Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2018
- 80 participants
- 85 discussions
Hi all,
Radius version : 2.2 (old, but reliable)
Ive recently ran into a problem with our accounting Radius server which have seen smooth sailing for a long time. Basically every night at 8pm a stop request is generated for all users and then consequently a start to change the package assigned to the customer. Currently our Radius is serving 19000 customers. The problem we are facing is that the NAS which is basically a session and resource controller sends the accounting-requests but the accounting-responses are taking from around 7 to 10 seconds from the time the Acct-requests come in to be dispatched to the NAS as observed from wire shark, please see attachment.
The same is reflected in the radius accounting logs. The problem that occurs due to this is that the NAS when it doesn't receive the response in the given time keeps retrying, sending accounting-requests again and again and eventually errors with retries expired and fails.
Should I increase the ''max_requests'' in radiusd.conf, currently it set to 2048. The comments say it should be 256 multiplied by the number clients. Now by clients does it mean the actual number of customers in my case or the number of NASs that connect to the Radius server. (Apologies for the lack of understanding)
Accounting responses usually take milliseconds but I don't know why it's taking so long in this case. If I could be guided in how to troubleshoot this or any assistance in this regard would be greatly appreciated.
BR/Mustafa
4
5
Hello every body
I made all important configuration to allow Simultaneous-Use attribute working without result .
Modify the /etc/freeradius/sql/mysql/dialup.conf file and unncomment :
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
This is the result when I run freeradius in debug mode , there are no any check for simultaneous-use attribute
rad_recv: Accounting-Request packet from host 10.10.0.130 port 1049, id=231, length=104
Acct-Status-Type = Start
Acct-Session-Id = "3a457fb2"
User-Name = "99625743140"
NAS-Identifier = "ftg"
Framed-IP-Address = 192.168.33.5
Fortinet-Client-IP-Address = 192.168.33.5
Fortinet-Vdom-Name = "root"
Calling-Station-Id = "192.168.33.5"
Event-Timestamp = "Mar 8 2018 12:32:49 +03"
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',NAS-Identifier = "ftg",NAS-IP-Address = 10.10.0.130,Acct-Session-Id = "3a457fb2",User-Name = "99625743140"'
[acct_unique] Acct-Unique-Session-ID = "cd2730cfc5c2adb4".
++[acct_unique] = ok
[suffix] No '@' in User-Name = "99625743140", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
+} # group preacct = ok
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+group accounting {
[detail] expand: %{Packet-Src-IP-Address} -> 10.10.0.130
[detail] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.10.0.130/detail-20180308
[detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.0.130/detail-20180308
[detail] expand: %t -> Thu Mar 8 12:32:49 2018
++[detail] = ok
[sradutmp] expand: /var/log/freeradius/sradutmp -> /var/log/freeradius/sradutmp
[sradutmp] expand: %{User-Name} -> 99625743140
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[sradutmp] = noop
[sql] expand: %{User-Name} -> 99625743140
[sql] sql_set_user escaped user --> '99625743140'
[sql] expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 10
rlm_sql (sql): Released sql socket id: 10
++[sql] = ok
++update control {
sql_xlat
expand: %{User-Name} -> 99625743140
sql_set_user escaped user --> '99625743140'
expand: SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct where acctstarttime >= CURDATE() AND radacct.username='%{User-Name}' -> SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct where acctstarttime >= CURDATE() AND radacct.username='99625743140'
rlm_sql (sql): Reserving sql socket id: 9
sql_xlat finished
rlm_sql (sql): Released sql socket id: 9
expand: %{sql:SELECT (SUM(acctinputoctets)+SUM(acctoutputoctets)) AS Total FROM radacct where acctstarttime >= CURDATE() AND radacct.username='%{User-Name}'} -> 115456
sql_xlat
expand: %{User-Name} -> 99625743140
sql_set_user escaped user --> '99625743140'
expand: SELECT value FROM radcheck WHERE attribute='Ftg-Total-Limit' AND username='%{User-Name}' -> SELECT value FROM radcheck WHERE attribute='Ftg-Total-Limit' AND username='99625743140'
rlm_sql (sql): Reserving sql socket id: 8
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 8
expand: %{sql: SELECT value FROM radcheck WHERE attribute='Ftg-Total-Limit' AND username='%{User-Name}'} ->
sql_xlat
expand: %{User-Name} -> 99625743140
sql_set_user escaped user --> '99625743140'
expand: SELECT value FROM radcheck WHERE attribute='Ftg-Total-Limit' AND username='%{User-Name}' -> SELECT value FROM radcheck WHERE attribute='Ftg-Total-Limit' AND username='99625743140'
rlm_sql (sql): Reserving sql socket id: 7
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 7
expand: %{sql: SELECT value FROM radcheck WHERE attribute='Ftg-Total-Limit' AND username='%{User-Name}'} ->
sql_xlat
expand: %{User-Name} -> 99625743140
sql_set_user escaped user --> '99625743140'
expand: select calledstationid from radacct where acctsessionid='%{Acct-Session-Id}' -> select calledstationid from radacct where acctsessionid='3a457fb2'
rlm_sql (sql): Reserving sql socket id: 6
sql_xlat finished
rlm_sql (sql): Released sql socket id: 6
expand: %{sql:select calledstationid from radacct where acctsessionid='%{Acct-Session-Id}'} ->
++} # update control = noop
++? if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}")
expand: %{control:Tmp-Integer-0} -> 115456
expand: %{control:Tmp-String-1} ->
? Evaluating ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") -> TRUE
++? if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") -> TRUE
++if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") {
+++update coa {
expand: %{User-Name} -> 99625743140
expand: %{Framed-IP-Address} -> 192.168.33.5
+++} # update coa = noop
++} # if ("%{control:Tmp-Integer-0}" > "%{control:Tmp-String-1}") = noop
[attr_filter.accounting_response] expand: %{User-Name} -> 99625743140
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 231 to 10.10.0.130 port 1049
WARNING: Empty pre-proxy section. Using default return values.
