Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2019
- 75 participants
- 80 discussions
Dear freeradius users
I would like to implement the following attribute of the 3GPP2 dictionary:- "DNS-Server-IP-Address"
It is an attribute which is using subtypes.
Can someone please point me on a "how-to" implement subtypes ?
mit freundlichen Grüssen / Best Regards
Cesare Esposito
Manager Network Engineering
Tel: +492215000254
Mobile: +491635000627
Mail: cesare.esposito(a)inquam-solutions.de<mailto:cesare.esposito@inquam-solutions.de<mailto:cesare.esposito@inquam-solutions.de%3cmailto:cesare.esposito@inquam-solutions.de>>
------------------------------------------------------------------
Inquam Solutions GmbH, Adolf-Grimme-Allee 3, D-50829 Köln,
Geschäftsführer: Carsten Ullrich, Andrzej Cwik Handelsregister: Amtsgericht Köln HRB 33214
----------------------------------------------------------------------------------------------------------------
Disclaimer:
This e-mail message is for the sole use of the intended recipient(s) and may contain privileged or confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please immediately contact the sender by reply e-mail and delete the original message including any attachments and destroy all copies thereof. Thank you for your cooperation.
2
1
Hi list,
i have an old ERX1440 Juniper BRAS. It is working very well with
thousands of pppoe connections. CPU is not burden at all, memory too.
But, from time to time there are large delays in STOP packets (over 20
minutes).
For example (radius detail log):
Wed Mar 20 15:02:56 2019
Acct-Status-Type = Stop
User-Name = "***"
Event-Timestamp = "Mar 20 2019 14:40:09 CET"
Acct-Delay-Time = 0
NAS-Identifier = "ERX1440***"
Acct-Session-Id = "0252606670"
NAS-IP-Address = ****
Service-Type = Framed-User
For this particular event radius is going to use localtime and in
database acctstoptime will be Wed Mar 20 15:02:56 2019.
Is there a way to tell radius to use Event-Timestamp if it exists?
I already tried with attr_rewrite, but acctsoptime wil be recalculated
in sql modul during inserts, right?
Thank you all,
Igor
2
5
HI Team,
I have rried running command radwho/radlast but it gave error (cannot open
/usr/local/var/log/radius/radwtmp: No such file or directory)
When i run with diff path it works.
radwho -F /var/log/freeradius/radwtmp
Login Name What TTY When From Location
I am using freeradius version 3.0.x with mysql.
--
Thanks & Regards
Aditya Vijjan
2
1
Hi,
I'm using freeradius 3.0.13 and I'm using it with openldap. I'm already
mapped the ldap attributes, but unfortunately, I have radiusExpiration
saved in ldap with double quotes and doesn't match the format that accepts.
I have searched in this list and google how to strip first and last char
of radiusExpire variable without result. Anyone knows how to do it?
Error: (669) LDAP_A: WARNING: Failed parsing value "\"02 apr 2019\"" for
attribute Expiration: failed to parse time string ""02 apr 2019""
/etc/raddb/mods-enabled/ldap
...
update {
...
control:Expiration := 'radiusExpiration'
....
}
Thanks.
2
1
Hi.
I am using freeradius 3.0.
I want to send a "Packet of Disconnect" message for all open sessions to force freeradius to close all open radacct records.
Should i send a disconnect message for each user separately or is there way to send one message to close all sessions?
Thanks.
2
2
20 Mar '19
Hello everyone,
I am new to this mailing list.
We have an 'eduroam' freeradius setup with an LDAP backend, including profiles etc from LDAP.
In part thanks to key information found on this list, the setup works and WiFi authentication works. Yeah!
However one thing has been bugging me and I cannot seem to fix it:
* during the whole EAP/PEAP negotiation, radiusd performs the exact same LDAP calls twice.
This occurs in step 7 and step 8 of the negotiation process, as can be seen in the debug output below: rlm_ldap performs the exact same lookups and searches in both steps.
How can I prevent this from happening? The LDAP servers are fast, but this means an unnecessary doubling of the load radiusd places on them, and we have many hundreds of thousands of authentications per day.
Thanks, regards,
Mark van Reijn
Debug output:
FreeRADIUS Version 3.0.15
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/eduroam-proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/nivo-eap-inner
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/cache
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/nivo-linelog
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/nivo-eap
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/nivo-ldap
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/dhcp
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/nivo-eduroam-inner
including configuration file /etc/raddb/sites-enabled/nivo-eduroam
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
home_server eduroam_flr_server_1 {
ipaddr = radius1.eduroam.kennisnet.nl IPv4 address [145.97.36.58]
port = 0
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server eduroam_flr_server_2 {
ipaddr = radius2.eduroam.kennisnet.nl IPv4 address [145.97.36.59]
port = 0
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool eduroam_flr_pool {
type = keyed-balance
home_server = eduroam_flr_server_1
home_server = eduroam_flr_server_2
}
realm eduroam_flr {
auth_pool = eduroam_flr_pool
nostrip
}
radiusd: #### Loading Clients ####
Debugger not attached
# Creating Auth-Type = inner-eap
# Creating Auth-Type = mschap
# Creating Auth-Type = pap
# Creating Auth-Type = eap
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_eap
# Loading module "inner-eap" from file /etc/raddb/mods-enabled/nivo-eap-inner
eap inner-eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_cache
# Loading module "cache" from file /etc/raddb/mods-enabled/cache
cache {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 10
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_linelog
# Loading module "linelog_recv_request" from file /etc/raddb/mods-enabled/nivo-linelog
linelog linelog_recv_request {
filename = "syslog"
escape_filenames = no
syslog_facility = "local0"
syslog_severity = "debug"
permissions = 384
format = "action = Recv-Request, %{pairs:request:}"
}
# Loading module "linelog_send_accept" from file /etc/raddb/mods-enabled/nivo-linelog
linelog linelog_send_accept {
filename = "syslog"
escape_filenames = no
syslog_facility = "local0"
syslog_severity = "debug"
permissions = 384
format = "action = Send-Accept, %{pairs:reply:}"
}
# Loading module "linelog_send_reject" from file /etc/raddb/mods-enabled/nivo-linelog
linelog linelog_send_reject {
filename = "syslog"
escape_filenames = no
syslog_facility = "local0"
syslog_severity = "debug"
permissions = 384
format = "action = Send-Reject, %{pairs:request:}"
}
# Loading module "linelog_send_proxy_request" from file /etc/raddb/mods-enabled/nivo-linelog
linelog linelog_send_proxy_request {
filename = "syslog"
escape_filenames = no
syslog_facility = "local0"
syslog_severity = "debug"
permissions = 384
format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
}
# Loading module "linelog_recv_proxy_response" from file /etc/raddb/mods-enabled/nivo-linelog
linelog linelog_recv_proxy_response {
