3a3e563444ee6e26cf7ced1f"'
(65) } # update request = noop
(65) } # else else = noop
(65) } # acct_unique acct_unique = noop
(65) suffix : No '@' in User-Name = "emrah", looking up realm NULL
(65) suffix : No such realm "NULL"
(65) [suffix] = noop
(65) [files] = noop
(65) } # preacct = ok
(65) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(65) accounting {
(65) detail : EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(65) detail : --> /var/log/freeradius/radacct/192.168.7.1/detail-20180320
(65) detail :
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.7.1/detail-20180320
(65) detail : EXPAND %t
(65) detail : --> Tue Mar 20 17:53:35 2018
(65) [detail] = ok
(65) [unix] = ok
(65) sql : EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(65) sql : --> type.start.query
(65) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (42)
(65) sql : EXPAND %{User-Name}
(65) sql : --> emrah
(65) sql : SQL-User-Name set to 'emrah'
(65) sql : EXPAND INSERT INTO rad_accts (tenant_id, acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES (SELECT nas.tenant_id FROM nas WHERE nas.realipaddr
= '%{NAS-IP-Address}', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(65) sql : --> INSERT INTO rad_accts (tenant_id, acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES (SELECT nas.tenant_id FROM nas WHERE nas.realipaddr
= '192.168.22.188', '27e89601da582df5', '35096e6b3a3e563444ee6e26cf7ced1f',
'emrah', '', '192.168.22.188', '2012', 'Ethernet',
FROM_UNIXTIME(1521561215), FROM_UNIXTIME(1521561215), NULL, '0', 'RADIUS',
'', '', '0', '0', '192.168.22.188', '08-00-27-78-09-cd', '', '', '',
'192.168.7.237')
rlm_sql (sql): Executing query: 'INSERT INTO rad_accts (tenant_id,
acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctupdatetime, acctstoptime,
acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES (SELECT nas.tenant_id FROM nas WHERE nas.realipaddr
= '192.168.22.188', '27e89601da582df5', '35096e6b3a3e563444ee6e26cf7ced1f',
'emrah', '', '192.168.22.188', '2012', 'Ethernet',
FROM_UNIXTIME(1521561215), FROM_UNIXTIME(1521561215), NULL, '0', 'RADIUS',
'', '', '0', '0', '192.168.22.188', '08-00-27-78-09-cd', '', '', '',
'192.168.7.237')'
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
'SELECT nas.tenant_id FROM nas WHERE nas.realipaddr = '192.168.22.188',
'27e89601' at line 1
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql_mysql: Cannot store result
rlm_sql_mysql: MySQL error 'You have an error in your SQL syntax; check the
manual that corresponds to your MariaDB server version for the right syntax
to use near 'SELECT nas.tenant_id FROM nas WHERE nas.realipaddr =
'192.168.22.188', '27e89601' at line 1'
(65) sql : Trying next query...
(65) sql : EXPAND UPDATE rad_accts SET acctstarttime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctupdatetime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'
(65) sql : --> UPDATE rad_accts SET acctstarttime =
FROM_UNIXTIME(1521561215), acctupdatetime = FROM_UNIXTIME(1521561215),
connectinfo_start = '' WHERE acctsessionid = '27e89601da582df5' AND username =
'emrah' AND nasipaddress = '192.168.22.188'
rlm_sql (sql): Executing query: 'UPDATE rad_accts SET acctstarttime =
FROM_UNIXTIME(1521561215), acctupdatetime = FROM_UNIXTIME(1521561215),
connectinfo_start = '' WHERE acctsessionid = '27e89601da582df5' AND username =
'emrah' AND nasipaddress = '192.168.22.188''
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
(65) sql : No records updated
(65) sql : No additional queries configured
rlm_sql (sql): Released connection (42)
rlm_sql (sql): Opening additional connection (43)
rlm_sql_mysql: Starting connect to MySQL server
(65) [sql] = noop
(65) [exec] = noop
(65) attr_filter.accounting_response : EXPAND %{User-Name}
(65) attr_filter.accounting_response : --> emrah
(65) attr_filter.accounting_response : Matched entry DEFAULT at line 12
(65) [attr_filter.accounting_response] = updated
(65) } # accounting = updated