Sending CoA-Request of id 235 to 10.10.0.130 port 3799
User-Name = "99625743140"
Framed-IP-Address = 192.168.33.5
Finished request 2.
Cleaning up request 2 ID 231 with timestamp +244
Going to the next request
Waking up in 2.4 seconds.
rad_recv: CoA-NAK packet from host 10.10.0.130 port 3799, id=235, length=50
Error-Cause = Session-Context-Not-Found
Event-Timestamp = "Mar 8 2018 12:32:49 +03"
Message-Authenticator = 0xdecd7dd3d4d82835f93f87c35704f1b9
# Executing section post-proxy from file /etc/freeradius/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Finished request 2.
Going to the next request
Waking up in 2.9 seconds.
1
0
Hi,
I did a bit of digging around in the archives, I’m trying to do effectively what Peter was doing in this thread: http://lists.freeradius.org/pipermail/freeradius-devel/2013-April/007974.ht…
Actually not effectively, quite literally, for literally the same service offered by the same provider in the same market :)
I am aware of dhcp_options xlat for *decoding* DHCP options. I am looking to encode DHCP options for transmitting to the NAS.
I note that Arran has implemented an xlat called ‘dhcp’ since then, looks like it’s based on discussions from that thread, but I’m not sure how it should be used. I’ve defined some attributes similar to the thread above, but with the ‘dot notation’ format rather than the ‘BEGIN TLV’ type format. Additionally, I changed the type of ‘DHCP-Vendor’ to ‘tlv’. It was set to “octets # tlv”.. which I’m not sure how to interpret, but FreeRADIUS refused to start when it was set to that as the sub options expect it to be a TLV, which seems reasonable.
This is in my dictionary.dhcp, in amongst everything else - the first lines is modified as I describe above, the others are new.
ATTRIBUTE DHCP-Vendor 43 tlv
ATTRIBUTE DHCP-Vendor-URL 43.1 string
ATTRIBUTE DHCP-Vendor-Pass 43.2 string
ATTRIBUTE DHCP-Vendor-CPEID 43.253 string
If I do ‘ERX-Dhcp-Options = “0x%{dhcp:DHCP-Vendor-URL}”’ after setting DHCP-Vendor-URL, it tells me that it’s not a DHCP option, and I get an empty option. If I try set it to “0x%{dhcp:DHCP-Vendor}”, it gets set to empty, and it doesn’t get transmitted in the RADIUS packet. I have also tried things like %{dhcp:&DHCP-Vendor} and so on, but same result.
The DHCP-Vendor-URL is transmitted in the RADIUS reply as a standard RADIUS VSA which isn’t useful unfortunately, and the NAS gets a bit confused. To get around that, I’m setting those attributes in control - could strip them out later, but, this seemed less cumbersome. I’ve tried leaving them in the reply, but ERX-Dhcp-Options is still not filled and is of course not transmitted.
I can encode this all manually, and doing it by hand once off I do get the effect I’m after, but it’s a bit of a chore as the strings are variable length and of course content, and constructing a TLV structure with xlat by hand seems very fragile, so would rather do this with the purpose built xlat if I can.
I have had a bit of a poke around in the code, but VSAs and particularly TLVs are a bit foreign to me.
Any guidance about how to use this? Happy to write up some docs for the xlat pages or something once I’ve got a handle on how to use it. Looks like the same xlat is in v4 (at the moment) so would be useful for there too I presume. The documentation (http://networkradius.com/doc/3.0.10/raddb/mods-available/dhcp.html) suggesting it was used with ALu boxes and Juniper, but I wasn’t able to find any examples or discussion other than Peter’s above - and I believe it is slightly outdated now that the dhcp xlat has been implemented along side dhcp_options?