filename = "syslog"
escape_filenames = no
syslog_facility = "local0"
syslog_severity = "debug"
permissions = 384
format = "action = Recv-Proxy-Response, %{pairs:proxy-reply:}"
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "eap" from file /etc/raddb/mods-enabled/nivo-eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/raddb/mods-enabled/nivo-ldap
ldap {
server = "localhost"
port = 389
identity = "cn=sa-radius,ou=accounts,o=services"
password = <<< secret >>>
sasl {
}
valuepair_attribute = "nivoRadiusAttribute"
edir = yes
edir_autz = yes
read_clients = yes
user {
scope = "sub"
access_attribute = "nivoRadiusNoAccess"
access_positive = no
sasl {
}
}
group {
filter = "(objectClass=nivoGroup)"
scope = "one"
name_attribute = "cn"
membership_attribute = "groupMembership"
membership_filter = "(member=%{control:Ldap-UserDn})"
cacheable_name = no
cacheable_dn = no
}
client {
filter = "(objectClass=nivoRadiusClient)"
scope = "one"
base_dn = "ou=clients,ou=radius,o=config"
}
profile {
attribute = "nivoRadiusProfileDn"
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = no
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = yes
require_cert = "never"
}
}
Creating attribute LDAP-Group
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
instantiate {
}
# Instantiating module "inner-eap" from file /etc/raddb/mods-enabled/nivo-eap-inner
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "cache" from file /etc/raddb/mods-enabled/cache
rlm_cache (cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "linelog_recv_request" from file /etc/raddb/mods-enabled/nivo-linelog
# Instantiating module "linelog_send_accept" from file /etc/raddb/mods-enabled/nivo-linelog
# Instantiating module "linelog_send_reject" from file /etc/raddb/mods-enabled/nivo-linelog
# Instantiating module "linelog_send_proxy_request" from file /etc/raddb/mods-enabled/nivo-linelog
# Instantiating module "linelog_recv_proxy_response" from file /etc/raddb/mods-enabled/nivo-linelog
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "eap" from file /etc/raddb/mods-enabled/nivo-eap
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "eduroam-inner"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 8
name = "nivo-cache"
max_entries = 0
persist_dir = "/var/log/radius/tlscache"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/nivo-ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20441
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS certificate verification: Error, self signed certificate in certificate chain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS certificate verification: Error, self signed certificate in certificate chain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS certificate verification: Error, self signed certificate in certificate chain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS certificate verification: Error, self signed certificate in certificate chain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS certificate verification: Error, self signed certificate in certificate chain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Loading dynamic clients
rlm_ldap (ldap): Reserved connection (0)
rlm_ldap (ldap): Performing search in "ou=clients,ou=radius,o=config" with filter "(objectClass=nivoRadiusClient)", scope "one"
rlm_ldap (ldap): Waiting for search result...
client cn=localhost,ou=clients,ou=radius,o=config {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "nivo"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
rlm_ldap (ldap): Client "cn=localhost,ou=clients,ou=radius,o=config" added
client cn=obelix,ou=clients,ou=radius,o=config {
ipaddr = 172.16.48.123
require_message_authenticator = no
secret = <<< secret >>>
shortname = "obelix"
nas_type = "obelix"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
rlm_ldap (ldap): Client "cn=obelix,ou=clients,ou=radius,o=config" added
client cn=nivo-school,ou=clients,ou=radius,o=config {
ipaddr = 172.16.48.115
require_message_authenticator = no
secret = <<< secret >>>
shortname = "josef"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
rlm_ldap (ldap): Client "cn=nivo-school,ou=clients,ou=radius,o=config" added
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS certificate verification: Error, self signed certificate in certificate chain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server eduroam-inner { # from file /etc/raddb/sites-enabled/nivo-eduroam-inner
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server eduroam-inner
server eduroam { # from file /etc/raddb/sites-enabled/nivo-eduroam
# Loading authenticate {...}
# Loading authorize {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server eduroam
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 1812
}
Listening on auth address * port 18120 bound to server eduroam-inner
Listening on auth address * port 1812 bound to server eduroam
Listening on proxy address * port 44873
Ready to process requests
(0) Received Access-Request Id 0 from 127.0.0.1:45195 to 127.0.0.1:1812 length 148
(0) User-Name = "anonymous(a)nivo.im"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x0200001601616e6f6e796d6f7573406e69766f2e696d
(0) Message-Authenticator = 0x598a0aeeccecf47c0123369b319270f8
(0) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(0) authorize {
(0) policy split_username_nai {
(0) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(0) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(0) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(0) update request {
(0) EXPAND %{1}
(0) --> anonymous
(0) &Stripped-User-Name := anonymous
(0) EXPAND %{3}
(0) --> nivo.im
(0) &Stripped-User-Domain = nivo.im
(0) } # update request = noop
(0) [updated] = updated
(0) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy split_username_nai = updated
(0) if (noop || !&Stripped-User-Domain) {
(0) if (noop || !&Stripped-User-Domain) -> FALSE
(0) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(0) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(0) eap: Peer sent EAP Response (code 2) ID 0 length 22
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x83a5a6c583a4bf32
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(0) Post-Auth-Type Challenge {
(0) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(0) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(0) } # Post-Auth-Type Challenge = noop
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x83a5a6c583a4bf3297f8fb882007e6d8
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:45195 to 127.0.0.1:1812 length 445
(1) User-Name = "anonymous(a)nivo.im"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x0201012b198000000121160301011c010001180303ce8317d9ecb7a6bf3c59be1461cc65455c708fd520665680cbccbdec4085cbcf0000aac030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d003500
(1) State = 0x83a5a6c583a4bf3297f8fb882007e6d8
(1) Message-Authenticator = 0x7ae8869203bff2c67be3913f8a582d4c
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(1) authorize {
(1) policy split_username_nai {