Sending Accounting-Response Id 130 from 192.168.7.237:1813 to
192.168.7.1:24103
(65) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 175 from 192.168.7.1:47006 to 192.168.7.237:1812
length 131
NAS-IP-Address = 192.168.22.188
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'emrah'
User-Password = '123'
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2012
Framed-IP-Address = 192.168.7.237
Called-Station-Id = '192.168.22.188'
Calling-Station-Id = '08-00-27-78-09-cd'
(66) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(66) authorize {
(66) filter_username filter_username {
(66) if (User-Name != "%{tolower:%{User-Name}}")
(66) EXPAND %{tolower:%{User-Name}}
(66) --> emrah
(66) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(66) if (User-Name =~ / /)
(66) if (User-Name =~ / /) -> FALSE
(66) if (User-Name =~ /@.*@/ )
(66) if (User-Name =~ /@.*@/ ) -> FALSE
(66) if (User-Name =~ /\\.\\./ )
(66) if (User-Name =~ /\\.\\./ ) -> FALSE
(66) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(66) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(66) if (User-Name =~ /\\.$/)
(66) if (User-Name =~ /\\.$/) -> FALSE
(66) if (User-Name =~ /(a)\\./)
(66) if (User-Name =~ /(a)\\./) -> FALSE
(66) } # filter_username filter_username = notfound
(66) [preprocess] = ok
(66) [chap] = noop
(66) [mschap] = noop
(66) [digest] = noop
(66) suffix : No '@' in User-Name = "emrah", looking up realm NULL
(66) suffix : No such realm "NULL"
(66) [suffix] = noop
(66) eap : No EAP-Message, not doing EAP
(66) [eap] = noop
(66) sql : EXPAND %{User-Name}
(66) sql : --> emrah
(66) sql : SQL-User-Name set to 'emrah'
rlm_sql (sql): Reserved connection (43)
(66) sql : EXPAND SELECT rad_checks.id, rad_checks.username,
rad_checks.attribu, rad_checks.value, rad_checks.op, rad_checks.tenant_id,
nas.realipaddr FROM rad_checks INNER JOIN nas ON username =
'%{SQL-User-Name}' AND nas.realipaddr = '%{NAS-IP-Address}' ORDER BY id
(66) sql : --> SELECT rad_checks.id, rad_checks.username,
rad_checks.attribu, rad_checks.value, rad_checks.op, rad_checks.tenant_id,
nas.realipaddr FROM rad_checks INNER JOIN nas ON username = 'emrah' AND
nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_checks.id, rad_checks.username,
rad_checks.attribu, rad_checks.value, rad_checks.op, rad_checks.tenant_id,
nas.realipaddr FROM rad_checks INNER JOIN nas ON username = 'emrah' AND
nas.realipaddr = '192.168.22.188' ORDER BY id'
(66) sql : User found in radcheck table
(66) sql : Check items matched
(66) sql : EXPAND SELECT rad_replies.id, rad_replies.username,
rad_replies.attribu, rad_replies.value, rad_replies.op,
rad_replies.tenant_id, nas.realipaddr FROM rad_replies INNER JOIN nas ON
username = '%{SQL-User-Name}' AND nas.realipaddr = '%{NAS-IP-Address}'
ORDER BY id
(66) sql : --> SELECT rad_replies.id, rad_replies.username,
rad_replies.attribu, rad_replies.value, rad_replies.op,
rad_replies.tenant_id, nas.realipaddr FROM rad_replies INNER JOIN nas ON
username = 'emrah' AND nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_replies.id,
rad_replies.username, rad_replies.attribu, rad_replies.value,
rad_replies.op, rad_replies.tenant_id, nas.realipaddr FROM rad_replies
INNER JOIN nas ON username = 'emrah' AND nas.realipaddr = '192.168.22.188'
ORDER BY id'
(66) sql : EXPAND SELECT rad_user_groups.groupname, nas.realipaddr FROM
rad_user_groups INNER JOIN nas ON username = '%{SQL-User-Name}' AND
nas.realipaddr = '%{NAS-IP-Address}' ORDER BY priority
(66) sql : --> SELECT rad_user_groups.groupname, nas.realipaddr FROM
rad_user_groups INNER JOIN nas ON username = 'emrah' AND nas.realipaddr =
'192.168.22.188' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT rad_user_groups.groupname,
nas.realipaddr FROM rad_user_groups INNER JOIN nas ON username = 'emrah'
AND nas.realipaddr = '192.168.22.188' ORDER BY priority'
(66) sql : User found in the group table
(66) sql : EXPAND SELECT rad_group_checks.id, rad_group_checks.groupname,
rad_group_checks.attribu, rad_group_checks.Value, rad_group_checks.op,