Passing DHCP-Vendor-URL, I get an error as mentioned:
(6) update control {
(6) DHCP-Vendor-URL = "http://blah/"
(6) DHCP-Vendor-Pass = ""
(6) EXPAND %{string:request:ADSL-Agent-Remote-Id}
(6) --> CHORUS1636495896B01
(6) DHCP-Vendor-CPEID = CHORUS1636495896B01
(6) } # update control = noop
(6) update reply {
(6) ERROR: DHCP option encoding failed: Attribute "DHCP-Vendor-URL" is not a DHCP option
(6) EXPAND 0x%{dhcp:control:DHCP-Vendor-URL}
(6) --> 0x
(6) ERX-DHCP-Options = 0x
(6) } # update reply = noop
Predictably, this becomes:
(6) Sent Access-Accept Id 75 from 10.55.86.243:1812 to 103.241.56.191:55932 length 0
(6) Framed-IP-Address = 100.74.0.69
(6) Reply-Message := "User authenticated - "
(6) ERX-Virtual-Router-Name = "default:CustomersNat"
(6) Class = 0x61693a3339373463396339613133383737326133313363303335653439383237643432
(6) ERX-Dhcp-Options = 0x
And passing 'DHCP-Vendor’:
(9) update control {
(9) DHCP-Vendor-URL = "http://blah/"
(9) DHCP-Vendor-Pass = ""
(9) EXPAND %{string:request:ADSL-Agent-Remote-Id}
(9) --> CHORUS1636495896B01
(9) DHCP-Vendor-CPEID = CHORUS1636495896B01
(9) } # update control = noop
(9) update reply {
(9) EXPAND 0x%{dhcp:control:DHCP-Vendor}
(9) --> 0x
(9) ERX-DHCP-Options = 0x
(9) } # update reply = noop
Predictably, this becomes:
(9) Sent Access-Accept Id 84 from 10.55.86.243:1812 to 103.241.56.191:55932 length 0
(9) Framed-IP-Address = 100.74.0.69
(9) Reply-Message := "User authenticated - "
(9) ERX-Virtual-Router-Name = "default:CustomersNat"
(9) Class = 0x61693a6261656232323837616639393065366636666239316333623761643536366661
(9) ERX-Dhcp-Options = 0x
(9) Finished request
--
Nathan Ward
3
4
Hi everybody,
I'am using Freeradius 3.0.12 with backend MySQL.
I customized my SQL groupreply request like this:
authorize_group_reply_query = "\
SELECT id, groupname, attribute, \
value, op \
FROM ${groupreply_table} \
WHERE groupname = '%{${group_attribute}}' AND value LIKE '%%%{Called-Station-Id}%%' \
ORDER BY id"
%(Called-Station-Id) can be phone number like +33567897654, and the request sent to MySQL is:
SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = GROUP' AND value LIKE '%=2B33567897654%' ORDER BY id
'+' string was converted to "=2B'.
How can I do to preserve + string
Best Regards,
Tony LEMEUNIER
Tony LEMEUNIER
4
7
Hello:
I'm setting up EAP-TLS for the first time using the test certificates. Can
someone please look at the debug output and help me find what's causing the
failure ? I think I've included the correct snippet:
rad_recv: Access-Request packet from host 192.168.10.22 port 49205, id=37,
length=128
NAS-IP-Address = 192.168.10.22
NAS-Port-Type = Ethernet
NAS-Port = 12
User-Name = "client"
State = 0xda0f395eda0d3de3fa5ad84917a2fd9b
Called-Station-Id = "EC-1D-8B-EC-5C-F7"
Calling-Station-Id = "00-40-8C-BF-28-F4"
EAP-Message = 0x02020006030d
Message-Authenticator = 0x6ffb217a2a4a97d64cd8714d965b7b2b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry client at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 37 to 192.168.10.22 port 49205
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xda0f395edb0c34e3fa5ad84917a2fd9b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.22 port 49205, id=38,
length=128
NAS-IP-Address = 192.168.10.22
NAS-Port-Type = Ethernet
NAS-Port = 12
User-Name = "client"
State = 0xda0f395edb0c34e3fa5ad84917a2fd9b
Called-Station-Id = "EC-1D-8B-EC-5C-F7"
Calling-Station-Id = "00-40-8C-BF-28-F4"
EAP-Message = 0x020300060300
Message-Authenticator = 0x18eed350fa3d2921bb07065aa89044d8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry client at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Thank you,
Joe
2
1
Hi folks,
About a week ago I popped a near-trivial pull request in against FR
v3.0.x (because this is the version we are using) but it should be more
widely compatible. I haven't heard anything back since - do I need to do
anything else to have it considered for merging?
https://github.com/FreeRADIUS/freeradius-server/pull/2184
Thanks,
Jonathan
1
0
Hello,
I have installed FreeRADIUS on Ubuntu Server 16.04. I can connect to it
with EAP MSCHAPv2 and many other ways but it fails on TTLS MSCHAPv2 which
is the one I need to use. If wanted I can send the debug information from
a working EAP MSCHAPv2.