(1) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(1) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(1) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(1) update request {
(1) EXPAND %{1}
(1) --> anonymous
(1) &Stripped-User-Name := anonymous
(1) EXPAND %{3}
(1) --> nivo.im
(1) &Stripped-User-Domain = nivo.im
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy split_username_nai = updated
(1) if (noop || !&Stripped-User-Domain) {
(1) if (noop || !&Stripped-User-Domain) -> FALSE
(1) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(1) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(1) eap: Peer sent EAP Response (code 2) ID 1 length 299
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(1) authenticate {
(1) eap: Expiring EAP session with state 0x83a5a6c583a4bf32
(1) eap: Finished EAP session with state 0x83a5a6c583a4bf32
(1) eap: Previous EAP request found for state 0x83a5a6c583a4bf32, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 289 bytes
(1) eap_peap: Got complete TLS record (289 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.2 [length 011c]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 005e]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 08d3]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 014d]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 0004]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1014
(1) eap: EAP session adding &reply:State = 0x83a5a6c582a7bf32
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(1) Post-Auth-Type Challenge {
(1) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(1) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(1) } # Post-Auth-Type Challenge = noop
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(1) EAP-Message = 0x010203f619c000000a96160303005e0200005a0303a4f2f123d577a5ab1475eb713c7ae79668b085624dc262ebfb3a20c15d7e76d1202dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154dc030000012ff01000100000b000403000102000f00010116030308d30b0008cf00
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x83a5a6c582a7bf3297f8fb882007e6d8
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 127.0.0.1:45195 to 127.0.0.1:1812 length 150
(2) User-Name = "anonymous(a)nivo.im"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message = 0x020200061900
(2) State = 0x83a5a6c582a7bf3297f8fb882007e6d8
(2) Message-Authenticator = 0xc3baacf775e22132870f178153c40328
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(2) authorize {
(2) policy split_username_nai {
(2) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(2) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(2) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(2) update request {
(2) EXPAND %{1}
(2) --> anonymous
(2) &Stripped-User-Name := anonymous
(2) EXPAND %{3}
(2) --> nivo.im
(2) &Stripped-User-Domain = nivo.im
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy split_username_nai = updated
(2) if (noop || !&Stripped-User-Domain) {
(2) if (noop || !&Stripped-User-Domain) -> FALSE
(2) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(2) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(2) authenticate {
(2) eap: Expiring EAP session with state 0x83a5a6c582a7bf32
(2) eap: Finished EAP session with state 0x83a5a6c582a7bf32
(2) eap: Previous EAP request found for state 0x83a5a6c582a7bf32, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1010
(2) eap: EAP session adding &reply:State = 0x83a5a6c581a6bf32
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(2) Post-Auth-Type Challenge {
(2) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(2) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(2) } # Post-Auth-Type Challenge = noop
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(2) EAP-Message = 0x010303f21940f9a92d7bc1831ce43842a7729308f0bebd13f6ed29f940d889e39e8c3bc921fbbe4c0bced1da32d8fc80b36ab48f83b37d00a663f8b5e2407701fbce3c4dcfd21530d0c3e94f08e1277619aa8cbc174cd04fc49d38e5f82576712e34f16e66898648396a0004e8308204e4308203cca003
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x83a5a6c581a6bf3297f8fb882007e6d8
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 127.0.0.1:45195 to 127.0.0.1:1812 length 150
(3) User-Name = "anonymous(a)nivo.im"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x020300061900
(3) State = 0x83a5a6c581a6bf3297f8fb882007e6d8
(3) Message-Authenticator = 0x1da38e54b87f3c8958f17c2028642d94
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(3) authorize {
(3) policy split_username_nai {
(3) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(3) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(3) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(3) update request {
(3) EXPAND %{1}
(3) --> anonymous
(3) &Stripped-User-Name := anonymous
(3) EXPAND %{3}
(3) --> nivo.im
(3) &Stripped-User-Domain = nivo.im
(3) } # update request = noop
(3) [updated] = updated
(3) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy split_username_nai = updated
(3) if (noop || !&Stripped-User-Domain) {
(3) if (noop || !&Stripped-User-Domain) -> FALSE
(3) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(3) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(3) authenticate {
(3) eap: Expiring EAP session with state 0x83a5a6c581a6bf32
(3) eap: Finished EAP session with state 0x83a5a6c581a6bf32
(3) eap: Previous EAP request found for state 0x83a5a6c581a6bf32, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 708
(3) eap: EAP session adding &reply:State = 0x83a5a6c580a1bf32
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(3) Post-Auth-Type Challenge {
(3) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(3) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(3) } # Post-Auth-Type Challenge = noop
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(3) EAP-Message = 0x010402c41900e4cf09c90800300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101003803d3dfabad274231f8a05e1ad8
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x83a5a6c580a1bf3297f8fb882007e6d8
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 127.0.0.1:45195 to 127.0.0.1:1812 length 280
(4) User-Name = "anonymous(a)nivo.im"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x0204008819800000007e1603030046100000424104a1a455296c78320c0ac73e21a9fc1b81bcdaec90a80082d60944ade1483d0c129bec406de432b4590dadb0c61bddeaa20678ea06c012bdff92fedc493b973e351403030001011603030028d555a9d7a5232c19830ef49204771f9ac8ad24c593310d
(4) State = 0x83a5a6c580a1bf3297f8fb882007e6d8
(4) Message-Authenticator = 0xf22d6434b677b0c13c5af39287124050
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(4) authorize {
(4) policy split_username_nai {
(4) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(4) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(4) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(4) update request {
(4) EXPAND %{1}
(4) --> anonymous
(4) &Stripped-User-Name := anonymous
(4) EXPAND %{3}
(4) --> nivo.im
(4) &Stripped-User-Domain = nivo.im
(4) } # update request = noop
(4) [updated] = updated
(4) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy split_username_nai = updated
(4) if (noop || !&Stripped-User-Domain) {
(4) if (noop || !&Stripped-User-Domain) -> FALSE