nas.realipaddr FROM rad_group_checks INNER JOIN nas ON groupname =
'%{Sql-Group}' AND nas.realipaddr = '%{NAS-IP-Address}' ORDER BY id
(66) sql : --> SELECT rad_group_checks.id, rad_group_checks.groupname,
rad_group_checks.attribu, rad_group_checks.Value, rad_group_checks.op,
nas.realipaddr FROM rad_group_checks INNER JOIN nas ON groupname = 'tes'
AND nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_group_checks.id,
rad_group_checks.groupname, rad_group_checks.attribu,
rad_group_checks.Value, rad_group_checks.op, nas.realipaddr FROM
rad_group_checks INNER JOIN nas ON groupname = 'tes' AND nas.realipaddr =
'192.168.22.188' ORDER BY id'
(66) sql : Group "tes" check items matched
(66) sql : EXPAND SELECT rad_group_replies.id, rad_group_replies.groupname,
rad_group_replies.attribu, rad_group_replies.Value, rad_group_replies.op,
nas.realipaddr FROM rad_group_replies INNER JOIN nas ON groupname =
'%{Sql-Group}' AND nas.realipaddr = '%{NAS-IP-Address}' ORDER BY id
(66) sql : --> SELECT rad_group_replies.id, rad_group_replies.groupname,
rad_group_replies.attribu, rad_group_replies.Value, rad_group_replies.op,
nas.realipaddr FROM rad_group_replies INNER JOIN nas ON groupname = 'tes'
AND nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_group_replies.id,
rad_group_replies.groupname, rad_group_replies.attribu,
rad_group_replies.Value, rad_group_replies.op, nas.realipaddr FROM
rad_group_replies INNER JOIN nas ON groupname = 'tes' AND nas.realipaddr =
'192.168.22.188' ORDER BY id'
(66) sql : Group "tes" reply items processed
rlm_sql (sql): Released connection (43)
(66) [sql] = ok
(66) [expiration] = noop
(66) [logintime] = noop
(66) WARNING: dailycounter : Couldn't find control attribute
'control:Max-Daily-Session'
(66) [dailycounter] = noop
(66) WARNING: noresetcounter : Couldn't find control attribute
'control:Max-All-Session'
(66) [noresetcounter] = noop
(66) WARNING: monthlycounter : Couldn't find control attribute
'control:Max-Monthly-Session'
(66) [monthlycounter] = noop
(66) WARNING: expire_on_login : Couldn't find control attribute
'control:Expire-After'
(66) [expire_on_login] = noop
(66) [pap] = updated
(66) } # authorize = updated
(66) Found Auth-Type = PAP
(66) # Executing group from file /etc/freeradius/sites-enabled/default
(66) Auth-Type PAP {
(66) pap : Login attempt with password
(66) pap : User authenticated successfully
(66) [pap] = ok
(66) } # Auth-Type PAP = ok
(66) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(66) post-auth {
(66) sql : EXPAND .query
(66) sql : --> .query
(66) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (43)
(66) sql : EXPAND %{User-Name}
(66) sql : --> emrah
(66) sql : SQL-User-Name set to 'emrah'
(66) sql : EXPAND INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(66) sql : --> INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( 'emrah', '123', 'Access-Accept', '2018-03-20 17:53:35')
rlm_sql (sql): Executing query: 'INSERT INTO rad_post_auths (username,
pass, reply, authdate) VALUES ( 'emrah', '123', 'Access-Accept',
'2018-03-20 17:53:35')'
rlm_sql (sql): Released connection (43)
(66) [sql] = ok
(66) [exec] = noop
(66) remove_reply_message_if_eap remove_reply_message_if_eap {
(66) if (reply:EAP-Message && reply:Reply-Message)
(66) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(66) else else {
(66) [noop] = noop
(66) } # else else = noop
(66) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(66) } # post-auth = ok
Sending Access-Accept Id 175 from 192.168.7.237:1812 to 192.168.7.1:47006
WISPr-Bandwidth-Max-Down = 10485760
(66) Finished request
Waking up in 0.2 seconds.
(65) Cleaning up request packet ID 130 with timestamp +1262
Waking up in 4.7 seconds.
(66) Cleaning up request packet ID 175 with timestamp +1262
3
13
Hi Team.
I am trying to Implement FreeRadius via EAP-TTLS (pap - ldap)
I have looked the guides and have been reading up on this for a week. My instance uses FreeIPA LDAP. (SSHA512)
below is the output.