I try to connect with an android phone through a ASUS router.
Anyone got any idea why it is not working?
root@ubuntuRADIUS:/etc/freeradius# freeradius -X
freeradius: FreeRADIUS Version 2.2.8, for host i686-pc-linux-gnu, built on
Jul 26 2017 at 15:28:44
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/checkval
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.0.2.2 {
ipaddr = 10.0.2.2
require_message_authenticator = no
secret = "testing123"
}
client asus {
ipaddr = 10.0.0.1
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 58209
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=131
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0xbeb4b21ce8f441d188a5cfd604ea60f4
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25661548b775c8b93cb3b8ac0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=306
Cleaning up request 0 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25661548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100ab150016030100a00100009c0303526804514ac801dadb13db30bc913fac38c7cb01a7563c4e87eae08760e0f0e500003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Message-Authenticator = 0xfa662c8841ae23189146cdb69dcb7064
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0102040015c00000046a1603030039020000350303882e3d0906b3ac53b42c9a46285a2d0ae21d934798a065c56e02ad4103ed1b5800c03000000dff01000100000b00040300010216030302cc0b0002c80002c50002c2308202be308201a6a003020102020900b37fe074c794d454300d06092a864886f70d01010b050030173115301306035504030c0c7562756e7475524144495553301e170d3138303330313133353235325a170d3238303232373133353235325a30173115301306035504030c0c7562756e747552414449555330820122300d06092a864886f70d01010105000382010f003082010a0282010100be9382ed2dc1add32b1b35f7
EAP-Message =
0x52c8fc8c0d2652e99ec612ac75a1029c63f63cfff4fd6cd9bb9e419bcfb7aed8e64d01f0f410c11961e22e9d2bea61dc6aacf0717dc0e386103809ea6f9978c068b1d59f405695fddfd47aff401b5f3390333b57b915960ec53698c32b02a49566bbbfb192c0a9b928a24535f40190231bf71416c580b6d982b17e744c7780ac0a64ea777a6f6d3cc493896914f89e0569b9a24f5a59387c852f838f053a9c396eee54f4ea222ae605b4735262d4e3685c6088da5fb881f739c00c93542663954a9800c99410e74ff3593536a9a669c0ef50b612e4270afe8f123d0ad38121639babf0fbd66137021597d97e6ef7d4aa7f9c02710203010001a30d300b
EAP-Message =
0x30090603551d1304023000300d06092a864886f70d01010b050003820101000b407680d9c47a5900401c7b6fe5390675f547567dacb4a75fb72387a0b621d5a668726d0654ef300fbe6b18324ddf2510cb0b6e459e90857c9d9cc34482c2aa5d7d9df792b1cc77f83aa3ccb7c6d0bd9080c31e22f5eb90212ede14732eaffcc9b24c580fede255a3e5acf05effc49d74cb63971ea81cda755983b202bffc116440616a01f57ad5b353cd7bba302dcf067313b00d0ff8a1bdd01e1b612ee04fd36c42949a32175585a1b28583c6a46f9399989acc68d2c3e7b7360ceddca417823ae7fe9d21a888c393bca3a9dbd66ccbbf59d5a1a290e7c67f1abe3bb3
EAP-Message =
0x77e112552a255d336731fee2e1a05bd01a87a238f12694278b87ef2146a11e649288160303014d0c00014903001741041c8714338c965bc7b84cfcb017ba8f7b4ac0b9677bab6c17f25b3d7ae14e08b09a2bedeb5c45f7979bff9eecd8c07b25fd937226555016d601cc60fa422ef751060101006dd90aabf97ea915a14e0e6ef6c57bfe4829db82b1602975b98712ec5db42b3c8b5c79572d5573bcd0a5c7560a03067e2f771494ecafa8a038672befabaf28d49b5f0d9b0a55b8d7d225eb2a11727955c030546f3709e912bc3f1b4d904c979c1fd43b0a325c403a3adc3aeeededdb811a1d55a2f8de44262e62557d74e60789234cd69ce46be1c86a
EAP-Message = 0x6c200c441581cef8c8df6fa0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25762548b775c8b93cb3b8ac0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=141
Cleaning up request 1 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25762548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0x9edaf5e9ac1eadb44961e09e6104bcbe
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0103007e15800000046aac4b2092f7d8e1ea994220a3e8fd64f6d29dd5d76d635dd7ac0895ea388f366812df6a1924dc25d7bb65058b2688fb10a125244fbfb429eddaab8d0bbdd38c76c39129ccddd422eaec8d1f5b478a431a81eeda645fc6502dfb21b1aa3c3a2abe102dd9b84bd475b427489216030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25463548b775c8b93cb3b8ac0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=267
Cleaning up request 2 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25463548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02030084150016030300461000004241046c37eb48dbbe8b3f2e0d3f4da3132daa81876d95c47c3c705cbf6917fa06d3ded4742817f732475c9c8b95f86670e5e80736e8f8e722d7e5a840d53943d1487d14030300010116030300280000000000000000db7f068e8fcce0d83d6a09d6b3abb56aefe288bc0d88a8c936338de79690e402
