Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2018
- 62 participants
- 89 discussions
21 Aug '18
Hello all I have followed previous advice given to me and upgraded my install to FreeRADIUS 3.0.17 . I am trying to achieve a setup where computers are let onto company internet via eap-tls and then are separated into VLANS with ldap after this. Currently I believe I have eap-tls working as my eapol test has been successful. However after adding in the ldap module I am getting a bind error which I know is an LDAP error and not a freeradius one. I was hoping someone here could take a look at my debug info and see if I have overlooked anything. Thank you in advance for the help. I also refrenced this previous thread to help out with some of the configs http://freeradius.1045715.n5.nabble.com/Freeradius-3-x-with-LDAP-authentica….
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/ldap
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client kevintest {
ipaddr = 172.17.17.227
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN.net --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_ldap
# Loading module "ldap" from file /usr/local/etc/raddb/mods-enabled/ldap
ldap {
server = "Domain.net"
identity = "cn=ldap.query,ou=service.accounts,ou=Users,ou=operations,ou=departments,dc=Domain,dc=net"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=Domain,dc=net"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
instantiate {
}
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "HIGH"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
tmpdir = "/tmp/radiusd"
client = "/usr/bin/openssl verify -CApath /usr/local/etc/raddb/certs %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "ldap" from file /usr/local/etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20442
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://Domain.net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://Domain.net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://Domain.net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldap://Domain.net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://Domain.net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:332
} # server inner-tunnel
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 36409
Listening on proxy address :: port 64651
Ready to process requests
(0) Received Access-Request Id 0 from 127.0.0.1:36789 to 127.0.0.1:1812 length 134
(0) User-Name = "client.pem"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x0200000f01636c69656e742e70656d
(0) Message-Authenticator = 0xd00906a3d0648e3a771145edfd1b9f36
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(0) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(0) auth_log: EXPAND %t
(0) auth_log: --> Tue Aug 21 19:09:39 2018
(0) [auth_log] = ok
(0) eap: Peer sent EAP Response (code 2) ID 0 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x8db2a5328db3a858
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:36789 length 0
(0) EAP-Message = 0x010100060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x8db2a5328db3a858fbbf5fa81909ec3c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:36789 to 127.0.0.1:1812 length 446
(1) User-Name = "client.pem"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x020101330d0016030101280100012403039c4469b54ea5c4edd45618780c24fa5ca5f8897d2e475569a1553c51469fb9470000aac030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc0
(1) State = 0x8db2a5328db3a858fbbf5fa81909ec3c
(1) Message-Authenticator = 0xae86ca804883a58af655d7ad8ce39609
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(1) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(1) auth_log: EXPAND %t
(1) auth_log: --> Tue Aug 21 19:09:39 2018
(1) [auth_log] = ok
(1) eap: Peer sent EAP Response (code 2) ID 1 length 307
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry DEFAULT at line 1
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x8db2a5328db3a858
(1) eap: Finished EAP session with state 0x8db2a5328db3a858
(1) eap: Previous EAP request found for state 0x8db2a5328db3a858, released from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Got final TLS record fragment (301 bytes)
(1) eap_tls: WARNING: Total received TLS record fragments (301 bytes), does not equal indicated TLS record length (0 bytes)
(1) eap_tls: [eaptls verify] = ok
(1) eap_tls: Done initial handshake
(1) eap_tls: (other): before/accept initialization
(1) eap_tls: TLS_accept: before/accept initialization
(1) eap_tls: <<< recv TLS 1.2 [length 0128]
(1) eap_tls: TLS_accept: unknown state
(1) eap_tls: >>> send TLS 1.2 [length 003e]
(1) eap_tls: TLS_accept: unknown state
(1) eap_tls: >>> send TLS 1.2 [length 0885]
(1) eap_tls: TLS_accept: unknown state
(1) eap_tls: >>> send TLS 1.2 [length 014d]
(1) eap_tls: TLS_accept: unknown state
(1) eap_tls: >>> send TLS 1.2 [length 00b6]
(1) eap_tls: TLS_accept: unknown state
(1) eap_tls: TLS_accept: unknown state
(1) eap_tls: TLS_accept: Need to read more data: unknown state
(1) eap_tls: TLS_accept: Need to read more data: unknown state
(1) eap_tls: In SSL Handshake Phase
(1) eap_tls: In SSL Accept mode
(1) eap_tls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1024
(1) eap: EAP session adding &reply:State = 0x8db2a5328cb0a858
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:36789 length 0
(1) EAP-Message = 0x010204000dc000000ada160303003e0200003a03031b79870f786030224aafaf12faf3cb11780b455b25fcdd8f3be3c65bd5d54eb400c030000012ff01000100000b000403000102000f00010116030308850b00088100087e0003c0308203bc308202a4a003020102020101300d06092a864886f70d01
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x8db2a5328cb0a858fbbf5fa81909ec3c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 127.0.0.1:36789 to 127.0.0.1:1812 length 143
(2) User-Name = "client.pem"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message = 0x020200060d00
(2) State = 0x8db2a5328cb0a858fbbf5fa81909ec3c
(2) Message-Authenticator = 0x09374abbc754eba45442ae669e219bc7
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(2) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(2) auth_log: EXPAND %t
(2) auth_log: --> Tue Aug 21 19:09:39 2018
(2) [auth_log] = ok
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) files: users: Matched entry DEFAULT at line 1
(2) [files] = ok
(2) [expiration] = noop
(2) [logintime] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x8db2a5328cb0a858
(2) eap: Finished EAP session with state 0x8db2a5328cb0a858
(2) eap: Previous EAP request found for state 0x8db2a5328cb0a858, released from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: Peer ACKed our handshake fragment
(2) eap_tls: [eaptls verify] = request
(2) eap_tls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1024
(2) eap: EAP session adding &reply:State = 0x8db2a5328fb1a858
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:36789 length 0
(2) EAP-Message = 0x010304000dc000000ada3fc6f74e554b65096cf1c9576d66e5a1b19b053f667702d6acbfd8730004b8308204b43082039ca003020102020900c600a5ee176d055c300d06092a864886f70d01010b0500308183310b3009060355040613025553310b300906035504080c0257413113301106035504070c
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x8db2a5328fb1a858fbbf5fa81909ec3c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 127.0.0.1:36789 to 127.0.0.1:1812 length 143
(3) User-Name = "client.pem"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x020300060d00
(3) State = 0x8db2a5328fb1a858fbbf5fa81909ec3c
(3) Message-Authenticator = 0x32b0f0985f480c56b06736c57595844b
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(3) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(3) auth_log: EXPAND %t
(3) auth_log: --> Tue Aug 21 19:09:39 2018
(3) [auth_log] = ok
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) files: users: Matched entry DEFAULT at line 1
(3) [files] = ok
(3) [expiration] = noop
(3) [logintime] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x8db2a5328fb1a858
(3) eap: Finished EAP session with state 0x8db2a5328fb1a858
(3) eap: Previous EAP request found for state 0x8db2a5328fb1a858, released from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: Continuing EAP-TLS
(3) eap_tls: Peer ACKed our handshake fragment
(3) eap_tls: [eaptls verify] = request
(3) eap_tls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 760
(3) eap: EAP session adding &reply:State = 0x8db2a5328eb6a858
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:36789 length 0
(3) EAP-Message = 0x010402f80d8000000adaa158fd0cacf5726c80718dfbaa6c75fa64462d6736903610eb5f1638a7ba7c925b858636296265568e5076bed345f273aaa1d83a2e064f5e6d266da1b233d94533b8803e497f4f37900c0cb829a3f04bc6d4b610dee50a8a47dad71eec9a5ba6538c81bf9bb7fae723a0a61b23
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x8db2a5328eb6a858fbbf5fa81909ec3c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 127.0.0.1:36789 to 127.0.0.1:1812 length 1555
(4) User-Name = "client.pem"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x020405800dc000000a1316030308830b00087f00087c0003be308203ba308202a2a003020102020102300d06092a864886f70d01010b0500308183310b3009060355040613025553310b300906035504080c0257413113301106035504070c0a42656c6c696e6768616d31123010060355040a0c094661
(4) State = 0x8db2a5328eb6a858fbbf5fa81909ec3c
(4) Message-Authenticator = 0x9073f436730652ec433ae776fd3f8183
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(4) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(4) auth_log: EXPAND %t
(4) auth_log: --> Tue Aug 21 19:09:39 2018
(4) [auth_log] = ok
(4) eap: Peer sent EAP Response (code 2) ID 4 length 1408
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) files: users: Matched entry DEFAULT at line 1
(4) [files] = ok
(4) [expiration] = noop
(4) [logintime] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x8db2a5328eb6a858
(4) eap: Finished EAP session with state 0x8db2a5328eb6a858
(4) eap: Previous EAP request found for state 0x8db2a5328eb6a858, released from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: Peer indicated complete TLS record size will be 2579 bytes
(4) eap_tls: Expecting 2 TLS record fragments
(4) eap_tls: Got first TLS record fragment (1398 bytes). Peer indicated more fragments to follow
(4) eap_tls: [eaptls verify] = first fragment
(4) eap_tls: ACKing Peer's TLS record fragment
(4) eap_tls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 6
(4) eap: EAP session adding &reply:State = 0x8db2a53289b7a858
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:36789 length 0
(4) EAP-Message = 0x010500060d00
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x8db2a53289b7a858fbbf5fa81909ec3c
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 127.0.0.1:36789 to 127.0.0.1:1812 length 1332
(5) User-Name = "client.pem"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message = 0x020504a30d009fd708c7fc4135e2c21b17e472a506e56bec63fd54772c0a3de87ec11d4dac88eeaf28e4c60bb8d1437218453166810fe18d87ca8ea690e9b386b211e159030d338d9af4acfc6b71505764594c6c1b85eced7cf21301ca8c1eca8f2752f3c06098f8efcab9203bb480391976249f12e805
(5) State = 0x8db2a53289b7a858fbbf5fa81909ec3c
(5) Message-Authenticator = 0x2b66063c58bd994f19a3dcc4fae8afdc
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(5) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(5) auth_log: EXPAND %t
(5) auth_log: --> Tue Aug 21 19:09:39 2018
(5) [auth_log] = ok
(5) eap: Peer sent EAP Response (code 2) ID 5 length 1187
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) files: users: Matched entry DEFAULT at line 1
(5) [files] = ok
(5) [expiration] = noop
(5) [logintime] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x8db2a53289b7a858
(5) eap: Finished EAP session with state 0x8db2a53289b7a858
(5) eap: Previous EAP request found for state 0x8db2a53289b7a858, released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Got final TLS record fragment (1181 bytes)
(5) eap_tls: [eaptls verify] = ok
(5) eap_tls: Done initial handshake
(5) eap_tls: <<< recv TLS 1.2 [length 0883]
(5) eap_tls: Creating attributes from certificate OIDs
(5) eap_tls: TLS-Cert-Serial := "c600a5ee176d055c"
(5) eap_tls: TLS-Cert-Expiration := "181019201014Z"
(5) eap_tls: TLS-Cert-Subject := "/C=US/ST=WA/L=Town/O=company/emailAddress=admintest(a)email.com/CN=Radius Server"
(5) eap_tls: TLS-Cert-Issuer := "/C=US/ST=WA/L=Town/O=company/emailAddress=admintest(a)email.com/CN=Radius Server"
(5) eap_tls: TLS-Cert-Common-Name := "Radius Server"
(5) eap_tls: Creating attributes from certificate OIDs
(5) eap_tls: TLS-Client-Cert-Serial := "02"
(5) eap_tls: TLS-Client-Cert-Expiration := "181019201107Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/C=US/ST=WA/O=company/CN=kevin.test/emailAddress=kevin.test(a)email.com"
(5) eap_tls: TLS-Client-Cert-Issuer := "/C=US/ST=WA/L=Town/O=company/emailAddress=admintest(a)email.com/CN=Radius Server"
(5) eap_tls: TLS-Client-Cert-Common-Name := "kevin.test"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CApath /usr/local/etc/raddb/certs %{TLS-Client-Cert-Filename}
(5) eap_tls: Executing: /usr/bin/openssl verify -CApath /usr/local/etc/raddb/certs %{TLS-Client-Cert-Filename}:
(5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(5) eap_tls: --> /tmp/radiusd/radiusd.client.XX6sVjt9
(5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.XX6sVjt9: OK'
(5) eap_tls: Client certificate CN kevin.test passed external validation
(5) eap_tls: TLS_accept: unknown state
(5) eap_tls: <<< recv TLS 1.2 [length 0046]
(5) eap_tls: TLS_accept: unknown state
(5) eap_tls: <<< recv TLS 1.2 [length 0108]
(5) eap_tls: TLS_accept: unknown state
(5) eap_tls: <<< recv TLS 1.2 [length 0001]
(5) eap_tls: <<< recv TLS 1.2 [length 0010]
(5) eap_tls: TLS_accept: unknown state
(5) eap_tls: >>> send TLS 1.2 [length 0001]
(5) eap_tls: TLS_accept: unknown state
(5) eap_tls: >>> send TLS 1.2 [length 0010]
(5) eap_tls: TLS_accept: unknown state
(5) eap_tls: TLS_accept: unknown state
(5) eap_tls: (other): SSL negotiation finished successfully
(5) eap_tls: SSL Connection Established
(5) eap_tls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 61
(5) eap: EAP session adding &reply:State = 0x8db2a53288b4a858
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:36789 length 0
(5) EAP-Message = 0x0106003d0d80000000331403030001011603030028381c7e1783d65af09f05df42d3f1b2fed20f91d132889dc662acf7908c7b8dd2a1a9530889f2030a
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x8db2a53288b4a858fbbf5fa81909ec3c
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 6 from 127.0.0.1:36789 to 127.0.0.1:1812 length 143
(6) User-Name = "client.pem"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message = 0x020600060d00
(6) State = 0x8db2a53288b4a858fbbf5fa81909ec3c
(6) Message-Authenticator = 0x3ffc0b16b3614022609b9f298eafda17
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(6) auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20180821
(6) auth_log: EXPAND %t
(6) auth_log: --> Tue Aug 21 19:09:39 2018
(6) [auth_log] = ok
(6) eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) files: users: Matched entry DEFAULT at line 1
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x8db2a53288b4a858
(6) eap: Finished EAP session with state 0x8db2a53288b4a858
(6) eap: Previous EAP request found for state 0x8db2a53288b4a858, released from the list
(6) eap: Peer sent packet with method EAP TLS (13)
(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Peer ACKed our handshake fragment. handshake is finished
(6) eap_tls: [eaptls verify] = success
(6) eap_tls: [eaptls process] = success
(6) eap: Sending EAP Success (code 3) ID 6 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) } # authenticate = ok
(6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(6) post-auth {
(6) update {
(6) No attributes updated
(6) } # update = noop
(6) ldap: EXPAND .