(4) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(4) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(4) eap: Peer sent EAP Response (code 2) ID 4 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(4) authenticate {
(4) eap: Expiring EAP session with state 0x83a5a6c580a1bf32
(4) eap: Finished EAP session with state 0x83a5a6c580a1bf32
(4) eap: Previous EAP request found for state 0x83a5a6c580a1bf32, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: <<< recv TLS 1.2 [length 0001]
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: Serialising session 2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d, and storing in cache
(4) eap_peap: WARNING: Wrote session 2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d to /var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1 (133 bytes)
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 57
(4) eap: EAP session adding &reply:State = 0x83a5a6c587a0bf32
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(4) Post-Auth-Type Challenge {
(4) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(4) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(4) } # Post-Auth-Type Challenge = noop
(4) session-state: Saving cached attributes
(4) TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(4) EAP-Message = 0x01050039190014030300010116030300288cb26cdae48a74dc6dbef534a1076f2317cafd2255a15e2469a2d298a212df4f1e030418ac22286f
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x83a5a6c587a0bf3297f8fb882007e6d8
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 127.0.0.1:45195 to 127.0.0.1:1812 length 150
(5) User-Name = "anonymous(a)nivo.im"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message = 0x020500061900
(5) State = 0x83a5a6c587a0bf3297f8fb882007e6d8
(5) Message-Authenticator = 0x635da02ba9bd74263ddaca65cc1bf424
(5) Restoring &session-state
(5) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(5) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(5) authorize {
(5) policy split_username_nai {
(5) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(5) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(5) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(5) update request {
(5) EXPAND %{1}
(5) --> anonymous
(5) &Stripped-User-Name := anonymous
(5) EXPAND %{3}
(5) --> nivo.im
(5) &Stripped-User-Domain = nivo.im
(5) } # update request = noop
(5) [updated] = updated
(5) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy split_username_nai = updated
(5) if (noop || !&Stripped-User-Domain) {
(5) if (noop || !&Stripped-User-Domain) -> FALSE
(5) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(5) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(5) authenticate {
(5) eap: Expiring EAP session with state 0x83a5a6c587a0bf32
(5) eap: Finished EAP session with state 0x83a5a6c587a0bf32
(5) eap: Previous EAP request found for state 0x83a5a6c587a0bf32, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 40
(5) eap: EAP session adding &reply:State = 0x83a5a6c586a3bf32
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(5) Post-Auth-Type Challenge {
(5) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(5) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(5) } # Post-Auth-Type Challenge = noop
(5) session-state: Saving cached attributes
(5) TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(5) EAP-Message = 0x010600281900170303001d8cb26cdae48a74ddf10aeb4d683568c03fae04ca77c572c9d6381bbf35
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x83a5a6c586a3bf3297f8fb882007e6d8
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 6 from 127.0.0.1:45195 to 127.0.0.1:1812 length 199
(6) User-Name = "anonymous(a)nivo.im"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message = 0x020600371900170303002cd555a9d7a5232c1a7e404a719962ba649d98f720d64f302c06c9ea15eb17a9d3dcc7c54e3385bdd0bfe33cf0
(6) State = 0x83a5a6c586a3bf3297f8fb882007e6d8
(6) Message-Authenticator = 0xcb0a8eb8dd3aee90e7221258ef39808c
(6) Restoring &session-state
(6) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(6) authorize {
(6) policy split_username_nai {
(6) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(6) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(6) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(6) update request {
(6) EXPAND %{1}
(6) --> anonymous
(6) &Stripped-User-Name := anonymous
(6) EXPAND %{3}
(6) --> nivo.im
(6) &Stripped-User-Domain = nivo.im
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy split_username_nai = updated
(6) if (noop || !&Stripped-User-Domain) {
(6) if (noop || !&Stripped-User-Domain) -> FALSE
(6) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(6) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(6) eap: Peer sent EAP Response (code 2) ID 6 length 55
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(6) authenticate {
(6) eap: Expiring EAP session with state 0x83a5a6c586a3bf32
(6) eap: Finished EAP session with state 0x83a5a6c586a3bf32
(6) eap: Previous EAP request found for state 0x83a5a6c586a3bf32, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - radius-test(a)nivo.im
(6) eap_peap: Got inner identity 'radius-test(a)nivo.im'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x02060018017261646975732d74657374406e69766f2e696d
(6) eap_peap: Setting User-Name to radius-test(a)nivo.im
(6) eap_peap: Sending tunneled request to eduroam-inner
(6) eap_peap: EAP-Message = 0x02060018017261646975732d74657374406e69766f2e696d
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "radius-test(a)nivo.im"
(6) eap_peap: NAS-IP-Address = 127.0.0.1
(6) eap_peap: Calling-Station-Id = "02-00-00-00-00-01"
(6) eap_peap: Framed-MTU = 1400
(6) eap_peap: NAS-Port-Type = Wireless-802.11
(6) eap_peap: Service-Type = Framed-User
(6) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Virtual server eduroam-inner received request
(6) EAP-Message = 0x02060018017261646975732d74657374406e69766f2e696d
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "radius-test(a)nivo.im"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) server eduroam-inner {
(6) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(6) authorize {
(6) policy split_username_nai {
(6) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(6) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(6) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(6) update request {
(6) EXPAND %{1}
(6) --> radius-test
(6) &Stripped-User-Name := radius-test
(6) EXPAND %{3}
(6) --> nivo.im
(6) &Stripped-User-Domain = nivo.im
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy split_username_nai = updated
(6) if (noop || (&Stripped-User-Domain && (&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
(6) if (noop || (&Stripped-User-Domain && (&outer.Stripped-User-Domain != &Stripped-User-Domain))) -> FALSE
(6) inner-eap: Peer sent EAP Response (code 2) ID 6 length 24
(6) inner-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [inner-eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = inner-eap
(6) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(6) authenticate {
(6) inner-eap: Peer sent packet with method EAP Identity (1)
(6) inner-eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) inner-eap: Sending EAP Request (code 1) ID 7 length 43