Message-Authenticator = 0x73f1ad17bb3790824f1409941692e2c8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0104003d158000000033140303000101160303002848357c1cd4efab5cceee0653c966dd0bf3a945b2ad77d149c6a69feff8cda8dcc4ab0b04d23d59d8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25564548b775c8b93cb3b8ac0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=278
Cleaning up request 3 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25564548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204008f150017030300840000000000000001adeee8b56ad79d8da4b1679db4746911f0033f5b5d83956312523861b8b2791310d63b269ec0b5eff151f90027dccef0ad6d604f6362e4bec2d7e8329969d05507acde23d18bf5c09ef07eface4cd2cba6c386f193dd76063b912057d569d1a549db5a68e108be0542d58e654e1b61e4716d701605d32b81ac0e5e9c
Message-Authenticator = 0x05dc9439feca7c1d8a89f6cf01ca1fe5
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 4 ID 0 with timestamp +34
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=131
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x1c6c04fb8378f1910b9fb507c133e93c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660c446f12a95d9c7efeb2c3c0
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=306
Cleaning up request 5 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660c446f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100ab150016030100a00100009c03037bd1bcd41a4e58bb2447cae4df3b01e79efc412376c6c44ecd111b633f6da95900003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Message-Authenticator = 0x26bfb48fc179201a854a456aae91e65c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0102040015c00000046a16030300390200003503039c0f1bfc9ead4d4ac014ec5aa1165fa6567c65c0de03bd01fde7d800817a142500c03000000dff01000100000b00040300010216030302cc0b0002c80002c50002c2308202be308201a6a003020102020900b37fe074c794d454300d06092a864886f70d01010b050030173115301306035504030c0c7562756e7475524144495553301e170d3138303330313133353235325a170d3238303232373133353235325a30173115301306035504030c0c7562756e747552414449555330820122300d06092a864886f70d01010105000382010f003082010a0282010100be9382ed2dc1add32b1b35f7
EAP-Message =
0x52c8fc8c0d2652e99ec612ac75a1029c63f63cfff4fd6cd9bb9e419bcfb7aed8e64d01f0f410c11961e22e9d2bea61dc6aacf0717dc0e386103809ea6f9978c068b1d59f405695fddfd47aff401b5f3390333b57b915960ec53698c32b02a49566bbbfb192c0a9b928a24535f40190231bf71416c580b6d982b17e744c7780ac0a64ea777a6f6d3cc493896914f89e0569b9a24f5a59387c852f838f053a9c396eee54f4ea222ae605b4735262d4e3685c6088da5fb881f739c00c93542663954a9800c99410e74ff3593536a9a669c0ef50b612e4270afe8f123d0ad38121639babf0fbd66137021597d97e6ef7d4aa7f9c02710203010001a30d300b
EAP-Message =
0x30090603551d1304023000300d06092a864886f70d01010b050003820101000b407680d9c47a5900401c7b6fe5390675f547567dacb4a75fb72387a0b621d5a668726d0654ef300fbe6b18324ddf2510cb0b6e459e90857c9d9cc34482c2aa5d7d9df792b1cc77f83aa3ccb7c6d0bd9080c31e22f5eb90212ede14732eaffcc9b24c580fede255a3e5acf05effc49d74cb63971ea81cda755983b202bffc116440616a01f57ad5b353cd7bba302dcf067313b00d0ff8a1bdd01e1b612ee04fd36c42949a32175585a1b28583c6a46f9399989acc68d2c3e7b7360ceddca417823ae7fe9d21a888c393bca3a9dbd66ccbbf59d5a1a290e7c67f1abe3bb3
EAP-Message =
0x77e112552a255d336731fee2e1a05bd01a87a238f12694278b87ef2146a11e649288160303014d0c0001490300174104c9045f5eb696e3bae69ae45f211aa435df203c126a105d4a36ff13d66e0d4a63be257f9607c09181a5937f23017e649418a160a82bd6665ec0c91baf97c6426d06010100929ea9e28c3494ad9133da7258e1b236497833a40dab4df86ddeb1c9d15551ea00a6527607177a2245b04be917f5290ea002cfb420ae25310982a2d28b6db50e72f77b59c971b9952f55452e845b89a799a6de4b20a436d32f8d8b096784af93e77e1173ac2f8f7f93fac69934ee96dae1758470d9da75f2e48bcd9c71552e1da13bb79bbc9757153e
EAP-Message = 0x0a6dd003a8cc5909b776178e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660d476f12a95d9c7efeb2c3c0
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=141
Cleaning up request 6 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660d476f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0xa934c5d9ef37110127b4f5bde5976891
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0103007e15800000046acb854a80c6735479539ee466b6a78aea03b8217eca2044c6ae68d2abbe534fde390dee64a8f7fd6b3dae8a0df9ac8d0af161c7625e3c3760846bfecd09dd16ee51aa7dcc9fba22300f028808728e22ead32640c245d1a74109ccab548af6f1de2121336a0c96e46418d10716030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660e466f12a95d9c7efeb2c3c0
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=267