(6) ldap: --> .
(6) ldap: EXPAND Authenticated at %S
(6) ldap: --> Authenticated at 2018-08-21 19:09:39
rlm_ldap (ldap): Reserved connection (0)
(6) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(6) ldap: --> (samaccountname=client.pem)
(6) ldap: Performing search in "dc=Domain,dc=net" with filter "(samaccountname=client.pem)", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: ERROR: Failed performing search: Operations error with LDAP database. Please see the LDAP server configuration / documentation for more information.
(6) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580.
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://Domain.net:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(6) [ldap] = fail
(6) } # post-auth = fail
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> client.pem
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) [eap] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 6 from 127.0.0.1:1812 to 127.0.0.1:36789 length 44
(6) EAP-Message = 0x03060004
(6) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +4
(1) Cleaning up request packet ID 1 with timestamp +4
(2) Cleaning up request packet ID 2 with timestamp +4
(3) Cleaning up request packet ID 3 with timestamp +4
(4) Cleaning up request packet ID 4 with timestamp +4
(5) Cleaning up request packet ID 5 with timestamp +4
(6) Cleaning up request packet ID 6 with timestamp +4
Ready to process requests
From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com(a)lists.freeradius.org> on behalf of freeradius-users-request(a)lists.freeradius.org <freeradius-users-request(a)lists.freeradius.org>
Sent: Tuesday, August 21, 2018 3:00 AM
To: freeradius-users(a)lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 160, Issue 41
Send Freeradius-Users mailing list submissions to
freeradius-users(a)lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request(a)lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner(a)lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Re: Apache with mod_auth_radius starts X requests
(Fajar A. Nugraha)
----------------------------------------------------------------------
Message: 1
Date: Tue, 21 Aug 2018 16:25:50 +0700
From: "Fajar A. Nugraha" <list(a)fajar.net>
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Subject: Re: Re: Apache with mod_auth_radius starts X requests
Message-ID:
<CAG1y0sda1T+K+gGYotwihfd+Ly2RLkPrZd_fCt2Ciiz31q-jQQ(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
On Tue, Aug 21, 2018 at 4:22 PM, Carsten Schulze <
carsten.schulze(a)leuphana.de> wrote:
> Hi,
>
> to finalize.
>
> I installed a PHP Directory Listner to that folder, with that, only one
> request was generated.
>
> If its not possible, you can reduce the index.* (checks) in apache, which
> will reduce the total amount of Radius-Reuqests.
>
> /etc/apache2/mods-enabled/dir.conf
> <IfModule mod_dir.c>
> #DirectoryIndex index.html index.cgi index.pl index.php
> index.xhtml index.htm
> DirectoryIndex index.php
> </IfModule>
>
>
Isn't that basically what
https://github.com/FreeRADIUS/mod_auth_radius#4-some-warnings says?
--
Fajar
------------------------------
Subject: Digest Footer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 160, Issue 41
*************************************************
3
2
Sorry should have mentioned that I changed usernames to standard information. In the output it is client.pem but when I use it is valid AD username.
From: Freeradius-Users <freeradius-users-bounces+kevin.virk=faithlife.com(a)lists.freeradius.org> on behalf of freeradius-users-request(a)lists.freeradius.org <freeradius-users-request(a)lists.freeradius.org>
Sent: Tuesday, August 21, 2018 3:01 PM
To: freeradius-users(a)lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 160, Issue 43
Send Freeradius-Users mailing list submissions to
freeradius-users(a)lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request(a)lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner(a)lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Rlm_Perl not loading in debug mode (Saurabh Lahoti)
2. Re: New to FreeRadius and can't manage to get it to work for
me (Alan Buxey)
3. Re: Apache with mod_auth_radius starts X requests (Alan Buxey)
4. Re: Freeradius 3.0.17 EAP-TLS Authentication with LDAP
Authorization (Алексей Морозенко)
----------------------------------------------------------------------
Message: 1
Date: Tue, 21 Aug 2018 22:33:53 +0200
From: Saurabh Lahoti <saurabh.astronomy(a)gmail.com>
To: freeradius-users(a)lists.freeradius.org
Subject: Re: Rlm_Perl not loading in debug mode
Message-ID:
<CAB5-MqotQYNNN+jPwKOUSH+Mq+nqajm60KquJ51FKxEdzT7jAw(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Dear,
Tried specifying libraries directory during compiling freeradius. Still
error persists...
config dir: /usr/app/radius-new/etc/raddb/
perl lib: /usr/bin/perl/
Where are we missing in configuration..?
----
*Thanks & Kind Regards,*
Saurabh LAHOTI.
*Ideas enlighten Innovation**!!!*
Please consider the environment before printing this mail..!!
------------------------------
Message: 2
Date: Tue, 21 Aug 2018 22:05:14 +0100
From: Alan Buxey <alan.buxey(a)gmail.com>
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Subject: Re: New to FreeRadius and can't manage to get it to work for
me
Message-ID:
<CAOVYXj-S+2O_baCBaHQebES5DdiV6GZOOWmc3Ecf8FRoVkoCpg(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Start by running an up to date version of freeradius
alan
On Mon, 20 Aug 2018, 13:47 Moshe Sakajo, <moshe_s(a)packetlight.com> wrote:
>
> Hi,
>
> I am a QA Engineer and my purpose is to test that my boxes RADIUS support
> feature is functioning right
>
> and that it is OK with the most popular RADIUS servers.
>
>
>
> One of our customers complaint about the fact that he is not able to make
> our boxes authenticated against FreeRadius.
>
>
>
> I have no experience with FreeRadius and I immediately revealed that is
> not a Plug-and-Play RADIUS Server as TekRADIUS (Windows).
>
>
>
> With TekRADIUS I manage to authenticate a user that performs a login into
> our boxes. Actually it is almost Plug-and-Play.
>
> I simply defined a Default (name of the client/group) with a secret and a
> vendor that is general (ietf)
>
> then I defined 3 users (one for each of my privileges). Each user has two
> attributes:
>
> 1. User_Password with a type of Check the Value is the password
> string
>
> 2. Class with a type of Success-Reply which controls the priveleges
> of the users. The Value is an integer (4/2/1)
>
>
>
>
>
> I have set FreeRadius like this:
>
> 1. I added the clients.conf file the following client
>
> client <http://10.0.1.0/8> 10.0.1.0/8<http://10.0.1.0/8> {
>
> secret = test
>
> nastype = other
>
> }
>
> 2. I added a user into the users file
>
> moshe Cleartext-Password := "moshe"
>
> Service-Type = "6"
>
>
>
> 3. The radius.conf was set with the following log {} settings
>
> auth = yes
>
> auth-goodpass = yes
>
>
>
> with all of that said I can also tell the radius.log show that the Login
> attempts are OK but I still
>
> get Access denied from my device, like something is still missing.
>
>
>
> Can you please tell me what might be missing ? Thanks for the support
>
>
>
> Here is the debug info
>
>
>
> root@radius1:/etc/freeradius# freeradius -X
>
> freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built
> on Jul 26 2017 at 15:27:21
>
> Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
>
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>
> PARTICULAR PURPOSE.
>
> You may redistribute copies of FreeRADIUS under the terms of the
>
> GNU General Public License.
>
> For more information about these matters, see the file named COPYRIGHT.
>
> Starting - reading configuration files ...
>
> including configuration file /etc/freeradius/radiusd.conf
>
> including configuration file /etc/freeradius/proxy.conf
>
> including configuration file /etc/freeradius/clients.conf
>
> including files in directory /etc/freeradius/modules/
>
> including configuration file /etc/freeradius/modules/etc_group
>
> including configuration file /etc/freeradius/modules/exec
>
> including configuration file /etc/freeradius/modules/mac2vlan
>
> including configuration file /etc/freeradius/modules/pam
>
> including configuration file /etc/freeradius/modules/wimax
>
> including configuration file /etc/freeradius/modules/unix
>
> including configuration file /etc/freeradius/modules/policy
>
> including configuration file /etc/freeradius/modules/sradutmp
>
> including configuration file /etc/freeradius/modules/checkval
>
> including configuration file /etc/freeradius/modules/krb5
>
> including configuration file /etc/freeradius/modules/perl
>
> including configuration file /etc/freeradius/modules/attr_filter
>
> including configuration file /etc/freeradius/modules/dynamic_clients
>
> including configuration file /etc/freeradius/modules/files
>
> including configuration file /etc/freeradius/modules/preprocess
>
> including configuration file /etc/freeradius/modules/dhcp_sqlippool
>
> including configuration file /etc/freeradius/modules/passwd
>
> including configuration file /etc/freeradius/modules/soh
>
> including configuration file /etc/freeradius/modules/<
> http://detail.example.com>detail.example.com<http://detail.example.com>
>
> including configuration file /etc/freeradius/modules/linelog
>
> including configuration file /etc/freeradius/modules/counter
>
> including configuration file /etc/freeradius/modules/ippool
>
> including configuration file /etc/freeradius/modules/ldap
>
> including configuration file /etc/freeradius/modules/mac2ip
>
> including configuration file /etc/freeradius/modules/sql_log
>
> including configuration file /etc/freeradius/modules/radrelay
>
> including configuration file /etc/freeradius/modules/ntlm_auth
>
> including configuration file /etc/freeradius/modules/expiration
>
> including configuration file /etc/freeradius/modules/cui
>
> including configuration file /etc/freeradius/modules/opendirectory
>
> including configuration file /etc/freeradius/modules/echo
>
> including configuration file /etc/freeradius/modules/expr
>
> including configuration file /etc/freeradius/modules/always
>
> including configuration file /etc/freeradius/modules/cache
>
> including configuration file /etc/freeradius/modules/rediswho
>
> including configuration file /etc/freeradius/modules/digest
>
> including configuration file /etc/freeradius/modules/replicate
>
> including configuration file /etc/freeradius/modules/radutmp
>
> including configuration file /etc/freeradius/modules/detail.log
>
> including configuration file /etc/freeradius/modules/acct_unique
>
> including configuration file /etc/freeradius/modules/chap
>
> including configuration file /etc/freeradius/modules/redis
>
> including configuration file /etc/freeradius/modules/detail
>
> including configuration file /etc/freeradius/modules/realm
>
> including configuration file /etc/freeradius/modules/smsotp
>
> including configuration file /etc/freeradius/modules/inner-eap
>
> including configuration file /etc/freeradius/modules/mschap
>
> including configuration file /etc/freeradius/modules/otp
>
> including configuration file /etc/freeradius/modules/attr_rewrite
>
> including configuration file /etc/freeradius/modules/logintime
>
> including configuration file /etc/freeradius/modules/smbpasswd
>
> including configuration file /etc/freeradius/modules/pap
>
> including configuration file
> /etc/freeradius/modules/sqlcounter_expire_on_login
>
> including configuration file /etc/freeradius/eap.conf
>
> including configuration file /etc/freeradius/policy.conf
>
> including files in directory /etc/freeradius/sites-enabled/
>
> including configuration file /etc/freeradius/sites-enabled/default
>
> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
>
> main {
>
> user = "freerad"
>
> group = "freerad"
>
> allow_core_dumps = no
>
> }
>
> including dictionary file /etc/freeradius/dictionary
>
> main {
>
> name = "freeradius"
>
> prefix = "/usr"
>
> localstatedir = "/var"
>
> sbindir = "/usr/sbin"
>
> logdir = "/var/log/freeradius"
>
> run_dir = "/var/run/freeradius"
>
> libdir = "/usr/lib/freeradius"
>
> radacctdir = "/var/log/freeradius/radacct"
>
> hostname_lookups = no
>
> max_request_time = 30
>
> cleanup_delay = 5
>
> max_requests = 1024
>
> pidfile = "/var/run/freeradius/freeradius.pid"
>
> checkrad = "/usr/sbin/checkrad"
>
> debug_level = 0
>
> proxy_requests = yes
>
> log {
>
> stripped_names = no
>
> auth = yes
>
> auth_badpass = no
>
> auth_goodpass = yes
>
> }
>
> security {
>
> max_attributes = 200
>
> reject_delay = 1
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
------------------------------
Message: 3
Date: Tue, 21 Aug 2018 22:06:30 +0100
From: Alan Buxey <alan.buxey(a)gmail.com>
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Subject: Re: Apache with mod_auth_radius starts X requests
Message-ID:
<CAOVYXj-t-+Os3Qofk8_J5+FpcPo5JzFwsA+HAHpyJAf8xbZMPg(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
What output do you get when trying to run it in debug mode?