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:27:21
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client localhost {
ipaddr = 10.0.2.2
require_message_authenticator = no
secret = "hell0swarm"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "gtc"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "ipa.sandbox.local"
port = 389
password = "Southgate1"
expect_password = yes
identity = "cn=Directory Manager"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "cn=users,cn=accounts,dc=sandbox,dc=local"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x15d7850
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 35045
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=42, length=163
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029b000b01726164697573
Message-Authenticator = 0x0f1f7c927f6db37977b667e7510a354f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 155 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: cn=users,cn=accounts,dc=sandbox,dc=local -> cn=users,cn=accounts,dc=sandbox,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ipa.sandbox.local:389, authentication 0
[ldap] bind as cn=Directory Manager/Southgate1 to ipa.sandbox.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in cn=users,cn=accounts,dc=sandbox,dc=local, with filter (uid=radius)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA512}ySH+q7QCAIgZTd2xIXSLPsrej/rAUViTnWiw0Zl7N5CE/lWl0Miuh4LaPJnYhAzmwlYce8PF4fi3CcuqJNEOxnkUPcVgbkri"
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Found unknown header {{SSHA512}}: Not doing anything
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 42 to 10.0.2.2 port 34310
EAP-Message = 0x019c00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860ea4727adc5a25aedf2dd369
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=43, length=331
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029c00a115800000009716030100920100008e03035ab2477bedbb703081c1b65a23d01a19d04db4011e48b2ef5d064a9bd6aa54d200002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
State = 0x0e3867860ea4727adc5a25aedf2dd369
Message-Authenticator = 0xeca2aaff8bd094193c66de7b01faa0c4
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 156 length 161
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 151
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0092]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02dc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 43 to 10.0.2.2 port 34310
EAP-Message = 0x019d040015c00000047a1603030039020000350303f7f6fee4c943e8e4f7547e9299f37d933ab09c1b567045c797d1ba015ce5112f00c03000000dff01000100000b00040300010216030302dc0b0002d80002d50002d2308202ce308201b6a003020102020900fd39d198e112ad9f300d06092a864886f70d01010b0500301f311d301b06035504030c147261646975732e73616e64626f782e6c6f63616c301e170d3138303332313130323332375a170d3238303331383130323332375a301f311d301b06035504030c147261646975732e73616e64626f782e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a02
EAP-Message = 0x82010100ce219bada0c8b6f1a48bc90d496e523570118a889e95f36b136b1e91d50cf8cca976dbf51620dd656261e70466437dc581ec9d99330da2fb1f7047ac458fc0b7779ebbadb572e977668a64c5f709cad94a6a7a6372b45f2c30ac5c290b47787c06e444513161142ac0eb82b0f4e6fab14a382ff1f1cec9d3f46f3a0736e3b8baf9645e89e9886f321631d33ae09c4a1c34af1339fb3bc63ec68eaba9c2bdeb84712f72f328b9174181f3dc9dedd31b64fe72f2082b2ff2101c4e31de36a40d2625317d6670e903035ae405dbaf92933a775f91ce604ad3cf02461fba04881028d94bad652ba648ae199682957f755d11e0bd783851ac6d57ac
EAP-Message = 0x1d13851623b1310203010001a30d300b30090603551d1304023000300d06092a864886f70d01010b05000382010100413ba9e7b8cf26856d848f6a672c3a5dd94c518f684e574fa24f984a004bfcb25b38424341bfe32ac2d091461e194c68a95062236e1ff49b6960146fd872ecefbeae7be43ea5741dea66b535bfdf1b490f71b6b50cc60eaa3e7245f53247b8914fc42a6b2cf42bdfb266ceaf1b3aaa3e851e0e957907b05cbb28ffce88a575ecf8a7846fe645aca916c1c834ebdb26459a7db573d753187baec11f1d6292aac1f369c81c32c9d423d3a440a5303d59615d76cbd74bc300723740de6636835af4341e6023e70f01f04aa03efe6b93
EAP-Message = 0x37d95c5c24c6e75e36e51200314ff603ee4b653d4ff543cfe5e30f688a7b819ee930ddc87fcc801ac1c5cbde2ce24082d34d160303014d0c0001490300174104cd053d5984e96d3d36e72944e2887edf4a012023ffad7d5e90601656a795b6ae9746916786f4df5d89ec9618e5e0b6a0003cbb9b902f526c9a14032dd77f076d0401010097f9597eccd4db59362def5618431b862e55a7878bca6b157702e2e3658eabb5e4508eb983469b522ad9e7a922e3aeae82315df9ac3a38b42eed0ee05a3bc3a4a13708dec33575318363aed88506bf498fcf61e569d90148294dfdbc55e46d0f9362f61afc52bcf86128da341fa3046024f51c04f8ecaba072
EAP-Message = 0x90f02c1a99bfba1cb78a047c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860fa5727adc5a25aedf2dd369
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=44, length=176
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029d00061500
State = 0x0e3867860fa5727adc5a25aedf2dd369
Message-Authenticator = 0xf20af72004f37da09929c90d0125548a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 157 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 44 to 10.0.2.2 port 34310