Cleaning up request 7 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660e466f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02030084150016030300461000004241040908ad55e927f17918673c168d8477906aabd3bc14038f994d1c1a2f327e121ddf4f448468ff574b1de06a5e5c00123236777eace6353a385d9d6205b8e023d51403030001011603030028000000000000000038383460e069ca3fb477847a834dece115cf0c5f26f01130a5b49d8a3e7e3efc
Message-Authenticator = 0xcf44d9a2c92b07296faf5930c64adb01
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0104003d1580000000331403030001011603030028df04f4b005fc62dedaf73c81ca86bc8d61392e442fd3a85c287b0d0e06972d6e6410ba3fbf7330d1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660f416f12a95d9c7efeb2c3c0
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=278
Cleaning up request 8 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660f416f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204008f1500170303008400000000000000010b253d2220ac2acfe53e1fd5fbf2f2598a92443873a876f42e99da95a7bb051826a9c1c5dffc5c67c16c586df567d560ca07a7241921db2556e8d2a66f422b1932cfb3e1eb112d1fc6d3ba616889e05555c878940ee3f351d7a15a49586714bdd55276e3cdeab9ed113e4e460db718e3924ebd328bdf9a3e3236b6fc
Message-Authenticator = 0x1af17b63a64f47fcbc3a0ec16717a910
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +41
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=131
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x676ec42b20976a91a8bd7ab0d8cb999f
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a983b1a9e70d1786f6677e705
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=306
Cleaning up request 10 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a983b1a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100ab150016030100a00100009c0303a27710c867999b0722e29b8d455b6f41806830d2b5785a86ef947bc76d4ef04a00003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Message-Authenticator = 0x4494d20d1a8cb27ec272148c29dfc456
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0102040015c00000046a160303003902000035030338d451eebc70f7a6865019f0f9fe971d97d29dbbf259f8c9fd51f0aa6f931c6000c03000000dff01000100000b00040300010216030302cc0b0002c80002c50002c2308202be308201a6a003020102020900b37fe074c794d454300d06092a864886f70d01010b050030173115301306035504030c0c7562756e7475524144495553301e170d3138303330313133353235325a170d3238303232373133353235325a30173115301306035504030c0c7562756e747552414449555330820122300d06092a864886f70d01010105000382010f003082010a0282010100be9382ed2dc1add32b1b35f7
EAP-Message =
0x52c8fc8c0d2652e99ec612ac75a1029c63f63cfff4fd6cd9bb9e419bcfb7aed8e64d01f0f410c11961e22e9d2bea61dc6aacf0717dc0e386103809ea6f9978c068b1d59f405695fddfd47aff401b5f3390333b57b915960ec53698c32b02a49566bbbfb192c0a9b928a24535f40190231bf71416c580b6d982b17e744c7780ac0a64ea777a6f6d3cc493896914f89e0569b9a24f5a59387c852f838f053a9c396eee54f4ea222ae605b4735262d4e3685c6088da5fb881f739c00c93542663954a9800c99410e74ff3593536a9a669c0ef50b612e4270afe8f123d0ad38121639babf0fbd66137021597d97e6ef7d4aa7f9c02710203010001a30d300b
EAP-Message =
0x30090603551d1304023000300d06092a864886f70d01010b050003820101000b407680d9c47a5900401c7b6fe5390675f547567dacb4a75fb72387a0b621d5a668726d0654ef300fbe6b18324ddf2510cb0b6e459e90857c9d9cc34482c2aa5d7d9df792b1cc77f83aa3ccb7c6d0bd9080c31e22f5eb90212ede14732eaffcc9b24c580fede255a3e5acf05effc49d74cb63971ea81cda755983b202bffc116440616a01f57ad5b353cd7bba302dcf067313b00d0ff8a1bdd01e1b612ee04fd36c42949a32175585a1b28583c6a46f9399989acc68d2c3e7b7360ceddca417823ae7fe9d21a888c393bca3a9dbd66ccbbf59d5a1a290e7c67f1abe3bb3
EAP-Message =
0x77e112552a255d336731fee2e1a05bd01a87a238f12694278b87ef2146a11e649288160303014d0c0001490300174104d4bc9b3384651e6ecdfedf74bd004c614a51dfeeae36a9fc6b3f3e9d756da259a0d153ef55332cb9350c545c4cad7b3b96f4c0a5e04abc0475aca9a2494dd0bf06010100bb47844ba03bc1969c891a1e37a8a99e1310d97835b5be102a13ddf1b84b3a7a4840fad85e9c6e272ab4a5e2d1afc31d0f2f6edb69d42dc73bd33bc93566a2f5b3a6c3f7468b951c623115a75f9e74d98369e4aa8f2be02b4ccbde2bd4c438a7cc780a035d0dbc5a5ff14f9761fc1068db76a5fceff260f5a1cd60d261c535af2676a2ca2e0cb2d15d
EAP-Message = 0xc9ea0b7bf4dc7b16b042bed8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a99381a9e70d1786f6677e705
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=141
Cleaning up request 11 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a99381a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0x29ca321bf5207e566bdfbde431c392df