Alan
On Thu, 16 Aug 2018, 06:38 Carsten Schulze, <carsten.schulze(a)leuphana.de>
wrote:
> Hi,
>
> I'm using Debian9 with Apache + radius_mod_auth to authenticate some
> user while accessing a directory on that server.
>
> But that didn't work.
>
> I can see Radius Access-Request and Access-Accepts via tcpdump, the
> probleme is, that the request never ends. I interrupted the request with
> an Apache restart after 3Minutes and 1500 Radius-Request (still running).
>
> 07:10:14.010157 IP Radius-IP.1812 > 10.19.56.57.1026: RADIUS, Access-Accept
> ....
> 07:13:27.547061 IP 10.19.56.57.1026 > Radius-IP.1812: RADIUS,
> Access-Request (1), id: 0xc2 length: 80
> 07:13:27.674561 IP Radius-IP.1812 > 10.19.56.57.1026: RADIUS,
> Access-Accept (2), id: 0xc2 length: 20
> 3000 packets captured
>
> Any Idea about that?
>
> I used that guid for configuration:
> https://github.com/FreeRADIUS/mod_auth_radius
>
> P.S: I can't turn on the debug option, the server wouldn't start.
>
> Regards
> Carsten
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
------------------------------
Message: 4
Date: Wed, 22 Aug 2018 01:01:27 +0300
From: Алексей Морозенко <alexmorozenko(a)gmail.com>
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Subject: Re: Freeradius 3.0.17 EAP-TLS Authentication with LDAP
Authorization
Message-ID:
<CAPTApSof1aoDW4=GraX=_+a+LHmCbUr8a-RLTb-GDfNwPBFWZw(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Are you sure client.pem is right username to ldap search?
—
вт, 21 авг. 2018 г. в 22:30, Kevin Virk <Kevin.Virk(a)faithlife.com>:
> Hello all I have followed previous advice given to me and upgraded my
> install to FreeRADIUS 3.0.17 . I am trying to achieve a setup where
> computers are let onto company internet via eap-tls and then are separated
> into VLANS with ldap after this. Currently I believe I have eap-tls working
> as my eapol test has been successful. However after adding in the ldap
> module I am getting a bind error which I know is an LDAP error and not a
> freeradius one. I was hoping someone here could take a look at my debug
> info and see if I have overlooked anything. Thank you in advance for the
> help. I also refrenced this previous thread to help out with some of the
> configs
> http://freeradius.1045715.n5.nabble.com/Freeradius-3-x-with-LDAP-authentica…
> .
>
> FreeRADIUS Version 3.0.17
> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/local/share/freeradius/dictionary
> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
> including dictionary file /usr/local/share/freeradius/dictionary.vqp
> including dictionary file /usr/local/etc/raddb/dictionary
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including files in directory /usr/local/etc/raddb/mods-enabled/
> including configuration file /usr/local/etc/raddb/mods-enabled/detail
> including configuration file /usr/local/etc/raddb/mods-enabled/files
> including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
> including configuration file /usr/local/etc/raddb/mods-enabled/realm
> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
> including configuration file
> /usr/local/etc/raddb/mods-enabled/dynamic_clients
> including configuration file /usr/local/etc/raddb/mods-enabled/digest
> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
> including configuration file /usr/local/etc/raddb/mods-enabled/echo
> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
> including configuration file /usr/local/etc/raddb/mods-enabled/eap
> including configuration file /usr/local/etc/raddb/mods-enabled/pap
> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
> including configuration file /usr/local/etc/raddb/mods-enabled/exec
> including configuration file /usr/local/etc/raddb/mods-enabled/unix
> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
> including configuration file /usr/local/etc/raddb/mods-enabled/chap
> including configuration file /usr/local/etc/raddb/mods-enabled/soh
> including configuration file /usr/local/etc/raddb/mods-enabled/date
> including configuration file /usr/local/etc/raddb/mods-enabled/always
> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
> including configuration file /usr/local/etc/raddb/mods-enabled/expr
> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
> including configuration file /usr/local/etc/raddb/mods-enabled/ldap
> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
> including files in directory /usr/local/etc/raddb/policy.d/
> including configuration file /usr/local/etc/raddb/policy.d/cui
> including configuration file /usr/local/etc/raddb/policy.d/accounting
> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
> including configuration file /usr/local/etc/raddb/policy.d/control
> including configuration file /usr/local/etc/raddb/policy.d/dhcp
> including configuration file /usr/local/etc/raddb/policy.d/eap
> including configuration file /usr/local/etc/raddb/policy.d/operator-name
> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
> including configuration file /usr/local/etc/raddb/policy.d/debug
> including configuration file /usr/local/etc/raddb/policy.d/filter
> including configuration file
> /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
> including files in directory /usr/local/etc/raddb/sites-enabled/
> including configuration file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> main {
> security {
> allow_core_dumps = no
> }
> name = "radiusd"
> prefix = "/usr/local"
> localstatedir = "/usr/local/var"
> logdir = "/usr/local/var/log/radius"
> run_dir = "/usr/local/var/run/radiusd"
> }
> main {
> name = "radiusd"
> prefix = "/usr/local"
> localstatedir = "/usr/local/var"
> sbindir = "/usr/local/sbin"
> logdir = "/usr/local/var/log/radius"
> run_dir = "/usr/local/var/run/radiusd"
> libdir = "/usr/local/lib"
> radacctdir = "/usr/local/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/local/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.000000
> status_server = yes
> allow_vulnerable_openssl = "yes"
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client kevintest {
> ipaddr = 172.17.17.227
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Debugger not attached
> # Creating Auth-Type = ntlm_auth
> # Creating Auth-Type = mschap
> # Creating Auth-Type = eap
> # Creating Auth-Type = PAP
> # Creating Auth-Type = CHAP
> # Creating Auth-Type = MS-CHAP
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_detail
> # Loading module "detail" from file
> /usr/local/etc/raddb/mods-enabled/detail
> detail {
> filename =
> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_files
> # Loading module "files" from file
> /usr/local/etc/raddb/mods-enabled/files
> files {
> filename = "/usr/local/etc/raddb/mods-config/files/authorize"
> acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
> preproxy_usersfile =
> "/usr/local/etc/raddb/mods-config/files/pre-proxy"
> }
> # Loaded module rlm_cache
> # Loading module "cache_eap" from file
> /usr/local/etc/raddb/mods-enabled/cache_eap
> cache cache_eap {
> driver = "rlm_cache_rbtree"
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 0
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_mschap
> # Loading module "mschap" from file
> /usr/local/etc/raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> winbind_retry_with_normalised_username = no
> }
> # Loaded module rlm_realm
> # Loading module "IPASS" from file
> /usr/local/etc/raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "suffix" from file
> /usr/local/etc/raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "realmpercent" from file
> /usr/local/etc/raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "ntdomain" from file
> /usr/local/etc/raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_utf8
> # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename =
> "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename =
> "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename =
> "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename =
> "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_dynamic_clients
> # Loading module "dynamic_clients" from file
> /usr/local/etc/raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_digest
> # Loading module "digest" from file
> /usr/local/etc/raddb/mods-enabled/digest
> # Loaded module rlm_exec
> # Loading module "ntlm_auth" from file
> /usr/local/etc/raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN.net
> --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_radutmp
> # Loading module "radutmp" from file
> /usr/local/etc/raddb/mods-enabled/radutmp
> radutmp {
> filename = "/usr/local/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loaded module rlm_linelog
> # Loading module "linelog" from file
> /usr/local/etc/raddb/mods-enabled/linelog
> linelog {
> filename = "/usr/local/var/log/radius/linelog"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{reply:Packet-Type}:-default}"
> }
> # Loading module "log_accounting" from file
> /usr/local/etc/raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/usr/local/var/log/radius/linelog-accounting"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_eap
> # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "tls"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 16384
> }
> # Loaded module rlm_pap
> # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_unpack
> # Loading module "unpack" from file
> /usr/local/etc/raddb/mods-enabled/unpack
> # Loading module "auth_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> detail auth_log {
> filename =
> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "reply_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> detail reply_log {
> filename =
> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "pre_proxy_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> detail pre_proxy_log {
> filename =
> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "post_proxy_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename =
> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_unix
> # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
> unix {
> radwtmp = "/usr/local/var/log/radius/radwtmp"
> }
> Creating attribute Unix-Group
> # Loaded module rlm_logintime
> # Loading module "logintime" from file
> /usr/local/etc/raddb/mods-enabled/logintime
> logintime {
> minimum_timeout = 60
> }
> # Loading module "sradutmp" from file
> /usr/local/etc/raddb/mods-enabled/sradutmp
> radutmp sradutmp {
> filename = "/usr/local/var/log/radius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_chap
> # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
> # Loaded module rlm_soh
> # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loaded module rlm_date
> # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
> date {
> format = "%b %e %Y %H:%M:%S %Z"
> utc = no
> }
> # Loaded module rlm_always
> # Loading module "reject" from file
> /usr/local/etc/raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file
> /usr/local/etc/raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file
> /usr/local/etc/raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file
> /usr/local/etc/raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file
> /usr/local/etc/raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file
> /usr/local/etc/raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file
> /usr/local/etc/raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file
> /usr/local/etc/raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file
> /usr/local/etc/raddb/mods-enabled/preprocess
> preprocess {
> huntgroups =
> "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
> hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_expr
> # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
> expr {
> safe_characters =
> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
> /aeouaa?ceeeeiio?uuuayAEOU?AA?CEEEEIIO?UUUY"
> }
> # Loaded module rlm_replicate
> # Loading module "replicate" from file
> /usr/local/etc/raddb/mods-enabled/replicate
> # Loaded module rlm_ldap
> # Loading module "ldap" from file /usr/local/etc/raddb/mods-enabled/ldap
> ldap {
> server = "Domain.net"
> identity =
> "cn=ldap.query,ou=service.accounts,ou=Users,ou=operations,ou=departments,dc=Domain,dc=net"
> password = <<< secret >>>
> sasl {
> }
> user {
> scope = "sub"
> access_positive = yes
> sasl {
> }
> }
> group {
> filter = "(objectClass=posixGroup)"
> scope = "sub"
> name_attribute = "cn"
> membership_attribute = "memberOf"
> cacheable_name = no
> cacheable_dn = no
> }
> client {
> filter = "(objectClass=radiusClient)"
> scope = "sub"
> base_dn = "dc=Domain,dc=net"
> }
> profile {
> }
> options {
> ldap_debug = 40
> chase_referrals = yes
> rebind = yes
> net_timeout = 1
> res_timeout = 10
> srv_timelimit = 3
> idle = 60
> probes = 3
> interval = 3
> }
> tls {
> start_tls = no
> }
> }
> Creating attribute LDAP-Group
> # Loaded module rlm_expiration
> # Loading module "expiration" from file
> /usr/local/etc/raddb/mods-enabled/expiration
> # Loaded module rlm_passwd
> # Loading module "etc_passwd" from file
> /usr/local/etc/raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> instantiate {
> }
> # Instantiating module "detail" from file
> /usr/local/etc/raddb/mods-enabled/detail
> # Instantiating module "files" from file
> /usr/local/etc/raddb/mods-enabled/files
> reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
> reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
> reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
> # Instantiating module "cache_eap" from file
> /usr/local/etc/raddb/mods-enabled/cache_eap
> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
> loaded and linked
> # Instantiating module "mschap" from file
> /usr/local/etc/raddb/mods-enabled/mschap
> rlm_mschap (mschap): using internal authentication
> # Instantiating module "IPASS" from file
> /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "suffix" from file
> /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "realmpercent" from file
> /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "ntdomain" from file
> /usr/local/etc/raddb/mods-enabled/realm
> # Instantiating module "attr_filter.post-proxy" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file
> /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file
> /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file
> /usr/local/etc/raddb/mods-config/attr_filter/access_reject
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec" found in filter list for realm
> "DEFAULT".