EAP-Message = 0x019e008e15800000047a518b5554214bfa9f8acaefa8bf7b2021038e2f019bd21bc6788acb04f936090b30c4b8d99c6d6dc2c40766289107b4be86de1e03e0a7c8d8433c1735a44da6afbd8526b0d09e6c785023c4d5e95386561705a58df52c5b5a7f5da1d74d430c358475d017ab31aa18b691aecd91c82aad7b9fb1b4d997ff06d911f516030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860ca6727adc5a25aedf2dd369
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=45, length=306
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029e008815800000007e160303004610000042410499f7272fd2b18dd745f5369bc0f61dc19dc4db7e52c37c20fc03b230b3906079a5c78f17176611bff6bebd2c4e84f9b77dcf81d4eaaea4f88299bf9cd47720fd1403030001011603030028d029786083d7f81dfe2d89690a000c3c22bfed6672ad9c284b31fae24755486b1026858e2a163ceb
State = 0x0e3867860ca6727adc5a25aedf2dd369
Message-Authenticator = 0xd2090eacf30fa9bd347d218d065db656
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 158 length 136
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 126
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 45 to 10.0.2.2 port 34310
EAP-Message = 0x019f003d1580000000331403030001011603030028ab9c5933cc6f2f6115097fb866282b2177bebf872b2e0f3cb430c69ba9f9282469c7068aa3ba81f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860da7727adc5a25aedf2dd369
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=46, length=229
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029f003b158000000031170303002cd029786083d7f81ecf4475d575195eeb919015526f00fce51126275ebbe66123da22086d458a9a761cb51a79
State = 0x0e3867860da7727adc5a25aedf2dd369
Message-Authenticator = 0x15221c3c47eb0a82ef58202885172586
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 159 length 59
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 49
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0200000b01726164697573
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of radius
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x0200000b01726164697573
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radius"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: cn=users,cn=accounts,dc=sandbox,dc=local -> cn=users,cn=accounts,dc=sandbox,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,cn=accounts,dc=sandbox,dc=local, with filter (uid=radius)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA512}ySH+q7QCAIgZTd2xIXSLPsrej/rAUViTnWiw0Zl7N5CE/lWl0Miuh4LaPJnYhAzmwlYce8PF4fi3CcuqJNEOxnkUPcVgbkri"
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Found unknown header {{SSHA512}}: Not doing anything
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type gtc
[gtc] expand: Password: -> Password:
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Challenge
EAP-Message = 0x0101000f0650617373776f72643a20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7fbf16057fbe1015c9f0c4b7558f94c7
[ttls] Got tunneled Access-Challenge
[ttls] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 46 to 10.0.2.2 port 34310
EAP-Message = 0x01a0003f1580000000351703030030ab9c5933cc6f2f6233fa3e2a6e868a32624fc2ea7b76083ba13b79a2baabe2a705c21d12807f04a6607f426555d86086
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860a98727adc5a25aedf2dd369
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=47, length=233
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02a0003f1580000000351703030030d029786083d7f81f1a470fcec80f928f731047396fe56e8497caeedc114efea5c4d4fbc8c8d2277f51e7d3d98699963b
State = 0x0e3867860a98727adc5a25aedf2dd369
Message-Authenticator = 0x368acb4d6e489fb6ae7b47a9153c8723
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 160 length 63
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 53
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x020100100650617373776f7264313233
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x020100100650617373776f7264313233
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radius"
State = 0x7fbf16057fbe1015c9f0c4b7558f94c7
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 1 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: cn=users,cn=accounts,dc=sandbox,dc=local -> cn=users,cn=accounts,dc=sandbox,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,cn=accounts,dc=sandbox,dc=local, with filter (uid=radius)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA512}ySH+q7QCAIgZTd2xIXSLPsrej/rAUViTnWiw0Zl7N5CE/lWl0Miuh4LaPJnYhAzmwlYce8PF4fi3CcuqJNEOxnkUPcVgbkri"
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Found unknown header {{SSHA512}}: Not doing anything
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[gtc] +group PAP {
[pap] login attempt with password "Password123"
[pap] No password configured for the user. Cannot do authentication
++[pap] = fail
+} # group PAP = fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Reject
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user radius
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 47 to 10.0.2.2 port 34310
EAP-Message = 0x04a00004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 42 with timestamp +21
Cleaning up request 1 ID 43 with timestamp +21
Cleaning up request 2 ID 44 with timestamp +21
Cleaning up request 3 ID 45 with timestamp +21
Cleaning up request 4 ID 46 with timestamp +21
Waking up in 1.0 seconds.
Cleaning up request 5 ID 47 with timestamp +21
Ready to process requests.