(6) inner-eap: EAP session adding &reply:State = 0xfb1af5c9fb1def35
(6) [inner-eap] = handled
(6) } # authenticate = handled
(6) } # server eduroam-inner
(6) Virtual server sending reply
(6) EAP-Message = 0x0107002b1a0107002610d41937003d907712ef774dbca8cc34dc667265657261646975732d332e302e3135
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xfb1af5c9fb1def35157513a9c717c55d
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x0107002b1a0107002610d41937003d907712ef774dbca8cc34dc667265657261646975732d332e302e3135
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xfb1af5c9fb1def35157513a9c717c55d
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x0107002b1a0107002610d41937003d907712ef774dbca8cc34dc667265657261646975732d332e302e3135
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xfb1af5c9fb1def35157513a9c717c55d
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 74
(6) eap: EAP session adding &reply:State = 0x83a5a6c585a2bf32
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(6) Post-Auth-Type Challenge {
(6) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(6) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(6) } # Post-Auth-Type Challenge = noop
(6) session-state: Saving cached attributes
(6) TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(6) EAP-Message = 0x0107004a1900170303003f8cb26cdae48a74dec87881efd8d62a908a7d1ddb3bd4243da2120f725575a68aa8accf7909f8ecfcd66e17c501a72ca41155d086d85d354fc9d51c31c377fd
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x83a5a6c585a2bf3297f8fb882007e6d8
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 7 from 127.0.0.1:45195 to 127.0.0.1:1812 length 253
(7) User-Name = "anonymous(a)nivo.im"
(7) NAS-IP-Address = 127.0.0.1
(7) Calling-Station-Id = "02-00-00-00-00-01"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Connect-Info = "CONNECT 11Mbps 802.11b"
(7) EAP-Message = 0x0207006d19001703030062d555a9d7a5232c1bfb602be71ac506ab40e0048020768c920e2d5640fac15ca5e03b5f194bd604e782ea40a408f996268b8b1032de7eab329a611c852ea2651e9726c9ff0a40104838f4ff1c863c0b455818b690c26e205e2e39b893fcf7060d6e66
(7) State = 0x83a5a6c585a2bf3297f8fb882007e6d8
(7) Message-Authenticator = 0xb1aa26a3f3238f694baff19daef1c49f
(7) Restoring &session-state
(7) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(7) authorize {
(7) policy split_username_nai {
(7) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(7) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(7) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(7) update request {
(7) EXPAND %{1}
(7) --> anonymous
(7) &Stripped-User-Name := anonymous
(7) EXPAND %{3}
(7) --> nivo.im
(7) &Stripped-User-Domain = nivo.im
(7) } # update request = noop
(7) [updated] = updated
(7) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy split_username_nai = updated
(7) if (noop || !&Stripped-User-Domain) {
(7) if (noop || !&Stripped-User-Domain) -> FALSE
(7) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(7) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(7) eap: Peer sent EAP Response (code 2) ID 7 length 109
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(7) authenticate {
(7) eap: Expiring EAP session with state 0x83a5a6c585a2bf32
(7) eap: Finished EAP session with state 0x83a5a6c585a2bf32
(7) eap: Previous EAP request found for state 0x83a5a6c585a2bf32, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207004e1a0207004931dbc2433d9ded0530d4e0d99bb7319cc10000000000000000023df6c38ea64f8069dc29233129b9bba71271cc1821e701007261646975732d74657374406e69766f2e696d
(7) eap_peap: Setting User-Name to radius-test(a)nivo.im
(7) eap_peap: Sending tunneled request to eduroam-inner
(7) eap_peap: EAP-Message = 0x0207004e1a0207004931dbc2433d9ded0530d4e0d99bb7319cc10000000000000000023df6c38ea64f8069dc29233129b9bba71271cc1821e701007261646975732d74657374406e69766f2e696d
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "radius-test(a)nivo.im"
(7) eap_peap: State = 0xfb1af5c9fb1def35157513a9c717c55d
(7) eap_peap: NAS-IP-Address = 127.0.0.1
(7) eap_peap: Calling-Station-Id = "02-00-00-00-00-01"
(7) eap_peap: Framed-MTU = 1400
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b"
(7) Virtual server eduroam-inner received request
(7) EAP-Message = 0x0207004e1a0207004931dbc2433d9ded0530d4e0d99bb7319cc10000000000000000023df6c38ea64f8069dc29233129b9bba71271cc1821e701007261646975732d74657374406e69766f2e696d
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "radius-test(a)nivo.im"
(7) State = 0xfb1af5c9fb1def35157513a9c717c55d
(7) NAS-IP-Address = 127.0.0.1
(7) Calling-Station-Id = "02-00-00-00-00-01"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Connect-Info = "CONNECT 11Mbps 802.11b"
(7) server eduroam-inner {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(7) authorize {
(7) policy split_username_nai {
(7) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(7) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(7) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(7) update request {
(7) EXPAND %{1}
(7) --> radius-test
(7) &Stripped-User-Name := radius-test
(7) EXPAND %{3}
(7) --> nivo.im
(7) &Stripped-User-Domain = nivo.im
(7) } # update request = noop
(7) [updated] = updated
(7) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy split_username_nai = updated
(7) if (noop || (&Stripped-User-Domain && (&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
(7) if (noop || (&Stripped-User-Domain && (&outer.Stripped-User-Domain != &Stripped-User-Domain))) -> FALSE
(7) inner-eap: Peer sent EAP Response (code 2) ID 7 length 78
(7) inner-eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [inner-eap] = updated
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (nivoUserName=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (nivoUserName=radius-test)
(7) ldap: Performing search in "ou=identities,o=vault" with filter "(nivoUserName=radius-test)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "cn=radius-test,ou=guests,ou=identities,o=vault"
(7) ldap: Added eDirectory password
(7) ldap: Binding as user for eDirectory authorization checks
(7) ldap: Waiting for bind result...
(7) ldap: Bind successful
(7) ldap: Bind as user 'cn=radius-test,ou=guests,ou=identities,o=vault' was successful
(7) ldap: Waiting for bind result...
(7) ldap: Bind successful
(7) ldap: Performing search in "cn=default,ou=profiles,ou=radius,o=config" with filter "(objectclass=nivoRadiusProfile)", scope "base"
(7) ldap: Waiting for search result...
(7) ldap: Processing profile attributes
(7) ldap: Tunnel-Medium-Type := IEEE-802
(7) ldap: Tunnel-Private-Group-Id := 100
(7) ldap: Tunnel-Type := VLAN
(7) ldap: Processing user attributes
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
TLS certificate verification: Error, self signed certificate in certificate chain
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) [ldap] = updated
(7) update {
rlm_ldap (ldap): Reserved connection (2)
(7) Performing search in "ou=groups,o=vault" with filter "(&(member=cn\3dradius-test\2cou\3dguests\2cou\3didentities\2co\3dvault)(nivoRadiusProfileDN=*))", scope "one"
(7) Waiting for search result...