> # Instantiating module "attr_filter.access_challenge" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file
> /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /usr/local/etc/raddb/mods-enabled/attr_filter
> reading pairlist file
> /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
> # Instantiating module "linelog" from file
> /usr/local/etc/raddb/mods-enabled/linelog
> # Instantiating module "log_accounting" from file
> /usr/local/etc/raddb/mods-enabled/linelog
> # Instantiating module "eap" from file
> /usr/local/etc/raddb/mods-enabled/eap
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> verify_depth = 0
> ca_path = "/usr/local/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/usr/local/etc/raddb/certs/server.pem"
> certificate_file = "/usr/local/etc/raddb/certs/server.pem"
> ca_file = "/usr/local/etc/raddb/certs/ca.pem"
> private_key_password = <<< secret >>>
> dh_file = "/usr/local/etc/raddb/certs/dh"
> fragment_size = 1024
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> cipher_list = "HIGH"
> cipher_server_preference = no
> ecdh_curve = "prime256v1"
> tls_max_version = ""
> tls_min_version = "1.0"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> skip_if_ocsp_ok = no
> tmpdir = "/tmp/radiusd"
> client = "/usr/bin/openssl verify -CApath
> /usr/local/etc/raddb/certs %{TLS-Client-Cert-Filename}"
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> # Instantiating module "pap" from file
> /usr/local/etc/raddb/mods-enabled/pap
> # Instantiating module "auth_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> # Instantiating module "pre_proxy_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> # Instantiating module "post_proxy_log" from file
> /usr/local/etc/raddb/mods-enabled/detail.log
> # Instantiating module "logintime" from file
> /usr/local/etc/raddb/mods-enabled/logintime
> # Instantiating module "reject" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "fail" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "ok" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "handled" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "invalid" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "userlock" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "notfound" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "noop" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "updated" from file
> /usr/local/etc/raddb/mods-enabled/always
> # Instantiating module "preprocess" from file
> /usr/local/etc/raddb/mods-enabled/preprocess
> reading pairlist file
> /usr/local/etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
> # Instantiating module "ldap" from file
> /usr/local/etc/raddb/mods-enabled/ldap
> rlm_ldap: libldap vendor: OpenLDAP, version: 20442
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> }
> post-auth {
> reference = "."
> }
> rlm_ldap (ldap): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://Domain.net:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://Domain.net:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://Domain.net:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://Domain.net:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://Domain.net:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> # Instantiating module "expiration" from file
> /usr/local/etc/raddb/mods-enabled/expiration
> # Instantiating module "etc_passwd" from file
> /usr/local/etc/raddb/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /usr/local/etc/raddb/radiusd.conf
> } # server
> server inner-tunnel { # from file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> # Skipping contents of 'if' as it is always 'false' --
> /usr/local/etc/raddb/sites-enabled/inner-tunnel:332
> } # server inner-tunnel
> server default { # from file /usr/local/etc/raddb/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Listening on proxy address * port 36409
> Listening on proxy address :: port 64651
> Ready to process requests
> (0) Received Access-Request Id 0 from 127.0.0.1:36789 to 127.0.0.1:1812
> length 134
> (0) User-Name = "client.pem"
> (0) NAS-IP-Address = 127.0.0.1
> (0) Calling-Station-Id = "02-00-00-00-00-01"
> (0) Framed-MTU = 1400
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Connect-Info = "CONNECT 11Mbps 802.11b"
> (0) EAP-Message = 0x0200000f01636c69656e742e70656d
> (0) Message-Authenticator = 0xd00906a3d0648e3a771145edfd1b9f36
> (0) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) auth_log: EXPAND
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (0) auth_log: --> /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (0) auth_log:
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (0) auth_log: EXPAND %t
> (0) auth_log: --> Tue Aug 21 19:09:39 2018
> (0) [auth_log] = ok
> (0) eap: Peer sent EAP Response (code 2) ID 0 length 15
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_tls to process data
> (0) eap_tls: Initiating new EAP-TLS session
> (0) eap_tls: Setting verify mode to require certificate from client
> (0) eap_tls: [eaptls start] = request
> (0) eap: Sending EAP Request (code 1) ID 1 length 6
> (0) eap: EAP session adding &reply:State = 0x8db2a5328db3a858
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (0) Challenge { ... } # empty sub-section is ignored
> (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:36789
> length 0
> (0) EAP-Message = 0x010100060d20
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0x8db2a5328db3a858fbbf5fa81909ec3c
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 1 from 127.0.0.1:36789 to 127.0.0.1:1812
> length 446
> (1) User-Name = "client.pem"
> (1) NAS-IP-Address = 127.0.0.1
> (1) Calling-Station-Id = "02-00-00-00-00-01"
> (1) Framed-MTU = 1400
> (1) NAS-Port-Type = Wireless-802.11
> (1) Service-Type = Framed-User
> (1) Connect-Info = "CONNECT 11Mbps 802.11b"
> (1) EAP-Message =
> 0x020101330d0016030101280100012403039c4469b54ea5c4edd45618780c24fa5ca5f8897d2e475569a1553c51469fb9470000aac030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc0
> (1) State = 0x8db2a5328db3a858fbbf5fa81909ec3c
> (1) Message-Authenticator = 0xae86ca804883a58af655d7ad8ce39609
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) auth_log: EXPAND
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (1) auth_log: --> /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (1) auth_log:
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (1) auth_log: EXPAND %t
> (1) auth_log: --> Tue Aug 21 19:09:39 2018
> (1) [auth_log] = ok
> (1) eap: Peer sent EAP Response (code 2) ID 1 length 307
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) files: users: Matched entry DEFAULT at line 1
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0x8db2a5328db3a858
> (1) eap: Finished EAP session with state 0x8db2a5328db3a858
> (1) eap: Previous EAP request found for state 0x8db2a5328db3a858, released
> from the list
> (1) eap: Peer sent packet with method EAP TLS (13)
> (1) eap: Calling submodule eap_tls to process data
> (1) eap_tls: Continuing EAP-TLS
> (1) eap_tls: Got final TLS record fragment (301 bytes)
> (1) eap_tls: WARNING: Total received TLS record fragments (301 bytes),
> does not equal indicated TLS record length (0 bytes)
> (1) eap_tls: [eaptls verify] = ok
> (1) eap_tls: Done initial handshake
> (1) eap_tls: (other): before/accept initialization
> (1) eap_tls: TLS_accept: before/accept initialization
> (1) eap_tls: <<< recv TLS 1.2 [length 0128]
> (1) eap_tls: TLS_accept: unknown state
> (1) eap_tls: >>> send TLS 1.2 [length 003e]
> (1) eap_tls: TLS_accept: unknown state
> (1) eap_tls: >>> send TLS 1.2 [length 0885]
> (1) eap_tls: TLS_accept: unknown state
> (1) eap_tls: >>> send TLS 1.2 [length 014d]
> (1) eap_tls: TLS_accept: unknown state
> (1) eap_tls: >>> send TLS 1.2 [length 00b6]
> (1) eap_tls: TLS_accept: unknown state
> (1) eap_tls: TLS_accept: unknown state
> (1) eap_tls: TLS_accept: Need to read more data: unknown state
> (1) eap_tls: TLS_accept: Need to read more data: unknown state
> (1) eap_tls: In SSL Handshake Phase
> (1) eap_tls: In SSL Accept mode
> (1) eap_tls: [eaptls process] = handled
> (1) eap: Sending EAP Request (code 1) ID 2 length 1024
> (1) eap: EAP session adding &reply:State = 0x8db2a5328cb0a858
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (1) Challenge { ... } # empty sub-section is ignored
> (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:36789
> length 0
> (1) EAP-Message =
> 0x010204000dc000000ada160303003e0200003a03031b79870f786030224aafaf12faf3cb11780b455b25fcdd8f3be3c65bd5d54eb400c030000012ff01000100000b000403000102000f00010116030308850b00088100087e0003c0308203bc308202a4a003020102020101300d06092a864886f70d01
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0x8db2a5328cb0a858fbbf5fa81909ec3c
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 2 from 127.0.0.1:36789 to 127.0.0.1:1812
> length 143
> (2) User-Name = "client.pem"
> (2) NAS-IP-Address = 127.0.0.1
> (2) Calling-Station-Id = "02-00-00-00-00-01"
> (2) Framed-MTU = 1400
> (2) NAS-Port-Type = Wireless-802.11
> (2) Service-Type = Framed-User
> (2) Connect-Info = "CONNECT 11Mbps 802.11b"
> (2) EAP-Message = 0x020200060d00
> (2) State = 0x8db2a5328cb0a858fbbf5fa81909ec3c
> (2) Message-Authenticator = 0x09374abbc754eba45442ae669e219bc7
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) auth_log: EXPAND
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (2) auth_log: --> /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (2) auth_log:
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (2) auth_log: EXPAND %t
> (2) auth_log: --> Tue Aug 21 19:09:39 2018
> (2) [auth_log] = ok
> (2) eap: Peer sent EAP Response (code 2) ID 2 length 6
> (2) eap: No EAP Start, assuming it's an on-going EAP conversation
> (2) [eap] = updated
> (2) files: users: Matched entry DEFAULT at line 1
> (2) [files] = ok
> (2) [expiration] = noop
> (2) [logintime] = noop
> (2) } # authorize = updated
> (2) Found Auth-Type = eap
> (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0x8db2a5328cb0a858
> (2) eap: Finished EAP session with state 0x8db2a5328cb0a858
> (2) eap: Previous EAP request found for state 0x8db2a5328cb0a858, released
> from the list
> (2) eap: Peer sent packet with method EAP TLS (13)
> (2) eap: Calling submodule eap_tls to process data
> (2) eap_tls: Continuing EAP-TLS
> (2) eap_tls: Peer ACKed our handshake fragment
> (2) eap_tls: [eaptls verify] = request
> (2) eap_tls: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 3 length 1024
> (2) eap: EAP session adding &reply:State = 0x8db2a5328fb1a858
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (2) Challenge { ... } # empty sub-section is ignored
> (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:36789
> length 0
> (2) EAP-Message =
> 0x010304000dc000000ada3fc6f74e554b65096cf1c9576d66e5a1b19b053f667702d6acbfd8730004b8308204b43082039ca003020102020900c600a5ee176d055c300d06092a864886f70d01010b0500308183310b3009060355040613025553310b300906035504080c0257413113301106035504070c
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x8db2a5328fb1a858fbbf5fa81909ec3c
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 3 from 127.0.0.1:36789 to 127.0.0.1:1812
> length 143
> (3) User-Name = "client.pem"
> (3) NAS-IP-Address = 127.0.0.1
> (3) Calling-Station-Id = "02-00-00-00-00-01"
> (3) Framed-MTU = 1400
> (3) NAS-Port-Type = Wireless-802.11
> (3) Service-Type = Framed-User
> (3) Connect-Info = "CONNECT 11Mbps 802.11b"
> (3) EAP-Message = 0x020300060d00
> (3) State = 0x8db2a5328fb1a858fbbf5fa81909ec3c
> (3) Message-Authenticator = 0x32b0f0985f480c56b06736c57595844b
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) auth_log: EXPAND
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (3) auth_log: --> /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (3) auth_log:
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (3) auth_log: EXPAND %t
> (3) auth_log: --> Tue Aug 21 19:09:39 2018
> (3) [auth_log] = ok
> (3) eap: Peer sent EAP Response (code 2) ID 3 length 6
> (3) eap: No EAP Start, assuming it's an on-going EAP conversation
> (3) [eap] = updated
> (3) files: users: Matched entry DEFAULT at line 1
> (3) [files] = ok
> (3) [expiration] = noop
> (3) [logintime] = noop
> (3) } # authorize = updated
> (3) Found Auth-Type = eap
> (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x8db2a5328fb1a858
> (3) eap: Finished EAP session with state 0x8db2a5328fb1a858
> (3) eap: Previous EAP request found for state 0x8db2a5328fb1a858, released
> from the list
> (3) eap: Peer sent packet with method EAP TLS (13)
> (3) eap: Calling submodule eap_tls to process data
> (3) eap_tls: Continuing EAP-TLS
> (3) eap_tls: Peer ACKed our handshake fragment
> (3) eap_tls: [eaptls verify] = request
> (3) eap_tls: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 4 length 760
> (3) eap: EAP session adding &reply:State = 0x8db2a5328eb6a858
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (3) Challenge { ... } # empty sub-section is ignored
> (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:36789
> length 0
> (3) EAP-Message =
> 0x010402f80d8000000adaa158fd0cacf5726c80718dfbaa6c75fa64462d6736903610eb5f1638a7ba7c925b858636296265568e5076bed345f273aaa1d83a2e064f5e6d266da1b233d94533b8803e497f4f37900c0cb829a3f04bc6d4b610dee50a8a47dad71eec9a5ba6538c81bf9bb7fae723a0a61b23
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0x8db2a5328eb6a858fbbf5fa81909ec3c
> (3) Finished request
> Waking up in 4.9 seconds.