Mitch.Sullivan
mitch.sullivan(a)swarm64.com
IT administrator | Swarm64 AS
Swarm64 AS Zweigstelle Hive
Ullsteinstr. 114 | 12109 Berlin | Germany
3
2
I cant start EAP on FreeRADIUS v4
My config is
eap {
default_eap_type = peap
ignore_unknown_eap_types = yes
md5 {
}
tls-config tls-common {
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
}
verify {
}
}
tls {
tls = tls-common
}
ttls {
tls = tls-common
}
peap {
tls = tls-common
default_eap_type = mschapv2
}
mschapv2 {
identity = "UNA"
}
}
Freeradus shows it as
Loaded module "rlm_eap"
eap gheap {
default_eap_type = peap
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
}
/opt/freeradius/etc/raddb/mods-enabled/eap[1]: No EAP method configured, module cannot do anything
/opt/freeradius/etc/raddb/mods-enabled/eap[1]: Bootstrap failed for module "gheap"
It does not see methods in config
--
Best regards, Aleksandr Stepanov.
5
18
Hello everybody,
Since my searches didn't work, I would have liked to know if it was possible to couple @mac authentication with the 802.1x protocol to assign dynamic vlan with freeradius?
if so, would you have any research leads for freeradius version 3.0?
Thank you in advance,
2
3
It's possibile to enable autentication with Freeradius server using
MACADDRESS (username) and password (textmode) ?
I've try this:
0014853077be Cleartext-Password := "passwordtest"
Tunnel-Private-Group-ID := 3
Using MACADDRESS for "password" it works fine, but I dont know how to
set password on client (Mac/Linux/windows)
Thanks
Paolo
3
2
Dear team Freeradius,
We're testing the new Freeradius 3.0.16 server software for assigning
static IP's, this works perfectly using the Radius protocol, though we have
an IP flow coming in our production network where clients are using DHCP.
We would like to use Freeradius because we can setup just one server which
will deal with all the assignments so we can use just one MYSQL data table
and doesn't need to restart any services when changes are made.
I've seen a guide for setting this up:
https://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation
But it's referring to Freeradius 2.2.0, I would like to know if there is
any information available to do the same with Freeradius 3.0.16.
*Met vriendelijke groet, kind regards,*
*Wessel de Schrijver*
*Technisch Beheerder - **Technical Engineer*
<https://secure.helpscout.net/mailbox/24be88c0645281b5/new-ticket/170166/www…>
2
3
Radius crashing with "Failed adding event handler for socket: Too many readers"
by Campbell McKenzie 20 Mar '18
by Campbell McKenzie 20 Mar '18
20 Mar '18
Hello,
I'm running Free Radius 3.0.13 on Redhat 7 and the about once or 10 times a day the service will "crash" (Exit with error code 1) with the error message "Failed adding event handler for socket: Too many readers".
The only messages prior to Radius crashing are:
Mar 19 21:37:34 radius1.acme.com radiusd[11344]: ... adding new socket proxy address 202.AA.BB.CC port 57158
Mar 19 21:37:34 radius1.acme.com radiusd[11344]: ... adding new socket proxy address 202.AA.BB.CC port 57158
Mar 19 21:37:34 radius1.acme.com radiusd[11344]:Failed adding event handler for socket: Too many readers
Then systemd picks up the failure:
Mar 19 21:37:34 radius1.acme.com systemd:radiusd.service: main process exited, code=exited, status=1/FAILURE
Mar 19 21:37:34 radius1.acme.com systemd:Unit radiusd.service entered failed state.
Mar 19 21:37:34 radius1.acme.com systemd:radiusd.service failed.
Our configuration consists of about 157 home_servers and about 276 clients and two upstream proxies.
The problem is that the program isn't leaving behind core dumps, I don't know how to / can't actually reproduce the issue, I can't leave the server running in debug mode as it is handling upto 1500-3000 requests per minute (every minute) and finally it doesn't crash everyday, but it does some days - sometimes upto 10x a day.
Probably the only major difference is that we use 'src_ipaddr' directive throughout the whole configuration. This is because all packets are present via an Anycast interface (and obviously we need to reply to the packets from the same IP address).
The issue seems to be similar to: http://lists.freeradius.org/pipermail/freeradius-users/2015-July/078835.html and GitHub issue: https://github.com/FreeRADIUS/freeradius-server/issues/1155 - But these issues got patched in August 2015...
I have attached an obfuscated (and truncated) radius debug log. I had to truncate it because it would be 9000 lines before the first request is handled.
Any assistance anyone can provide would be appreciated.
Thanks
Cam.