(7) Search returned no results
rlm_ldap (ldap): Released connection (2)
(7) EXPAND %{ldap:ldap:///ou=groups,o=vault?nivoRadiusProfileDN?one?(&(member=%{control:Ldap-UserDN})(nivoRadiusProfileDN=*))}
(7) -->
(7) User-Profile :=
(7) } # update = noop
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) [mschap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = inner-eap
(7) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(7) authenticate {
(7) inner-eap: Expiring EAP session with state 0xfb1af5c9fb1def35
(7) inner-eap: Finished EAP session with state 0xfb1af5c9fb1def35
(7) inner-eap: Previous EAP request found for state 0xfb1af5c9fb1def35, released from the list
(7) inner-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) inner-eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(7) eap_mschapv2: authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: radius-test(a)nivo.im
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # authenticate = ok
(7) MSCHAP Success
(7) inner-eap: Sending EAP Request (code 1) ID 8 length 51
(7) inner-eap: EAP session adding &reply:State = 0xfb1af5c9fa12ef35
(7) [inner-eap] = handled
(7) } # authenticate = handled
(7) } # server eduroam-inner
(7) Virtual server sending reply
(7) Tunnel-Medium-Type := IEEE-802
(7) Tunnel-Private-Group-Id := "100"
(7) Tunnel-Type := VLAN
(7) EAP-Message = 0x010800331a0307002e533d46364144364644453838443438353230413045393130313737313034313731423536373841383345
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xfb1af5c9fa12ef35157513a9c717c55d
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: Tunnel-Medium-Type := IEEE-802
(7) eap_peap: Tunnel-Private-Group-Id := "100"
(7) eap_peap: Tunnel-Type := VLAN
(7) eap_peap: EAP-Message = 0x010800331a0307002e533d46364144364644453838443438353230413045393130313737313034313731423536373841383345
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xfb1af5c9fa12ef35157513a9c717c55d
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: Tunnel-Medium-Type := IEEE-802
(7) eap_peap: Tunnel-Private-Group-Id := "100"
(7) eap_peap: Tunnel-Type := VLAN
(7) eap_peap: EAP-Message = 0x010800331a0307002e533d46364144364644453838443438353230413045393130313737313034313731423536373841383345
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xfb1af5c9fa12ef35157513a9c717c55d
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 82
(7) eap: EAP session adding &reply:State = 0x83a5a6c584adbf32
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(7) Post-Auth-Type Challenge {
(7) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(7) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(7) } # Post-Auth-Type Challenge = noop
(7) session-state: Saving cached attributes
(7) TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(7) EAP-Message = 0x01080052190017030300478cb26cdae48a74dfe5d6b80e6659a4d3cdcb60924d42d1fc17756a8df98c7fbb5df3415fd1878a16a90db9ffc87a8ca04f14a788159fda58a88d3228bfc710f8ada09e0dc86143
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x83a5a6c584adbf3297f8fb882007e6d8
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 8 from 127.0.0.1:45195 to 127.0.0.1:1812 length 181
(8) User-Name = "anonymous(a)nivo.im"
(8) NAS-IP-Address = 127.0.0.1
(8) Calling-Station-Id = "02-00-00-00-00-01"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) EAP-Message = 0x020800251900170303001ad555a9d7a5232c1cf57207ad5a3a2db4faaf3ffab6463939dc09
(8) State = 0x83a5a6c584adbf3297f8fb882007e6d8
(8) Message-Authenticator = 0x685a6a0787c917d31df8b3010a666400
(8) Restoring &session-state
(8) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(8) authorize {
(8) policy split_username_nai {
(8) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(8) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(8) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(8) update request {
(8) EXPAND %{1}
(8) --> anonymous
(8) &Stripped-User-Name := anonymous
(8) EXPAND %{3}
(8) --> nivo.im
(8) &Stripped-User-Domain = nivo.im
(8) } # update request = noop
(8) [updated] = updated
(8) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy split_username_nai = updated
(8) if (noop || !&Stripped-User-Domain) {
(8) if (noop || !&Stripped-User-Domain) -> FALSE
(8) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(8) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(8) eap: Peer sent EAP Response (code 2) ID 8 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(8) authenticate {
(8) eap: Expiring EAP session with state 0x83a5a6c584adbf32
(8) eap: Finished EAP session with state 0x83a5a6c584adbf32
(8) eap: Previous EAP request found for state 0x83a5a6c584adbf32, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: Setting User-Name to radius-test(a)nivo.im
(8) eap_peap: Sending tunneled request to eduroam-inner
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "radius-test(a)nivo.im"
(8) eap_peap: State = 0xfb1af5c9fa12ef35157513a9c717c55d
(8) eap_peap: NAS-IP-Address = 127.0.0.1
(8) eap_peap: Calling-Station-Id = "02-00-00-00-00-01"
(8) eap_peap: Framed-MTU = 1400
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b"
(8) Virtual server eduroam-inner received request
(8) EAP-Message = 0x020800061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "radius-test(a)nivo.im"
(8) State = 0xfb1af5c9fa12ef35157513a9c717c55d
(8) NAS-IP-Address = 127.0.0.1
(8) Calling-Station-Id = "02-00-00-00-00-01"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) server eduroam-inner {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(8) authorize {
(8) policy split_username_nai {
(8) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(8) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(8) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(8) update request {
(8) EXPAND %{1}
(8) --> radius-test
(8) &Stripped-User-Name := radius-test
(8) EXPAND %{3}
(8) --> nivo.im
(8) &Stripped-User-Domain = nivo.im
(8) } # update request = noop
(8) [updated] = updated
(8) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy split_username_nai = updated
(8) if (noop || (&Stripped-User-Domain && (&outer.Stripped-User-Domain != &Stripped-User-Domain))) {
(8) if (noop || (&Stripped-User-Domain && (&outer.Stripped-User-Domain != &Stripped-User-Domain))) -> FALSE
(8) inner-eap: Peer sent EAP Response (code 2) ID 8 length 6
(8) inner-eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [inner-eap] = updated
rlm_ldap (ldap): Reserved connection (3)
(8) ldap: EXPAND (nivoUserName=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (nivoUserName=radius-test)
(8) ldap: Performing search in "ou=identities,o=vault" with filter "(nivoUserName=radius-test)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "cn=radius-test,ou=guests,ou=identities,o=vault"
(8) ldap: Added eDirectory password
(8) ldap: Binding as user for eDirectory authorization checks
(8) ldap: Waiting for bind result...
(8) ldap: Bind successful
(8) ldap: Bind as user 'cn=radius-test,ou=guests,ou=identities,o=vault' was successful
(8) ldap: Waiting for bind result...
(8) ldap: Bind successful
(8) ldap: Performing search in "cn=default,ou=profiles,ou=radius,o=config" with filter "(objectclass=nivoRadiusProfile)", scope "base"
(8) ldap: Waiting for search result...
(8) ldap: Processing profile attributes
(8) ldap: Tunnel-Medium-Type := IEEE-802
(8) ldap: Tunnel-Private-Group-Id := 100
(8) ldap: Tunnel-Type := VLAN
(8) ldap: Processing user attributes
rlm_ldap (ldap): Released connection (3)
(8) [ldap] = updated
(8) update {
rlm_ldap (ldap): Reserved connection (4)
(8) Performing search in "ou=groups,o=vault" with filter "(&(member=cn\3dradius-test\2cou\3dguests\2cou\3didentities\2co\3dvault)(nivoRadiusProfileDN=*))", scope "one"
(8) Waiting for search result...