> (4) Received Access-Request Id 4 from 127.0.0.1:36789 to 127.0.0.1:1812
> length 1555
> (4) User-Name = "client.pem"
> (4) NAS-IP-Address = 127.0.0.1
> (4) Calling-Station-Id = "02-00-00-00-00-01"
> (4) Framed-MTU = 1400
> (4) NAS-Port-Type = Wireless-802.11
> (4) Service-Type = Framed-User
> (4) Connect-Info = "CONNECT 11Mbps 802.11b"
> (4) EAP-Message =
> 0x020405800dc000000a1316030308830b00087f00087c0003be308203ba308202a2a003020102020102300d06092a864886f70d01010b0500308183310b3009060355040613025553310b300906035504080c0257413113301106035504070c0a42656c6c696e6768616d31123010060355040a0c094661
> (4) State = 0x8db2a5328eb6a858fbbf5fa81909ec3c
> (4) Message-Authenticator = 0x9073f436730652ec433ae776fd3f8183
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) auth_log: EXPAND
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (4) auth_log: --> /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (4) auth_log:
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (4) auth_log: EXPAND %t
> (4) auth_log: --> Tue Aug 21 19:09:39 2018
> (4) [auth_log] = ok
> (4) eap: Peer sent EAP Response (code 2) ID 4 length 1408
> (4) eap: No EAP Start, assuming it's an on-going EAP conversation
> (4) [eap] = updated
> (4) files: users: Matched entry DEFAULT at line 1
> (4) [files] = ok
> (4) [expiration] = noop
> (4) [logintime] = noop
> (4) } # authorize = updated
> (4) Found Auth-Type = eap
> (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0x8db2a5328eb6a858
> (4) eap: Finished EAP session with state 0x8db2a5328eb6a858
> (4) eap: Previous EAP request found for state 0x8db2a5328eb6a858, released
> from the list
> (4) eap: Peer sent packet with method EAP TLS (13)
> (4) eap: Calling submodule eap_tls to process data
> (4) eap_tls: Continuing EAP-TLS
> (4) eap_tls: Peer indicated complete TLS record size will be 2579 bytes
> (4) eap_tls: Expecting 2 TLS record fragments
> (4) eap_tls: Got first TLS record fragment (1398 bytes). Peer indicated
> more fragments to follow
> (4) eap_tls: [eaptls verify] = first fragment
> (4) eap_tls: ACKing Peer's TLS record fragment
> (4) eap_tls: [eaptls process] = handled
> (4) eap: Sending EAP Request (code 1) ID 5 length 6
> (4) eap: EAP session adding &reply:State = 0x8db2a53289b7a858
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (4) Challenge { ... } # empty sub-section is ignored
> (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:36789
> length 0
> (4) EAP-Message = 0x010500060d00
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x8db2a53289b7a858fbbf5fa81909ec3c
> (4) Finished request
> Waking up in 4.9 seconds.
> (5) Received Access-Request Id 5 from 127.0.0.1:36789 to 127.0.0.1:1812
> length 1332
> (5) User-Name = "client.pem"
> (5) NAS-IP-Address = 127.0.0.1
> (5) Calling-Station-Id = "02-00-00-00-00-01"
> (5) Framed-MTU = 1400
> (5) NAS-Port-Type = Wireless-802.11
> (5) Service-Type = Framed-User
> (5) Connect-Info = "CONNECT 11Mbps 802.11b"
> (5) EAP-Message =
> 0x020504a30d009fd708c7fc4135e2c21b17e472a506e56bec63fd54772c0a3de87ec11d4dac88eeaf28e4c60bb8d1437218453166810fe18d87ca8ea690e9b386b211e159030d338d9af4acfc6b71505764594c6c1b85eced7cf21301ca8c1eca8f2752f3c06098f8efcab9203bb480391976249f12e805
> (5) State = 0x8db2a53289b7a858fbbf5fa81909ec3c
> (5) Message-Authenticator = 0x2b66063c58bd994f19a3dcc4fae8afdc
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) auth_log: EXPAND
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (5) auth_log: --> /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (5) auth_log:
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (5) auth_log: EXPAND %t
> (5) auth_log: --> Tue Aug 21 19:09:39 2018
> (5) [auth_log] = ok
> (5) eap: Peer sent EAP Response (code 2) ID 5 length 1187
> (5) eap: No EAP Start, assuming it's an on-going EAP conversation
> (5) [eap] = updated
> (5) files: users: Matched entry DEFAULT at line 1
> (5) [files] = ok
> (5) [expiration] = noop
> (5) [logintime] = noop
> (5) } # authorize = updated
> (5) Found Auth-Type = eap
> (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x8db2a53289b7a858
> (5) eap: Finished EAP session with state 0x8db2a53289b7a858
> (5) eap: Previous EAP request found for state 0x8db2a53289b7a858, released
> from the list
> (5) eap: Peer sent packet with method EAP TLS (13)
> (5) eap: Calling submodule eap_tls to process data
> (5) eap_tls: Continuing EAP-TLS
> (5) eap_tls: Got final TLS record fragment (1181 bytes)
> (5) eap_tls: [eaptls verify] = ok
> (5) eap_tls: Done initial handshake
> (5) eap_tls: <<< recv TLS 1.2 [length 0883]
> (5) eap_tls: Creating attributes from certificate OIDs
> (5) eap_tls: TLS-Cert-Serial := "c600a5ee176d055c"
> (5) eap_tls: TLS-Cert-Expiration := "181019201014Z"
> (5) eap_tls: TLS-Cert-Subject :=
> "/C=US/ST=WA/L=Town/O=company/emailAddress=admintest(a)email.com/CN=Radius
> Server"
> (5) eap_tls: TLS-Cert-Issuer :=
> "/C=US/ST=WA/L=Town/O=company/emailAddress=admintest(a)email.com/CN=Radius
> Server"
> (5) eap_tls: TLS-Cert-Common-Name := "Radius Server"
> (5) eap_tls: Creating attributes from certificate OIDs
> (5) eap_tls: TLS-Client-Cert-Serial := "02"
> (5) eap_tls: TLS-Client-Cert-Expiration := "181019201107Z"
> (5) eap_tls: TLS-Client-Cert-Subject :=
> "/C=US/ST=WA/O=company/CN=kevin.test/emailAddress=kevin.test(a)email.com"
> (5) eap_tls: TLS-Client-Cert-Issuer :=
> "/C=US/ST=WA/L=Town/O=company/emailAddress=admintest(a)email.com/CN=Radius
> Server"
> (5) eap_tls: TLS-Client-Cert-Common-Name := "kevin.test"
> (5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
> Client Authentication"
> (5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
> "1.3.6.1.5.5.7.3.2"
> (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CApath
> /usr/local/etc/raddb/certs %{TLS-Client-Cert-Filename}
> (5) eap_tls: Executing: /usr/bin/openssl verify -CApath
> /usr/local/etc/raddb/certs %{TLS-Client-Cert-Filename}:
> (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (5) eap_tls: --> /tmp/radiusd/radiusd.client.XX6sVjt9
> (5) eap_tls: Program returned code (0) and output
> '/tmp/radiusd/radiusd.client.XX6sVjt9: OK'
> (5) eap_tls: Client certificate CN kevin.test passed external validation
> (5) eap_tls: TLS_accept: unknown state
> (5) eap_tls: <<< recv TLS 1.2 [length 0046]
> (5) eap_tls: TLS_accept: unknown state
> (5) eap_tls: <<< recv TLS 1.2 [length 0108]
> (5) eap_tls: TLS_accept: unknown state
> (5) eap_tls: <<< recv TLS 1.2 [length 0001]
> (5) eap_tls: <<< recv TLS 1.2 [length 0010]
> (5) eap_tls: TLS_accept: unknown state
> (5) eap_tls: >>> send TLS 1.2 [length 0001]
> (5) eap_tls: TLS_accept: unknown state
> (5) eap_tls: >>> send TLS 1.2 [length 0010]
> (5) eap_tls: TLS_accept: unknown state
> (5) eap_tls: TLS_accept: unknown state
> (5) eap_tls: (other): SSL negotiation finished successfully
> (5) eap_tls: SSL Connection Established
> (5) eap_tls: [eaptls process] = handled
> (5) eap: Sending EAP Request (code 1) ID 6 length 61
> (5) eap: EAP session adding &reply:State = 0x8db2a53288b4a858
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (5) Challenge { ... } # empty sub-section is ignored
> (5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:36789
> length 0
> (5) EAP-Message =
> 0x0106003d0d80000000331403030001011603030028381c7e1783d65af09f05df42d3f1b2fed20f91d132889dc662acf7908c7b8dd2a1a9530889f2030a
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x8db2a53288b4a858fbbf5fa81909ec3c
> (5) Finished request
> Waking up in 4.9 seconds.
> (6) Received Access-Request Id 6 from 127.0.0.1:36789 to 127.0.0.1:1812
> length 143
> (6) User-Name = "client.pem"
> (6) NAS-IP-Address = 127.0.0.1
> (6) Calling-Station-Id = "02-00-00-00-00-01"
> (6) Framed-MTU = 1400
> (6) NAS-Port-Type = Wireless-802.11
> (6) Service-Type = Framed-User
> (6) Connect-Info = "CONNECT 11Mbps 802.11b"
> (6) EAP-Message = 0x020600060d00
> (6) State = 0x8db2a53288b4a858fbbf5fa81909ec3c
> (6) Message-Authenticator = 0x3ffc0b16b3614022609b9f298eafda17
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /(a)\./) {
> (6) if (&User-Name =~ /(a)\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) auth_log: EXPAND
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (6) auth_log: --> /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (6) auth_log:
> /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /usr/local/var/log/radius/radacct/
> 127.0.0.1/auth-detail-20180821
> (6) auth_log: EXPAND %t
> (6) auth_log: --> Tue Aug 21 19:09:39 2018
> (6) [auth_log] = ok
> (6) eap: Peer sent EAP Response (code 2) ID 6 length 6
> (6) eap: No EAP Start, assuming it's an on-going EAP conversation
> (6) [eap] = updated
> (6) files: users: Matched entry DEFAULT at line 1
> (6) [files] = ok
> (6) [expiration] = noop
> (6) [logintime] = noop
> (6) } # authorize = updated
> (6) Found Auth-Type = eap
> (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x8db2a53288b4a858
> (6) eap: Finished EAP session with state 0x8db2a53288b4a858
> (6) eap: Previous EAP request found for state 0x8db2a53288b4a858, released
> from the list
> (6) eap: Peer sent packet with method EAP TLS (13)
> (6) eap: Calling submodule eap_tls to process data
> (6) eap_tls: Continuing EAP-TLS
> (6) eap_tls: Peer ACKed our handshake fragment. handshake is finished
> (6) eap_tls: [eaptls verify] = success
> (6) eap_tls: [eaptls process] = success
> (6) eap: Sending EAP Success (code 3) ID 6 length 4
> (6) eap: Freeing handler
> (6) [eap] = ok
> (6) } # authenticate = ok
> (6) # Executing section post-auth from file
> /usr/local/etc/raddb/sites-enabled/default
> (6) post-auth {
> (6) update {
> (6) No attributes updated
> (6) } # update = noop
> (6) ldap: EXPAND .
> (6) ldap: --> .
> (6) ldap: EXPAND Authenticated at %S
> (6) ldap: --> Authenticated at 2018-08-21 19:09:39
> rlm_ldap (ldap): Reserved connection (0)
> (6) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (6) ldap: --> (samaccountname=client.pem)
> (6) ldap: Performing search in "dc=Domain,dc=net" with filter
> "(samaccountname=client.pem)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: ERROR: Failed performing search: Operations error with LDAP
> database. Please see the LDAP server configuration / documentation for
> more information.
> (6) ldap: ERROR: Server said: 000004DC: LdapErr: DSID-0C0907C2, comment:
> In order to perform this operation a successful bind must be completed on
> the connection., data 0, v2580.
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://Domain.net:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (6) [ldap] = fail
> (6) } # post-auth = fail
> (6) Using Post-Auth-Type Reject
> (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> (6) Post-Auth-Type REJECT {
> (6) attr_filter.access_reject: EXPAND %{User-Name}
> (6) attr_filter.access_reject: --> client.pem
> (6) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (6) [attr_filter.access_reject] = updated
> (6) [eap] = noop
> (6) policy remove_reply_message_if_eap {
> (6) if (&reply:EAP-Message && &reply:Reply-Message) {
> (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (6) else {
> (6) [noop] = noop
> (6) } # else = noop
> (6) } # policy remove_reply_message_if_eap = noop
> (6) } # Post-Auth-Type REJECT = updated
> (6) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (6) Sending delayed response
> (6) Sent Access-Reject Id 6 from 127.0.0.1:1812 to 127.0.0.1:36789 length
> 44
> (6) EAP-Message = 0x03060004
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 0 with timestamp +4
> (1) Cleaning up request packet ID 1 with timestamp +4
> (2) Cleaning up request packet ID 2 with timestamp +4
> (3) Cleaning up request packet ID 3 with timestamp +4
> (4) Cleaning up request packet ID 4 with timestamp +4
> (5) Cleaning up request packet ID 5 with timestamp +4
> (6) Cleaning up request packet ID 6 with timestamp +4
> Ready to process requests
>
>
>
> From: Freeradius-Users <freeradius-users-bounces+kevin.virk=
> faithlife.com(a)lists.freeradius.org> on behalf of
> freeradius-users-request(a)lists.freeradius.org <
> freeradius-users-request(a)lists.freeradius.org>
> Sent: Tuesday, August 21, 2018 3:00 AM
> To: freeradius-users(a)lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 160, Issue 41
>
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Re: Apache with mod_auth_radius starts X requests
> (Fajar A. Nugraha)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 21 Aug 2018 16:25:50 +0700
> From: "Fajar A. Nugraha" <list(a)fajar.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Re: Apache with mod_auth_radius starts X requests
> Message-ID:
> <CAG1y0sda1T+K+gGYotwihfd+Ly2RLkPrZd_fCt2Ciiz31q-jQQ(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On Tue, Aug 21, 2018 at 4:22 PM, Carsten Schulze <
> carsten.schulze(a)leuphana.de> wrote:
>
> > Hi,
> >
> > to finalize.