Radius Debug:
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/eduroam-nrads.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/status
including configuration file /etc/raddb/sites-enabled/auth-reject
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 120
cleanup_delay = 8
max_requests = 65536
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server eau-tlrs1 {
ipaddr = 158.FF.EE.RR
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "202.AA.BB.CC"
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server eau-tlrs2 {
ipaddr = 202.DD.XX.ZZ
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "202.AA.BB.CC"
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server customer-1 {
ipaddr = 178.CC.TT.YY
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "202.AA.BB.CC"
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
-------- 8< ---------------- 8< ---------------- 8< SNIP
home_server conf-1 {
ipaddr = 113.EE.KK.FF
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "202.AA.BB.CC"
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server nwtest-1 {
ipaddr = 202.RR.YY.XX
port = 1812
type = "auth+acct"
secret = <<< secret >>>
src_ipaddr = "202.AA.BB.CC"
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server auth-reject {
virtual_server = "auth-reject"
port = 0
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm LOCAL {
}
home_server_pool auth-reject_pool {
home_server = auth-reject
}
realm NULL {
auth_pool = auth-reject_pool
}
home_server_pool eau-tlrs_authacct {
type = fail-over
home_server = eau-tlrs2
home_server = eau-tlrs1
}
realm DEFAULT {
pool = eau-tlrs_authacct
nostrip
}
-------- 8< ---------------- 8< ---------------- 8< SNIP
}
realm ~\.3gppnetwork\.org$ {
auth_pool = auth-reject_pool
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 202.WW.KK.PP {
ipaddr = 202.WW.KK.PP
require_message_authenticator = no
secret = <<< secret >>>
shortname = "test-cbr-a-ext1-2"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 202.AA.BB.CC {
ipaddr = 202.AA.BB.CC
require_message_authenticator = no
secret = <<< secret >>>
shortname = "eduroam-1.acme.com"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
-------- 8< ---------------- 8< ---------------- 8< ---------------- SNIP
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = Status-Server
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 65536
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server status { # from file /etc/raddb/sites-enabled/status
# Loading authorize {...}
} # server status
server auth-reject { # from file /etc/raddb/sites-enabled/auth-reject
# Loading authorize {...}
} # server auth-reject
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18120
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on status address 127.0.0.1 port 18120 bound to server status
Listening on proxy address * port 52254
Listening on proxy address :: port 47996
Ready to process requests
(0) Received Access-Request Id 6 from 131.X.Y.Z:1814 to 202.AA.BB.CC:1812 length 294
2
1
EAP-TNC support or any other method to enforce some security policies on client?
by Bogdan Rudas 19 Mar '18
by Bogdan Rudas 19 Mar '18
19 Mar '18
Hello all!
I've found couple of discussions regarding implementation of EAP-TNC in
FreeRADIUS (in 2008 and 2013) as well as some core here:
https://github.com/trustathsh/tnc-fhh
What is a current status of EAP-TNC? Is is integrated into FreeRADIUS? If
so, how can I configure it?
I guess that built-in TNC was abandoned.
Are there any 3rd-party products (probably propriertary) which can extend
my FreeRADIUS deployment with security compliance checks?
I'd like to enforce specific antivirus software for some platforms,
password and screen saver policies mostly for BYOD devices.
Thank you.
--
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: brudas(a)exadel.com
Skype ID: bogdan.rudas
--
CONFIDENTIALITY NOTICE: This email and files attached to it are
confidential. If you are not the intended recipient you are hereby notified
that using, copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited. If you have received
this email in error please notify the sender and delete this email.
4
8
Enabling core dumps for ASSERT FAILED src/main/detail.c[545]: data->vps == NULL
by Vikash Badal (IS) 19 Mar '18
by Vikash Badal (IS) 19 Mar '18
19 Mar '18
Greetings
Please advise as to what i've done wrong, im trying to get a core dump for an
ASSERT FAILED src/main/detail.c[545]: data->vps == NULL
logs show:
Mar 16 23:24:50 gsm-radius-cellc1 radiusd[36300]: ASSERT FAILED
src/main/detail.c[545]: data->vps == NULL
Mar 16 23:24:50 gsm-radius-cellc1 radiusd[36690]: Changing value of PR_DUMPABLE
not supported on this system
Mar 16 23:24:50 gsm-radius-cellc1 radiusd[36690]: Core dumps are enabled
--
Mar 16 23:31:34 gsm-radius-cellc1 radiusd[36690]: ASSERT FAILED
src/main/detail.c[545]: data->vps == NULL
Mar 16 23:31:34 gsm-radius-cellc1 radiusd[37453]: Changing value of PR_DUMPABLE
not supported on this system
Mar 16 23:31:34 gsm-radius-cellc1 radiusd[37453]: Core dumps are enabled
in radius.conf i have:
panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee
${logdir}/gdb-${name}-%p.log"
allow_core_dumps = yes
Freeradius: 3.0.16
FreeBSD : 11.1-RELEASE
coredumps are allowed on OS, yet i don't have and dumps
root@gsm-radius-cellc1:~ # sysctl -a | grep kern.core
kern.corefile: %N.core
kern.coredump: 1
kern.coredump_pack_vmmapinfo: 1
kern.coredump_pack_fileinfo: 1
Thanks
Vikash
Regards
Vikash Badal
Senior Technical Systems Engineer
T +27 11 5750825
C +27 83 6774915
www.is.co.za
Internet Solutions is a division of Dimension Data
Disclaimer: https://www.is.co.za/legal/#e-mail-confidentiality-notice-and-disclaimer
3
4
Hi,
I am setting up 2factor auth and we use Strongswan as our VPN server. I
use FreeRADIUS as backend of Strongwan.