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0103007e15800000046a4e10b776a37915fcf4f2dde3685940dbfea0542c5769819c4b948a1eaea41a55547f1fba0cd678ad5fd9868549d4ad9ba86131ccde39ca1a54e8d4ff6135f1da87c7649d577be682838374dc3922358785cbb92f67427b573e3447c30ec5f00758b9bda56bbde8b5b5f7af16030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a9a391a9e70d1786f6677e705
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=267
Cleaning up request 12 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a9a391a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0203008415001603030046100000424104939c1ca8205736e62176faa470a2ddd4cc4732bdfb0a91a3c69756ff20227f99c8be39ae3ee90aef2cfd6ee33ee90a00d5a6009982426148bf7cf50eaaf9649c14030300010116030300280000000000000000cb752cedfefbb76538cb2a753067821926acc5a82e1587251a9ae55e49270d99
Message-Authenticator = 0x48305bf93df8cdc7213e51a97981a74b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0104003d15800000003314030300010116030300280b1a10be1e4e65a7c37a795524033677856ba37e47405ca76d6d047a8119d2116f56dc72c6053901
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a9b3e1a9e70d1786f6677e705
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=278
Cleaning up request 13 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a9b3e1a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204008f15001703030084000000000000000181f59453f45ff9351d0eb09f8559ad492ab457ecade0e6c6c30f1a8e547e2dd5f00316175c390c1f26d1aaa61eaa1a25735804b47041bede97df420c9eef1e806739cc77f680dbca690661abb5c7e3d19a7dc4f892452d4a704a7f7bd4d89fd81f982735b50be5c35f6f0b45d340a01c9384319974ad53e68a8fcf73
Message-Authenticator = 0x6f40d71d85b6f299fd688e265aa1ce7a
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 14 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 14
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 14 ID 0 with timestamp +49
Ready to process requests.
2
2
Hi,
I need Help to try to create a new table (MariaDB) with one row from each
user identified by day on the radacct.
Because radacct is growing fast I need to store a new table with the visits
per day by username.
Something like visits_table
idVisits_table
username
date_visit
with username and date_visit unique keys.
Also a need to store this table in a different server from the server where
is installed the radius_db.
I've been reading and I can do a trigger on radius_db and every insert on
radacct fire an insert-update on the new visits_table.
Also a I can create this visits_table as a FederatedX table on the other
MariaDB machine.
I would like to know if someone have done this before and can give me a
little bit of light on how to solve this.
I think with the trigger and plus the FederatedX maybe a slow down to much
the database, maybe some code (need help in this) on the radius part will do
the job better.
If anyone can give me a hand will be appreciate.
Thanks.
Oscar
2
2
I’m hoping someone can give me a helping hand. I’ve got an older version of FreeRADIUS (2.2.0) running on an internal legacy system. The server is scheduled to be replaced by the summer so at this point it would be a waste to try to upgrade it. I do however need to make a change to the configuration to hack for a requirement of the server that’s being replaced first… and I’ve been kind of going/googling around in circles. Have tried 4 or 5 different things that I’ve found but I think a few of them may be for newer versions of FreeRADIUS… and the ones I thought were old enough didn’t accomplish anything either 😊
Essentially what I need to do is run one script after a user is authenticated to which will extract the username and the IP address they’ve been assigned (and possibly the NAS IP/port) (in the current test script this info is just echoed to a file so that I can tell when it’s working). And then a different script (with the same parameters) when they log off. From reading I’m guessing accounting-start and accounting-stop is the point where I want to be doing this, but I’m open to input on that as well if there’s somewhere more appropriate.
What is the best/right way to accomplish this in FreeRADIUS 2.2.0?
Cheers,
Mike
3
4
Hello,
I have been setting up freeradius-3.0.15 (from PPA) under Ubuntu 16.04,
and using mod_krb5 to authenticate against Samba4. There are four
freeradius servers, each with a Samba replica behind it.
Once every few days, I get alerts from nagios saying one or more RADIUS
servers has stopped working for a few minutes, and then they recover.
There are two nagios servers making RADIUS checks across all four RADIUS
servers, and both nagios servers see the problem simultaneously.