> >
> > I installed a PHP Directory Listner to that folder, with that, only one
> > request was generated.
> >
> > If its not possible, you can reduce the index.* (checks) in apache, which
> > will reduce the total amount of Radius-Reuqests.
> >
> > /etc/apache2/mods-enabled/dir.conf
> > <IfModule mod_dir.c>
> > #DirectoryIndex index.html index.cgi index.pl index.php
> > index.xhtml index.htm
> > DirectoryIndex index.php
> > </IfModule>
> >
> >
> Isn't that basically what
> https://github.com/FreeRADIUS/mod_auth_radius#4-some-warnings says?
>
> --
> Fajar
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 160, Issue 41
> *************************************************
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
Best regards, Alex Morozenko
------------------------------
Subject: Digest Footer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 160, Issue 43
*************************************************
1
0
Hi,
I'm using Debian9 with Apache + radius_mod_auth to authenticate some
user while accessing a directory on that server.
But that didn't work.
I can see Radius Access-Request and Access-Accepts via tcpdump, the
probleme is, that the request never ends. I interrupted the request with
an Apache restart after 3Minutes and 1500 Radius-Request (still running).
07:10:14.010157 IP Radius-IP.1812 > 10.19.56.57.1026: RADIUS, Access-Accept
....
07:13:27.547061 IP 10.19.56.57.1026 > Radius-IP.1812: RADIUS,
Access-Request (1), id: 0xc2 length: 80
07:13:27.674561 IP Radius-IP.1812 > 10.19.56.57.1026: RADIUS,
Access-Accept (2), id: 0xc2 length: 20
3000 packets captured
Any Idea about that?
I used that guid for configuration:
https://github.com/FreeRADIUS/mod_auth_radius
P.S: I can't turn on the debug option, the server wouldn't start.
Regards
Carsten
4
6
Hi,
I am a QA Engineer and my purpose is to test that my boxes RADIUS support feature is functioning right
and that it is OK with the most popular RADIUS servers.
One of our customers complaint about the fact that he is not able to make our boxes authenticated against FreeRadius.
I have no experience with FreeRadius and I immediately revealed that is not a Plug-and-Play RADIUS Server as TekRADIUS (Windows).
With TekRADIUS I manage to authenticate a user that performs a login into our boxes. Actually it is almost Plug-and-Play.
I simply defined a Default (name of the client/group) with a secret and a vendor that is general (ietf)
then I defined 3 users (one for each of my privileges). Each user has two attributes:
1. User_Password with a type of Check the Value is the password string
2. Class with a type of Success-Reply which controls the priveleges of the users. The Value is an integer (4/2/1)
I have set FreeRadius like this:
1. I added the clients.conf file the following client
client <http://10.0.1.0/8> 10.0.1.0/8<http://10.0.1.0/8> {
secret = test
nastype = other
}
2. I added a user into the users file
moshe Cleartext-Password := "moshe"
Service-Type = "6"
3. The radius.conf was set with the following log {} settings
auth = yes
auth-goodpass = yes
with all of that said I can also tell the radius.log show that the Login attempts are OK but I still
get Access denied from my device, like something is still missing.
Can you please tell me what might be missing ? Thanks for the support
Here is the debug info
root@radius1:/etc/freeradius# freeradius -X
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:27:21
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/<http://detail.example.com>detail.example.com<http://detail.example.com>
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
3
2
Dear,
Post reinstalling freeradius 3.0.17 package along with freeradius-perl
packages, while running freeradius in debug mode getting below error:
Failed to link to module 'rlm_perl':
/usr/app/radius-new/lib/rlm_perl.so: cannot open shared object file: No
such file or directory
Following a suggestion of earlier post in similar context, installed perl
distribution package & reinstalling freeradius didn't suffice..
Could someone guide her please..?
----
*Thanks & Kind Regards,*
Saurabh LAHOTI.
*Ideas enlighten Innovation**!!!*
Please consider the environment before printing this mail..!!
2
1
Hi,
Starting from a scenario with 3 servers, where all 3 methods are properly
configured, what would be the safest method?
--
Elias Pereira
2
2
Hey everyone,
After running FreeRADIUS for a while (3.0.17 built from GitHub release page), I noticed that the server ends up in a loop writing out following messages:
Fri Aug 17 17:33:05 2018 : Debug: (0) Reading from socket 33
Fri Aug 17 17:33:05 2018 : Debug: (0) Reading pending buffered data
Fri Aug 17 17:33:05 2018 : Debug: (0) Failed writing 0 bytes to SSL BIO: -1
Fri Aug 17 17:33:05 2018 : Debug: (0) Application data status 4
I have RadSec configured for the RADIUS (TLS tunnel). When I was running 3.0.15 version, this wasn't happening. Any idea what could be happening?
Thanks a lot,
Jan
2
2
Hello,
I am wondering whether there is any standard SQL schema for IPv6 radius
accounting, and standard queries?
I understand from doing a bit of research that to store the IPv6 schema
we have to manually add fields to the SQL database and the queries to
the queries.conf. That is certainly doable and is easy enough, however
instead of naming them what I want, I would rather have some official
guidance as to what the fields should be named and what the queries
should be. The reason is that we use some third party software that
reads accounting data directly out out of the FreeRADIUS radacct table,
and it expects the standard field names to be used - unfortunately there
seem to not be standardized field names for SQL for IPv6 RADIUS
accounting yet, and it would simply save us some future headache if we
had this. They seem to not want to build support for IPv6 until there is
some standard schema released by FreeRADIUS that gives the MySQL field
names for IPv6 accounting info.
Also small ISPs are beginning to roll out IPv6 more and more, ISPs that
use FreeRADIUS, so it might be good to add those into the standard
install at some point? Just an idea.
Thanks!
5
22
Thank you Nathan Ward,
Actually i want to make daily usage report, but if that session is older
than one or two days than i dont get proper daily data usage report. For
now, i was make script that disconnect all users with pod at midnight 12.
Any other way to achieve this idea without disconnecting users.
Warm Regard's
Imdadali Kadiwala
On Sun 19 Aug, 2018, 11:19 AM , <
freeradius-users-request(a)lists.freeradius.org> wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Renew the session at midnight 12 o clock (Imdad Hasan)
> 2. Re: Renew the session at midnight 12 o clock (Nathan Ward)
> 3. Re: IPv6 accounting RADIUS SQL schema? (Nathan Ward)
> 4. Re: IPv6 accounting RADIUS SQL schema? (Michael Ducharme)
> 5. Re: IPv6 accounting RADIUS SQL schema? (Nathan Ward)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 19 Aug 2018 03:04:18 +0530
> From: Imdad Hasan <imdadalikadiwala0(a)gmail.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Renew the session at midnight 12 o clock
> Message-ID:
> <
> CAPidyMV-OmZWUxBwrH8RvxfP5COBVpTcUZu2gAfmCUvCZoq-rA(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Respected All,
>
> How can i kill old accounting sessions and generate new sessions without
> disconnect the users at every midnight 12 o clock.
>
>
> Warm Regard's
> Imdadali Kadiwala
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 19 Aug 2018 15:21:48 +1200
> From: Nathan Ward <lists+freeradius(a)daork.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: Renew the session at midnight 12 o clock
> Message-ID: <33845DBE-D464-4713-B980-0479726912C9(a)daork.net>
> Content-Type: text/plain; charset=utf-8
>
>
> > On 19/08/2018, at 9:34 AM, Imdad Hasan <imdadalikadiwala0(a)gmail.com>
> wrote:
> >
> > Respected All,
> >
> > How can i kill old accounting sessions and generate new sessions without
> > disconnect the users at every midnight 12 o clock.
>
> Accounting sessions are managed by the NAS and distinguished by
> Acct-Session-Id etc., so, you can’t really unless your NAS can do this -
> but I’ve never seen such a “feature”.
>
> Often we return a “Class” in an Access-Accept message, which is included
> in Accounting requests and is what FreeRADIUS uses to distinguish unique
> sessions. **Maybe** you can update Class in a CoA, but, that would almost
> certainly be NAS specific. Additionally, this would not cause the NAS to
> reset the counters to zero, nor send an accounting start type message.
>
> This is quite a specific question - short answer is “you can’t” - but
> perhaps we can help if we know what you are doing. What are you looking to
> achieve? Why do you want new accounting sessions?
>
> --
> Nathan Ward
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 19 Aug 2018 15:37:23 +1200
> From: Nathan Ward <lists+freeradius(a)daork.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: IPv6 accounting RADIUS SQL schema?
> Message-ID: <786ED99C-8491-4A52-AEB3-B9D9FCC3E540(a)daork.net>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> > On 19/08/2018, at 9:11 AM, Michael Ducharme <mducharme(a)gmail.com> wrote:
> >
> > I would say it is even more complicated:
> >
> > If assigning framed prefixes is enabled on the NAS, each customer is
> given a /64 prefix and router advertisements are sent out so that the CPE
> can get a global address via SLAAC (reported as Framed-IPv6-Prefix and
> Framed-Interface-Id).
> >
> > If DHCPv6-PD is enabled on the NAS, each customer who requests a prefix
> will be assigned one, typically a /56 (reported as Delegated-IPv6-Prefix).
> If DHCPv6 address assignment is enabled, then the CPE can get a global IP
> through DHCPv6 (reported as Framed-IPv6-Address).
>
> Yep that’s right - in my prev. message, the /128 is a CIDR, so can be any
> length. If one uses SLAAC for CPE WAN interfaces, the prefix for that needs
> to be unique per subscriber so you can identify them, as SLAAC doesn’t give
> the BNG any indication of the address(es) which are selected.
>
> > So if the customer has a router that supports everything and has
> everything enabled, it could get two addresses on its WAN port, one via
> SLAAC and one via DHCPv6, and then a prefix via DHCPv6-PD for use on the
> internal network (LAN ports, guest wifi, etc.). If only routers are
> connecting via PPP and not customer computers directly, you can look at the
> Delegated-IPv6-Prefix to see what prefix the customer's computers are
> using. If customer computers connected directly to the NAS (ex. through an
> L2TP VPN), then the computer will use either a global address via SLAAC
> (found in the Framed-IPv6-Prefix and Framed-Interface-Id accounting) or a
> global address via DHCPv6 (found in Framed-IPv6-Address), or both.
>
> While I agree that this is technically possible, it is unusual to have
> both SLAAC and DHCPv6 IA-NA at the same time on one device. DHCPv6 is
> triggered by flags in the RA. If you’ve got a broadband type environment
> where both happen, I would suggest changing that to support only SLAAC, or
> only DHCPv6 IA-NA.
>
> Regardless, this is possible, so is something that should probably be
> permitted.
>
> > Because, depending on the exact situation, the end user device may be on
> an address in the Delegated-IPv6-Prefix (this is the case if they go
> through a router) or an address in the Framed-IPv6-Prefix (if they are on
> SLAAC) or an address in Framed-IPv6-Address (if they receive an address
> through DHCPv6 address assignment), all three fields must be stored. As an
> ISP, we are required to forward copyright infringement notices to
> customers, and in order to look up the address on the notice, we need to
> search all three fields (unlike in IPv4 where we only search one field).
>
> Additionally, it is common that WAN side addresses are not assigned at all
> - and only DHCPv6 IA-PD is assigned - and there may even be multiple IA-PD
> assigned.
>
> I think the short story is that a RADIUS “session” can have 0+ IPv6
> addresses/prefixes. This is I suppose similar to IPv4, if you use
> Framed-Route to give customers additional addresses - these can exist in
> Accounting-Request messages.
>
> I don’t know if this is something that FreeRADIUS should attempt to solve
> in a generic way, or if there should perhaps be some examples and have it
> left up to the operator. If it is solved in a generic way, how would that
> be done?
> - Additional tables for prefix assignments?
> - ARRAY support in SQL? (Not in MySQL, but is in other SQL DBs)
> - JSON or some other serialisation of an array in to text?