(8) Search returned no results
rlm_ldap (ldap): Released connection (4)
(8) EXPAND %{ldap:ldap:///ou=groups,o=vault?nivoRadiusProfileDN?one?(&(member=%{control:Ldap-UserDN})(nivoRadiusProfileDN=*))}
(8) -->
(8) User-Profile :=
(8) } # update = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) [mschap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = inner-eap
(8) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(8) authenticate {
(8) inner-eap: Expiring EAP session with state 0xfb1af5c9fa12ef35
(8) inner-eap: Finished EAP session with state 0xfb1af5c9fa12ef35
(8) inner-eap: Previous EAP request found for state 0xfb1af5c9fa12ef35, released from the list
(8) inner-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) inner-eap: Calling submodule eap_mschapv2 to process data
(8) inner-eap: Sending EAP Success (code 3) ID 8 length 4
(8) inner-eap: Freeing handler
(8) [inner-eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/nivo-eduroam-inner
(8) post-auth {
(8) if (&User-Profile =~ /^cn=([^,]+).*$/) {
(8) if (&User-Profile =~ /^cn=([^,]+).*$/) -> FALSE
(8) if (&reply:Tunnel-Private-Group-ID) {
(8) if (&reply:Tunnel-Private-Group-ID) -> TRUE
(8) if (&reply:Tunnel-Private-Group-ID) {
(8) update reply {
(8) EXPAND v=%{reply:Tunnel-Private-Group-ID},t=%{reply:Tunnel-Type},m=%{reply:Tunnel-Medium-Type}
(8) --> v=100,t=VLAN,m=IEEE-802
(8) Cached-Session-Policy := v=100,t=VLAN,m=IEEE-802
(8) } # update reply = noop
(8) } # if (&reply:Tunnel-Private-Group-ID) = noop
(8) } # post-auth = noop
(8) } # server eduroam-inner
(8) Virtual server sending reply
(8) Tunnel-Medium-Type := IEEE-802
(8) Tunnel-Private-Group-Id := "100"
(8) Tunnel-Type := VLAN
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x030d3b1fa5ef089ee301c78f5f1f581d
(8) MS-MPPE-Recv-Key = 0x4c21e4dcd91f8e5070903fe456cf030f
(8) EAP-Message = 0x03080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) Stripped-User-Name := "radius-test"
(8) Cached-Session-Policy := "v=100,t=VLAN,m=IEEE-802"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: Tunnel-Medium-Type := IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id := "100"
(8) eap_peap: Tunnel-Type := VLAN
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x030d3b1fa5ef089ee301c78f5f1f581d
(8) eap_peap: MS-MPPE-Recv-Key = 0x4c21e4dcd91f8e5070903fe456cf030f
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Stripped-User-Name := "radius-test"
(8) eap_peap: Cached-Session-Policy := "v=100,t=VLAN,m=IEEE-802"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: Tunnel-Medium-Type := IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id := "100"
(8) eap_peap: Tunnel-Type := VLAN
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x030d3b1fa5ef089ee301c78f5f1f581d
(8) eap_peap: MS-MPPE-Recv-Key = 0x4c21e4dcd91f8e5070903fe456cf030f
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Stripped-User-Name := "radius-test"
(8) eap_peap: Cached-Session-Policy := "v=100,t=VLAN,m=IEEE-802"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 9 length 46
(8) eap: EAP session adding &reply:State = 0x83a5a6c58bacbf32
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(8) Post-Auth-Type Challenge {
(8) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(8) if (&reply:Cached-Session-Policy && &reply:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(8) } # Post-Auth-Type Challenge = noop
(8) session-state: Saving cached attributes
(8) TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(8) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(8) EAP-Message = 0x0109002e190017030300238cb26cdae48a74e021f3e5676aa48cab90be1b096db2d4e59ba183040d89daedc06f22
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x83a5a6c58bacbf3297f8fb882007e6d8
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 9 from 127.0.0.1:45195 to 127.0.0.1:1812 length 190
(9) User-Name = "anonymous(a)nivo.im"
(9) NAS-IP-Address = 127.0.0.1
(9) Calling-Station-Id = "02-00-00-00-00-01"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Connect-Info = "CONNECT 11Mbps 802.11b"
(9) EAP-Message = 0x0209002e19001703030023d555a9d7a5232c1df98262637e77c14e4294e91bbf98b6af39f71f4df273d5b0841a0f
(9) State = 0x83a5a6c58bacbf3297f8fb882007e6d8
(9) Message-Authenticator = 0x437a157bbe6995fae1e0a98bbed98f44
(9) Restoring &session-state
(9) &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d.asn1"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/nivo-eduroam
(9) authorize {
(9) policy split_username_nai {
(9) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(9) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(9) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(9) update request {
(9) EXPAND %{1}
(9) --> anonymous
(9) &Stripped-User-Name := anonymous
(9) EXPAND %{3}
(9) --> nivo.im
(9) &Stripped-User-Domain = nivo.im
(9) } # update request = noop
(9) [updated] = updated
(9) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(9) ... skipping else: Preceding "if" was taken
(9) } # policy split_username_nai = updated
(9) if (noop || !&Stripped-User-Domain) {
(9) if (noop || !&Stripped-User-Domain) -> FALSE
(9) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) {
(9) if (&Stripped-User-Domain !~ /[Nn]ivo\.im/) -> FALSE
(9) eap: Peer sent EAP Response (code 2) ID 9 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/nivo-eduroam
(9) authenticate {
(9) eap: Expiring EAP session with state 0x83a5a6c58bacbf32
(9) eap: Finished EAP session with state 0x83a5a6c58bacbf32
(9) eap: Previous EAP request found for state 0x83a5a6c58bacbf32, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: caching Stripped-User-Name := "anonymous"
(9) eap_peap: caching Stripped-User-Domain = "nivo.im"
(9) eap_peap: Saving session 2dca13077445f03bdd2011f69c2b973b298c6cb909dd614d917d14454c8b154d in the disk cache
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
tls: Freeing cached session VPs
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/nivo-eduroam
(9) post-auth {
(9) if (&control:Proxy-To-Realm && &control:Proxy-To-Realm == 'eduroam_flr') {
(9) if (&control:Proxy-To-Realm && &control:Proxy-To-Realm == 'eduroam_flr') -> FALSE
(9) if (&session-state:Stripped-User-Name) {
(9) if (&session-state:Stripped-User-Name) -> FALSE
(9) if (&session-state:Cached-Session-Policy && &session-state:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) {
(9) if (&session-state:Cached-Session-Policy && &session-state:Cached-Session-Policy =~ /v=(.+),t=(.+),m=(.+)/) -> FALSE
(9) linelog_send_accept: EXPAND action = Send-Accept, %{pairs:reply:}