This is the setup
mac osx (ikev2 with eap-mschapv2) ---> Strongswan ---> FreeRADIUS -->
multiotp
First I tried with clear text password in /etc/raddb/users and it is
successful. For 2factor I need to pair it with multiOTP. I followed the doc
https://wiki.freeradius.org/guide/multiOTP-HOWTO
and it is successfully working
*# radtest -t mschap kumar `oathtool --totp 3683453456769abc3452`
127.0.0.1 0 testing123*
*Sent Access-Request Id 1 from 0.0.0.0:53097 <http://0.0.0.0:53097> to
127.0.0.1:1812 <http://127.0.0.1:1812> length 131*
* User-Name = "kumar"*
* MS-CHAP-Password = "987897"*
* NAS-IP-Address = 127.0.0.1*
* NAS-Port = 0*
* Message-Authenticator = 0x00*
* Cleartext-Password = "987897"*
* MS-CHAP-Challenge = 0xcb76ef02a264e636*
* MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000021c2d6262c11c88b4265e63da64e4f80dc46364e75d90df*
*Received Access-Reject Id 1 from 127.0.0.1:1812 <http://127.0.0.1:1812> to
0.0.0.0:0 <http://0.0.0.0:0> length 61*
*(0) multiotp: Executing: /usr/bin/multiotp %{User-Name} %{User-Password}
-src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge}
-chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge}
-ms-chap-response=%{MS-CHAP-Response}
-ms-chap2-response=%{MS-CHAP2-Response}:*
*(0) multiotp: EXPAND %{User-Name}*
*(0) multiotp: --> kumar*
*(0) multiotp: EXPAND %{User-Password}*
*(0) multiotp: -->*
*(0) multiotp: EXPAND -src=%{Packet-Src-IP-Address}*
*(0) multiotp: --> -src=127.0.0.1*
*(0) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}*
*(0) multiotp: --> -chap-challenge=*
*(0) multiotp: EXPAND -chap-password=%{CHAP-Password}*
*(0) multiotp: --> -chap-password=*
*(0) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}*
*(0) multiotp: --> -ms-chap-challenge=0xcb76ef02a264e636*
*(0) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}*
*(0) multiotp: -->
-ms-chap-response=0x0001000000000000000000000000000000000000000000000000021c2d6262c11c88b4265e63da64e4f80dc46364e75d90df*
*(0) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}*
*(0) multiotp: --> -ms-chap2-response=*
*(0) multiotp: Program returned code (0) and output ''*
*(0) multiotp: Program executed successfully*
*(0) [multiotp] = ok*
But when I use Strongswan, there is no MS-CHAP-Challenge (i tried with
%{mschap:Challenge})
*(1) multiotp: Executing: /usr/bin/multiotp %{User-Name} %{User-Password}
-request-nt-key -src=%{Packet-Src-IP-Address}
-chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password}
-ms-chap-challenge=%{MS-CHAP-Challenge}
-ms-chap-response=%{MS-CHAP-Response}
-ms-chap2-response=%{MS-CHAP2-Response}:*
*(1) multiotp: EXPAND %{User-Name}*
*(1) multiotp: --> karthik*
*(1) multiotp: EXPAND %{User-Password}*
*(1) multiotp: -->*
*(1) multiotp: EXPAND -src=%{Packet-Src-IP-Address}*
*(1) multiotp: --> -src=127.0.0.1*
*(1) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge}*
*(1) multiotp: --> -chap-challenge=*
*(1) multiotp: EXPAND -chap-password=%{CHAP-Password}*
*(1) multiotp: --> -chap-password=*
*(1) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge}*
*(1) multiotp: --> -ms-chap-challenge=*
*(1) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response}*
*(1) multiotp: --> -ms-chap-response=*
*(1) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response}*
*(1) multiotp: --> -ms-chap2-response=*
Any help on this please ?
Thanks
4
12