> - ARRAY for most DBs, JSON blob for others?
>
> --
> Nathan Ward
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 18 Aug 2018 22:21:19 -0700
> From: Michael Ducharme <mducharme(a)gmail.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Re: IPv6 accounting RADIUS SQL schema?
> Message-ID: <5f9b3c0e-23ee-f7c0-46aa-5618b2274cd3(a)gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi,
>
> On 8/18/2018 8:37 PM, Nathan Ward wrote:
> > Additionally, it is common that WAN side addresses are not assigned at
> all - and only DHCPv6 IA-PD is assigned - and there may even be multiple
> IA-PD assigned.
> Yes, I am aware - we do not assign WAN side addresses. An unfortunate
> side effect of this is that *many* consumer routers will then not
> function - quite a few consumer routers ask for address and prefix, and
> if offered a prefix with no address, will refuse it instead of correctly
> accepting the prefix. Once our NAS vendor adds proper RADIUS accounting
> support for IPv6, we might assign WAN-side addresses for that reason only.
>
> We are only starting to provide managed residential gateways to our
> customers - our network has been historically BYOR
> (bring-your-own-router), and we even have some customers who have no
> computer and no router, only an xbox plugged into their modem configured
> with the PPPoE credentials. At the moment, the way our network is
> configured, those xbox customers are out of luck for IPv6, since the
> xbox is unlikely to request a prefix via DHCPv6-PD. Given our
> environment, as long as we have decent RADIUS accounting, we are likely
> to enable both SLAAC framed-prefix and DHCPv6 address provisioning, if
> only to provide working IPv6 connectivity to as many customers as
> possible, given the plethora of different ways they can connect.
>
> > I think the short story is that a RADIUS “session” can have 0+ IPv6
> addresses/prefixes. This is I suppose similar to IPv4, if you use
> Framed-Route to give customers additional addresses - these can exist in
> Accounting-Request messages.
> The big difference with Framed-Route in IPv4 is there is not generally a
> mechanism for customers to be automatically assigned their own prefix
> with IPv4 -- at least I have never heard of a means to do so. The only
> way that the customer is going to get an IPv4 prefix is if the attribute
> is provided via RADIUS in the Access-Accept packet, and in that event,
> you don't necessarily need the accounting to know that the customer has
> that prefix (since somewhere else in the same RADIUS database there is
> the attribute that provided it in the first place). This is different
> with IPv6, where the customer can get a Delegated-IPv6-Prefix and/or
> Framed-IPv6-Prefix by automatic means without that prefix having been
> originally assigned via RADIUS, and having the accounting record is
> therefore more crucial.
> >
> > I don’t know if this is something that FreeRADIUS should attempt to
> solve in a generic way, or if there should perhaps be some examples and
> have it left up to the operator. If it is solved in a generic way, how
> would that be done?
> > - Additional tables for prefix assignments?
> > - ARRAY support in SQL? (Not in MySQL, but is in other SQL DBs)
> > - JSON or some other serialisation of an array in to text?
> > - ARRAY for most DBs, JSON blob for others?
>
> I considered the idea of another table, because it is tempting to have
> the idea of a structure that represents IPv6 addresses that the customer
> has in a single place, but that increases complexity in its own way. If
> you did have a second table, however, it would be even more tempting to
> have it store all other attributes that aren't recorded elsewhere, with
> fields for radacctid (to associate it with the correct accounting
> record), attribute name, and attribute value. It's always a weakness of
> the DB-field-per-attribute SQL approach that you aren't recording all
> accounting fields in the database, and the separate table would provide
> that - the database could record every value that the NAS provides.
> Alternatively as you suggest, you could have a JSON blob that records
> the remaining attributes. I don't personally like the idea of using a
> type like ARRAY that MySQL doesn't support, especially since it is
> probably the case that most FreeRADIUS SQL implementations out there are
> using MySQL.
>
> However, I don't think it is necessarily a technical problem to have
> three different fields to store the IPv6 address and searching across
> three fields. The biggest risk is going to be lack of understanding of
> what the fields are for, where developers who create billing systems or
> web interfaces that offer some kind of address search function may only
> program it to search one of the three fields, not understanding the
> purpose of the different fields. I expect that a developer extending
> their billing system or web interface to IPv6, not having an
> understanding of some of the technicalities, would think that search of
> a "framedipv6address" field was sufficient and not bother to search the
> "framedipv6prefix" and "delegatedipv6prefix" fields, and that would end
> up creating issues for end users.
>
> Michael
>
>
> ------------------------------
>
> Message: 5
> Date: Sun, 19 Aug 2018 17:49:21 +1200
> From: Nathan Ward <lists+freeradius(a)daork.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: IPv6 accounting RADIUS SQL schema?
> Message-ID: <1BF16ACE-882B-4F49-A696-A2E1685F9A62(a)daork.net>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> > On 19/08/2018, at 5:21 PM, Michael Ducharme <mducharme(a)gmail.com> wrote:
> >
> > However, I don't think it is necessarily a technical problem to have
> three different fields to store the IPv6 address and searching across three
> fields. The biggest risk is going to be lack of understanding of what the
> fields are for, where developers who create billing systems or web
> interfaces that offer some kind of address search function may only program
> it to search one of the three fields, not understanding the purpose of the
> different fields. I expect that a developer extending their billing system
> or web interface to IPv6, not having an understanding of some of the
> technicalities, would think that search of a "framedipv6address" field was
> sufficient and not bother to search the "framedipv6prefix" and
> "delegatedipv6prefix" fields, and that would end up creating issues for end
> users.
>
>
> If this would be the approach then I think it’s best left as examples of
> what could be done, rather than change the standard schema - a standard
> schema needs to support 0+ of each of the fields you suggest here, not
> simply 0-1.
>
> --
> Nathan Ward
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 160, Issue 33
> *************************************************
>
3
4
Thanks Nathan Ward,
Sure,
Say for example:
if any user "XYZ" have a one accounting session with the acct-start-time =
"2018-08-16 05:00:00" and acct-stop-time = " 2018-08-19 11:16:46". Ok.
Means only one accounting session 3 days. So, in this example how can i
calculate OR get the "2018-08-17" OR "2018-08-18" s' data usage of that
"XYZ" user?
Warm Regard's
Imdadali Kadiwala
On Sun, Aug 19, 2018 at 3:18 PM, <
freeradius-users-request(a)lists.freeradius.org> wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: IPv6 accounting RADIUS SQL schema? (Michael Ducharme)
> 2. Re: Freeradius-Users Digest, Vol 160, Issue 33 (Imdad Hasan)
> 3. Re: daily usage report (Nathan Ward)
> 4. Re: IPv6 accounting RADIUS SQL schema? (Nathan Ward)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 18 Aug 2018 23:57:19 -0700
> From: Michael Ducharme <mducharme(a)gmail.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Re: IPv6 accounting RADIUS SQL schema?
> Message-ID: <2ac45a24-7dbf-7c03-c31e-b70cf41f5b60(a)gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 8/18/2018 10:49 PM, Nathan Ward wrote:
> > If this would be the approach then I think it’s best left as examples
> > of what could be done, rather than change the standard schema - a
> > standard schema needs to support 0+ of each of the fields you suggest
> > here, not simply 0-1.
> There *needs* to be a standard schema for IPv6 soon, the billing system
> we use does not support IPv6 RADIUS accounting yet mainly because there
> are no standard FreeRADIUS/MySQL field names to read the data from
> (hence the reason for my question and my pull request). How can I get
> our billing system vendor to support IPv6 RADIUS accounting in
> FreeRADIUS/MySQL when there are not even standard fields for storing
> this data?
>
> And, regarding 0+ instead of 0-1, even though the attributes may
> technically be usable multiple times, how often does this happen in
> practice? I would expect extremely rarely, based on what I have seen,
> especially in an automated sense. If there are multiple
> Delegated-IPv6-Prefix attributes, chances are that it is not due to an
> automated system but instead due to RADIUS assignment of
> Delegated-IPv6-Prefix, and that case is like the IPv4 Framed-Route
> attribute. If Delegated-IPv6-Prefix is assigned via RADIUS from the
> beginning, then at least there is a record that that prefix was assigned
> to that customer besides the accounting record.
>
> I just don't want this to turn into a "lets do nothing" situation, due
> to a few potential corner case situations, because then nothing is going
> to happen.
>
> Michael
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 19 Aug 2018 15:08:21 +0530
> From: Imdad Hasan <imdadalikadiwala0(a)gmail.com>
> To: freeradius-users(a)lists.freeradius.org
> Subject: Re: Freeradius-Users Digest, Vol 160, Issue 33
> Message-ID:
> <CAPidyMX7ZM-8f4gujFTiQK84ZuhLmZAFPihoEvA=E
> Jr1d+OdKA(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Thank you Nathan Ward,
>
> Actually i want to make daily usage report, but if that session is older
> than one or two days than i dont get proper daily data usage report. For
> now, i was make script that disconnect all users with pod at midnight 12.
>
> Any other way to achieve this idea without disconnecting users.
>
> Warm Regard's
> Imdadali Kadiwala
>
> On Sun 19 Aug, 2018, 11:19 AM , <
> freeradius-users-request(a)lists.freeradius.org> wrote:
>
> > Send Freeradius-Users mailing list submissions to
> > freeradius-users(a)lists.freeradius.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://lists.freeradius.org/mailman/listinfo/freeradius-users
> > or, via email, send a message with subject or body 'help' to
> > freeradius-users-request(a)lists.freeradius.org
> >
> > You can reach the person managing the list at
> > freeradius-users-owner(a)lists.freeradius.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Freeradius-Users digest..."
> >
> >
> > Today's Topics:
> >
> > 1. Renew the session at midnight 12 o clock (Imdad Hasan)
> > 2. Re: Renew the session at midnight 12 o clock (Nathan Ward)
> > 3. Re: IPv6 accounting RADIUS SQL schema? (Nathan Ward)
> > 4. Re: IPv6 accounting RADIUS SQL schema? (Michael Ducharme)
> > 5. Re: IPv6 accounting RADIUS SQL schema? (Nathan Ward)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sun, 19 Aug 2018 03:04:18 +0530
> > From: Imdad Hasan <imdadalikadiwala0(a)gmail.com>
> > To: freeradius-users(a)lists.freeradius.org
> > Subject: Renew the session at midnight 12 o clock
> > Message-ID:
> > <
> > CAPidyMV-OmZWUxBwrH8RvxfP5COBVpTcUZu2gAfmCUvCZoq-rA(a)mail.gmail.com>
> > Content-Type: text/plain; charset="UTF-8"
> >
> > Respected All,
> >
> > How can i kill old accounting sessions and generate new sessions without
> > disconnect the users at every midnight 12 o clock.
> >
> >
> > Warm Regard's
> > Imdadali Kadiwala
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Sun, 19 Aug 2018 15:21:48 +1200
> > From: Nathan Ward <lists+freeradius(a)daork.net>
> > To: FreeRadius users mailing list
> > <freeradius-users(a)lists.freeradius.org>
> > Subject: Re: Renew the session at midnight 12 o clock
> > Message-ID: <33845DBE-D464-4713-B980-0479726912C9(a)daork.net>
> > Content-Type: text/plain; charset=utf-8
> >
> >
> > > On 19/08/2018, at 9:34 AM, Imdad Hasan <imdadalikadiwala0(a)gmail.com>
> > wrote:
> > >
> > > Respected All,
> > >
> > > How can i kill old accounting sessions and generate new sessions
> without
> > > disconnect the users at every midnight 12 o clock.
> >
> > Accounting sessions are managed by the NAS and distinguished by
> > Acct-Session-Id etc., so, you can’t really unless your NAS can do this -
> > but I’ve never seen such a “feature”.
> >
> > Often we return a “Class” in an Access-Accept message, which is included
> > in Accounting requests and is what FreeRADIUS uses to distinguish unique
> > sessions. **Maybe** you can update Class in a CoA, but, that would almost
> > certainly be NAS specific. Additionally, this would not cause the NAS to
> > reset the counters to zero, nor send an accounting start type message.
> >
> > This is quite a specific question - short answer is “you can’t” - but
> > perhaps we can help if we know what you are doing. What are you looking
> to
> > achieve? Why do you want new accounting sessions?
> >
> > --
> > Nathan Ward
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Sun, 19 Aug 2018 15:37:23 +1200
> > From: Nathan Ward <lists+freeradius(a)daork.net>
> > To: FreeRadius users mailing list
> > <freeradius-users(a)lists.freeradius.org>
> > Subject: Re: IPv6 accounting RADIUS SQL schema?
> > Message-ID: <786ED99C-8491-4A52-AEB3-B9D9FCC3E540(a)daork.net>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hi,
> >
> > > On 19/08/2018, at 9:11 AM, Michael Ducharme <mducharme(a)gmail.com>
> wrote:
> > >
> > > I would say it is even more complicated:
> > >
> > > If assigning framed prefixes is enabled on the NAS, each customer is
> > given a /64 prefix and router advertisements are sent out so that the CPE
> > can get a global address via SLAAC (reported as Framed-IPv6-Prefix and
> > Framed-Interface-Id).