I now have authentication logging turn on, and at the time of the last
event I see:
... all OK
Thu Feb 22 17:21:51 2018 : Auth: (273) Login OK: [nagiostest] (from
client ix_nagios port 0)
Thu Feb 22 17:22:38 2018 : Auth: (274) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:23:00 2018 : Error: Unresponsive child for request 275, in
component authenticate module krb5
Thu Feb 22 17:23:10 2018 : WARNING: (275) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:23:38 2018 : Auth: (276) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:24:00 2018 : Error: Unresponsive child for request 277, in
component authenticate module krb5
Thu Feb 22 17:24:01 2018 : WARNING: (277) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:24:46 2018 : Error: Unresponsive child for request 278, in
component authenticate module krb5
Thu Feb 22 17:24:52 2018 : Info: Need 1 more connections to reach 5 spares
Thu Feb 22 17:24:52 2018 : Info: rlm_krb5 (krb5): Opening additional
connection (5), 1 of 5 pending slots used
Thu Feb 22 17:24:52 2018 : WARNING: (278) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:25:00 2018 : Error: Unresponsive child for request 279, in
component authenticate module krb5
Thu Feb 22 17:25:01 2018 : WARNING: (279) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:25:45 2018 : Info: rlm_krb5 (krb5): Closing connection
(4), from 1 unused connections
Thu Feb 22 17:25:45 2018 : Auth: (280) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:26:00 2018 : Error: Unresponsive child for request 281, in
component authenticate module krb5
Thu Feb 22 17:26:10 2018 : WARNING: (281) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:26:46 2018 : Error: Unresponsive child for request 282, in
component authenticate module krb5
Thu Feb 22 17:26:56 2018 : Info: Need 1 more connections to reach 5 spares
Thu Feb 22 17:26:56 2018 : Info: rlm_krb5 (krb5): Opening additional
connection (6), 1 of 5 pending slots used
Thu Feb 22 17:26:56 2018 : WARNING: (282) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:27:00 2018 : Error: Unresponsive child for request 283, in
component authenticate module krb5
Thu Feb 22 17:27:10 2018 : WARNING: (283) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:27:43 2018 : Info: rlm_krb5 (krb5): Closing connection
(1), from 1 unused connections
Thu Feb 22 17:27:43 2018 : Auth: (284) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:28:00 2018 : Auth: (285) Login OK: [nagiostest] (from
client ix_nagios port 0)
... all OK again
I'm not sure about the meaning of the message "became unblocked".
Looking at the source of call_modsingle()
blocked = (request->master_state == REQUEST_STOP_PROCESSING);
if (blocked) return RLM_MODULE_NOOP;
...
blocked = (request->master_state == REQUEST_STOP_PROCESSING);
if (blocked) {
RWARN("Module %s became unblocked",
sp->modinst->entry->name);
}
It seems to me that the module has unexpectedly become blocked (not
unblocked!) But does this simply mean that the module is taking longer
to respond than expected? Or if not, what else does it indicate?
Apart from this: I wondered if you had any pointers to narrowing down
the problem. There are four servers so I can probably leave one running
under freeradius -X until it recurs.
Now, of course the problem *could* be with Samba4. However I have a
separate nagios script (below) which performs LDAP queries using krb5
authentication, and it never reports a problem - not even an occasional
"soft" error; that suggests that KRB5 is reliable.
It considered if it was a problem with the RADIUS checking plugin
(check_radius_adv), but this seems very unlikely given that (a) both
nagios servers see the same problem simultaneously, and (b) freeradius
itself is logging problems around the time of the issue.
I have:
[radiusd.conf]
max_request_time = 10
thread pool {
start_servers = 3
-----------
#!/bin/sh
host="$1"
if [ "$host" = "" ]; then
echo "Missing hostname"
exit 2
fi
export KRB5_CONFIG="/tmp/krb5.config.$$"
export KRB5CCNAME="/tmp/krb5.cc_cache.$$"
if expr "$host" : ".*:" >/dev/null; then
khost="[$host]"
else
khost="$host"
fi
cat <<EOS >"$KRB5_CONFIG"
[realms]
AD.EXAMPLE.NET = {
kdc = $khost
}
EOS
# 1. Can we get a ticket from this host?
kinit -k -t /etc/nagiostest.keytab nagiostest(a)AD.EXAMPLE.NET
if [ "$?" != "0" ]; then
echo "KINIT FAILED"
rm "$KRB5_CONFIG"
exit 2
fi
# 2. Can we use this ticket to do an LDAP query to this host?
res="$(ldapsearch -LLLQ -Y GSSAPI -h "$host" -b
"cn=users,dc=ad,dc=example,dc=net" "(samaccountname=nagiostest)"
samaccountname userprincipalname)"
if [ "$?" != "0" ]; then
echo "LDAPSEARCH FAILED"
kdestroy
rm "$KRB5_CONFIG"
exit 2
fi
if ! expr "$res" : ".*userPrincipalName: nagiostest(a)ad.example.net"
>/dev/null; then
echo "LDAPSEARCH BAD RESULT: $res"
kdestroy
rm "$KRB5_CONFIG"
exit 2
fi
# 3. Clean up
kdestroy
rm "$KRB5_CONFIG"
echo "OK"
5
8