> > >
> > > If DHCPv6-PD is enabled on the NAS, each customer who requests a prefix
> > will be assigned one, typically a /56 (reported as
> Delegated-IPv6-Prefix).
> > If DHCPv6 address assignment is enabled, then the CPE can get a global IP
> > through DHCPv6 (reported as Framed-IPv6-Address).
> >
> > Yep that’s right - in my prev. message, the /128 is a CIDR, so can be any
> > length. If one uses SLAAC for CPE WAN interfaces, the prefix for that
> needs
> > to be unique per subscriber so you can identify them, as SLAAC doesn’t
> give
> > the BNG any indication of the address(es) which are selected.
> >
> > > So if the customer has a router that supports everything and has
> > everything enabled, it could get two addresses on its WAN port, one via
> > SLAAC and one via DHCPv6, and then a prefix via DHCPv6-PD for use on the
> > internal network (LAN ports, guest wifi, etc.). If only routers are
> > connecting via PPP and not customer computers directly, you can look at
> the
> > Delegated-IPv6-Prefix to see what prefix the customer's computers are
> > using. If customer computers connected directly to the NAS (ex. through
> an
> > L2TP VPN), then the computer will use either a global address via SLAAC
> > (found in the Framed-IPv6-Prefix and Framed-Interface-Id accounting) or a
> > global address via DHCPv6 (found in Framed-IPv6-Address), or both.
> >
> > While I agree that this is technically possible, it is unusual to have
> > both SLAAC and DHCPv6 IA-NA at the same time on one device. DHCPv6 is
> > triggered by flags in the RA. If you’ve got a broadband type environment
> > where both happen, I would suggest changing that to support only SLAAC,
> or
> > only DHCPv6 IA-NA.
> >
> > Regardless, this is possible, so is something that should probably be
> > permitted.
> >
> > > Because, depending on the exact situation, the end user device may be
> on
> > an address in the Delegated-IPv6-Prefix (this is the case if they go
> > through a router) or an address in the Framed-IPv6-Prefix (if they are on
> > SLAAC) or an address in Framed-IPv6-Address (if they receive an address
> > through DHCPv6 address assignment), all three fields must be stored. As
> an
> > ISP, we are required to forward copyright infringement notices to
> > customers, and in order to look up the address on the notice, we need to
> > search all three fields (unlike in IPv4 where we only search one field).
> >
> > Additionally, it is common that WAN side addresses are not assigned at
> all
> > - and only DHCPv6 IA-PD is assigned - and there may even be multiple
> IA-PD
> > assigned.
> >
> > I think the short story is that a RADIUS “session” can have 0+ IPv6
> > addresses/prefixes. This is I suppose similar to IPv4, if you use
> > Framed-Route to give customers additional addresses - these can exist in
> > Accounting-Request messages.
> >
> > I don’t know if this is something that FreeRADIUS should attempt to solve
> > in a generic way, or if there should perhaps be some examples and have it
> > left up to the operator. If it is solved in a generic way, how would that
> > be done?
> > - Additional tables for prefix assignments?
> > - ARRAY support in SQL? (Not in MySQL, but is in other SQL DBs)
> > - JSON or some other serialisation of an array in to text?
> > - ARRAY for most DBs, JSON blob for others?
> >
> > --
> > Nathan Ward
> >
> >
> >
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Sat, 18 Aug 2018 22:21:19 -0700
> > From: Michael Ducharme <mducharme(a)gmail.com>
> > To: freeradius-users(a)lists.freeradius.org
> > Subject: Re: IPv6 accounting RADIUS SQL schema?
> > Message-ID: <5f9b3c0e-23ee-f7c0-46aa-5618b2274cd3(a)gmail.com>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> > Hi,
> >
> > On 8/18/2018 8:37 PM, Nathan Ward wrote:
> > > Additionally, it is common that WAN side addresses are not assigned at
> > all - and only DHCPv6 IA-PD is assigned - and there may even be multiple
> > IA-PD assigned.
> > Yes, I am aware - we do not assign WAN side addresses. An unfortunate
> > side effect of this is that *many* consumer routers will then not
> > function - quite a few consumer routers ask for address and prefix, and
> > if offered a prefix with no address, will refuse it instead of correctly
> > accepting the prefix. Once our NAS vendor adds proper RADIUS accounting
> > support for IPv6, we might assign WAN-side addresses for that reason
> only.
> >
> > We are only starting to provide managed residential gateways to our
> > customers - our network has been historically BYOR
> > (bring-your-own-router), and we even have some customers who have no
> > computer and no router, only an xbox plugged into their modem configured
> > with the PPPoE credentials. At the moment, the way our network is
> > configured, those xbox customers are out of luck for IPv6, since the
> > xbox is unlikely to request a prefix via DHCPv6-PD. Given our
> > environment, as long as we have decent RADIUS accounting, we are likely
> > to enable both SLAAC framed-prefix and DHCPv6 address provisioning, if
> > only to provide working IPv6 connectivity to as many customers as
> > possible, given the plethora of different ways they can connect.
> >
> > > I think the short story is that a RADIUS “session” can have 0+ IPv6
> > addresses/prefixes. This is I suppose similar to IPv4, if you use
> > Framed-Route to give customers additional addresses - these can exist in
> > Accounting-Request messages.
> > The big difference with Framed-Route in IPv4 is there is not generally a
> > mechanism for customers to be automatically assigned their own prefix
> > with IPv4 -- at least I have never heard of a means to do so. The only
> > way that the customer is going to get an IPv4 prefix is if the attribute
> > is provided via RADIUS in the Access-Accept packet, and in that event,
> > you don't necessarily need the accounting to know that the customer has
> > that prefix (since somewhere else in the same RADIUS database there is
> > the attribute that provided it in the first place). This is different
> > with IPv6, where the customer can get a Delegated-IPv6-Prefix and/or
> > Framed-IPv6-Prefix by automatic means without that prefix having been
> > originally assigned via RADIUS, and having the accounting record is
> > therefore more crucial.
> > >
> > > I don’t know if this is something that FreeRADIUS should attempt to
> > solve in a generic way, or if there should perhaps be some examples and
> > have it left up to the operator. If it is solved in a generic way, how
> > would that be done?
> > > - Additional tables for prefix assignments?
> > > - ARRAY support in SQL? (Not in MySQL, but is in other SQL DBs)
> > > - JSON or some other serialisation of an array in to text?
> > > - ARRAY for most DBs, JSON blob for others?
> >
> > I considered the idea of another table, because it is tempting to have
> > the idea of a structure that represents IPv6 addresses that the customer
> > has in a single place, but that increases complexity in its own way. If
> > you did have a second table, however, it would be even more tempting to
> > have it store all other attributes that aren't recorded elsewhere, with
> > fields for radacctid (to associate it with the correct accounting
> > record), attribute name, and attribute value. It's always a weakness of
> > the DB-field-per-attribute SQL approach that you aren't recording all
> > accounting fields in the database, and the separate table would provide
> > that - the database could record every value that the NAS provides.
> > Alternatively as you suggest, you could have a JSON blob that records
> > the remaining attributes. I don't personally like the idea of using a
> > type like ARRAY that MySQL doesn't support, especially since it is
> > probably the case that most FreeRADIUS SQL implementations out there are
> > using MySQL.
> >
> > However, I don't think it is necessarily a technical problem to have
> > three different fields to store the IPv6 address and searching across
> > three fields. The biggest risk is going to be lack of understanding of
> > what the fields are for, where developers who create billing systems or
> > web interfaces that offer some kind of address search function may only
> > program it to search one of the three fields, not understanding the
> > purpose of the different fields. I expect that a developer extending
> > their billing system or web interface to IPv6, not having an
> > understanding of some of the technicalities, would think that search of
> > a "framedipv6address" field was sufficient and not bother to search the
> > "framedipv6prefix" and "delegatedipv6prefix" fields, and that would end
> > up creating issues for end users.
> >
> > Michael
> >
> >
> > ------------------------------
> >
> > Message: 5
> > Date: Sun, 19 Aug 2018 17:49:21 +1200
> > From: Nathan Ward <lists+freeradius(a)daork.net>
> > To: FreeRadius users mailing list
> > <freeradius-users(a)lists.freeradius.org>
> > Subject: Re: IPv6 accounting RADIUS SQL schema?
> > Message-ID: <1BF16ACE-882B-4F49-A696-A2E1685F9A62(a)daork.net>
> > Content-Type: text/plain; charset=utf-8
> >
> > Hi,
> >
> > > On 19/08/2018, at 5:21 PM, Michael Ducharme <mducharme(a)gmail.com>
> wrote:
> > >
> > > However, I don't think it is necessarily a technical problem to have
> > three different fields to store the IPv6 address and searching across
> three
> > fields. The biggest risk is going to be lack of understanding of what the
> > fields are for, where developers who create billing systems or web
> > interfaces that offer some kind of address search function may only
> program
> > it to search one of the three fields, not understanding the purpose of
> the
> > different fields. I expect that a developer extending their billing
> system
> > or web interface to IPv6, not having an understanding of some of the
> > technicalities, would think that search of a "framedipv6address" field
> was
> > sufficient and not bother to search the "framedipv6prefix" and
> > "delegatedipv6prefix" fields, and that would end up creating issues for
> end
> > users.
> >
> >
> > If this would be the approach then I think it’s best left as examples of
> > what could be done, rather than change the standard schema - a standard
> > schema needs to support 0+ of each of the fields you suggest here, not
> > simply 0-1.
> >
> > --
> > Nathan Ward
> >
> >
> >
> >
> > ------------------------------
> >
> > Subject: Digest Footer
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> > ------------------------------
> >
> > End of Freeradius-Users Digest, Vol 160, Issue 33
> > *************************************************
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 19 Aug 2018 21:43:29 +1200
> From: Nathan Ward <lists+freeradius(a)daork.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: daily usage report
> Message-ID: <D01DBD1C-9EC8-4FF5-8344-BA924FB40D65(a)daork.net>
> Content-Type: text/plain; charset=utf-8
>
> You might want to subscribe to the list non-digest :-)
>
> > On 19/08/2018, at 9:38 PM, Imdad Hasan <imdadalikadiwala0(a)gmail.com>
> wrote:
> >
> > Thank you Nathan Ward,
> >
> > Actually i want to make daily usage report, but if that session is older
> > than one or two days than i dont get proper daily data usage report. For
> > now, i was make script that disconnect all users with pod at midnight 12.
> >
> > Any other way to achieve this idea without disconnecting users.
>
> Sure there are plenty of ways. What is the problem re. the sessions being
> older than one or two days? Please be explicit about your problem and what
> you’re trying to achieve, and include as much detail as possible. I can
> guess, but, I am not exactly sure so I won’t. “Proper” is not an objective
> term - can you expand on that?
>
> --
> Nathan Ward
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 19 Aug 2018 21:47:54 +1200
> From: Nathan Ward <lists+freeradius(a)daork.net>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: IPv6 accounting RADIUS SQL schema?
> Message-ID: <CB334B87-4076-4673-9FA3-E0FBF0CA1E61(a)daork.net>
> Content-Type: text/plain; charset=utf-8
>
>
> > On 19/08/2018, at 6:57 PM, Michael Ducharme <mducharme(a)gmail.com> wrote:
> >
> > On 8/18/2018 10:49 PM, Nathan Ward wrote:
> >> If this would be the approach then I think it’s best left as examples
> of what could be done, rather than change the standard schema - a standard
> schema needs to support 0+ of each of the fields you suggest here, not
> simply 0-1.
> > There *needs* to be a standard schema for IPv6 soon, the billing system
> we use does not support IPv6 RADIUS accounting yet mainly because there are
> no standard FreeRADIUS/MySQL field names to read the data from (hence the
> reason for my question and my pull request). How can I get our billing
> system vendor to support IPv6 RADIUS accounting in FreeRADIUS/MySQL when
> there are not even standard fields for storing this data?
>
> I would query why that data is in your billing system, but, I’m sure you
> have your reasons.
> Generally I prefer to expose data to “external” systems through APIs,
> rather than give them direct database access and tightly couple two
> applications together though a DB schema which may need to change for one
> side or the other.
>
> > And, regarding 0+ instead of 0-1, even though the attributes may
> technically be usable multiple times, how often does this happen in
> practice? I would expect extremely rarely, based on what I have seen,
> especially in an automated sense. If there are multiple
> Delegated-IPv6-Prefix attributes, chances are that it is not due to an
> automated system but instead due to RADIUS assignment of
> Delegated-IPv6-Prefix, and that case is like the IPv4 Framed-Route
> attribute. If Delegated-IPv6-Prefix is assigned via RADIUS from the
> beginning, then at least there is a record that that prefix was assigned to
> that customer besides the accounting record.
>
> > I just don't want this to turn into a "lets do nothing" situation, due
> to a few potential corner case situations, because then nothing is going to
> happen.
>
> I don’t think this is a hard problem to solve in a more flexible manner.
> Given that, I think we should do so.
>
> --
> Nathan Ward
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 160, Issue 34
> *************************************************
>
1
0