(9) linelog_send_accept: --> action = Send-Accept, MS-MPPE-Recv-Key = 0x23263892d14c397f30d373067ad29f8c673a19bd0fa42a3e3b74f89cf3fa1f58, MS-MPPE-Send-Key = 0x199553d51fbc32a32a4fcd3edec9f0f0a59836cca6798cd552a9baae611e7899, EAP-MSK = 0x23263892d14c397f30d373067ad29f8c673a19bd0fa42a3e3b74f89cf3fa1f58199553d51fbc32a32a4fcd3edec9f0f0a59836cca6798cd552a9baae611e7899, EAP-EMSK = 0xec548a61ce6133e7a67ecdc37eab50d314b44fbe025f3e8a08288a5da4d62662408e8b8fb0eb65efff3af51b1c0635190555e44e6c4491544f4a57a4b3e3fbd0, EAP-Session-Id = 0x19ce8317d9ecb7a6bf3c59be1461cc65455c708fd520665680cbccbdec4085cbcfa4f2f123d577a5ab1475eb713c7ae79668b085624dc262ebfb3a20c15d7e76d1, EAP-Message = 0x03090004, Message-Authenticator = 0x00000000000000000000000000000000, Stripped-User-Name = "anonymous"
(9) [linelog_send_accept] = ok
(9) } # post-auth = ok
(9) Sent Access-Accept Id 9 from 127.0.0.1:1812 to 127.0.0.1:45195 length 0
(9) MS-MPPE-Recv-Key = 0x23263892d14c397f30d373067ad29f8c673a19bd0fa42a3e3b74f89cf3fa1f58
(9) MS-MPPE-Send-Key = 0x199553d51fbc32a32a4fcd3edec9f0f0a59836cca6798cd552a9baae611e7899
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 0 with timestamp +25
(1) Cleaning up request packet ID 1 with timestamp +25
(2) Cleaning up request packet ID 2 with timestamp +25
(3) Cleaning up request packet ID 3 with timestamp +25
(4) Cleaning up request packet ID 4 with timestamp +25
(5) Cleaning up request packet ID 5 with timestamp +25
(6) Cleaning up request packet ID 6 with timestamp +25
(7) Cleaning up request packet ID 7 with timestamp +25
(8) Cleaning up request packet ID 8 with timestamp +25
(9) Cleaning up request packet ID 9 with timestamp +25
Ready to process requests
3
5
dhcp v4 server bypassing relay agent ip addr and directly replying to ciaddr
by Katuri, Vikram 20 Mar '19
by Katuri, Vikram 20 Mar '19
20 Mar '19
Dear Team,
I am facing a problem with v4 dhcp where the server is not sending replies to the relay agent ip addr(from which it received discover), but rather sending directly to ciaddr(the client that sent discover to the relay agent).
My use case:
----------------
I have a dhcp server (running version 4 , git tag 11ce507fdb001c40cf18d8e42118332350b27bff ) behind a dhcp relay (running version 3.0.19, git tag 63885807ec8d741ecf1af60f9a55edb2d4796982 ).
Discover from my client targeted at the relay is making its way to the dhcp server , but the offer packet from the server is bypassing the relay and directly landing onto the client.
from the pcap it appears that the server (v4) is stripping off the ciaddr and giaddr in the offer packer.
tcpdump on the server:
------------------------
07:38:46.865317 IP 10.43.18.35.67 > 10.43.18.95.67: BOOTP/DHCP, Request from 00:a0:bc:00:00:02, length 300
07:38:46.867240 IP 10.43.18.95.67 > 10.43.18.124.67: BOOTP/DHCP, Reply, length 300
07:38:46.869644 IP 10.43.18.35.67 > 10.43.18.95.67: BOOTP/DHCP, Request from 00:a0:bc:00:00:02, length 300
07:38:46.870689 IP 10.43.18.95.67 > 10.43.18.124.67: BOOTP/DHCP, Reply, length 300
.124(client) -- > .35(relay agent) --> .95(server)
^_ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ |
Please find the radiusd -X output below.
# /usr/local/sbin/radiusd -X
Info : FreeRADIUS Version 4.0.0
Info : Copyright 1999-2019 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/usr/local/etc/raddb/dictionary"
Debug : including configuration file /usr/local/etc/raddb/radiusd.conf
Debug : including configuration file /usr/local/etc/raddb/clients.conf
Debug : Including files in directory "/usr/local/etc/raddb/mods-enabled/"
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/always
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/chap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/client
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/detail
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/digest
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/dhcpv4
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/echo
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/escape
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/exec
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/expiration
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/expr
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/files
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/linelog
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/logintime
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/mschap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/pap
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/passwd
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/radius
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/stats
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/unix
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/unpack
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/utf8
Debug : including configuration file /usr/local/etc/raddb/mods-enabled/redis_ippool
Debug : Including files in directory "/usr/local/etc/raddb/policy.d/"
Debug : including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
Debug : including configuration file /usr/local/etc/raddb/policy.d/accounting
Debug : including configuration file /usr/local/etc/raddb/policy.d/canonicalization
Debug : including configuration file /usr/local/etc/raddb/policy.d/control
Debug : including configuration file /usr/local/etc/raddb/policy.d/cui
Debug : including configuration file /usr/local/etc/raddb/policy.d/debug
Debug : including configuration file /usr/local/etc/raddb/policy.d/dhcp
Debug : including configuration file /usr/local/etc/raddb/policy.d/eap
Debug : including configuration file /usr/local/etc/raddb/policy.d/filter
Debug : including configuration file /usr/local/etc/raddb/policy.d/operator-name
Debug : including configuration file /usr/local/etc/raddb/policy.d/time
Debug : including configuration file /usr/local/etc/raddb/policy.d/vendor
Debug : Including files in directory "/usr/local/etc/raddb/sites-enabled/"
Debug : including configuration file /usr/local/etc/raddb/sites-enabled/dhcp
Debug : Loading dictionaries for proto_dhcpv4
Info : Loaded module "proto_dhcpv4"
Debug : Parsing security rules to bootstrap UID / GID / chroot / etc.
Debug : main {
Debug : security {
Debug : allow_core_dumps = no
Debug : allow_vulnerable_openssl = "no"
Debug : openssl_fips_mode = no
Debug : }
Debug : name = radiusd
Debug : name = "radiusd"
Debug : prefix = "/usr/local"
Debug : local_state_dir = "/usr/local/var"
Debug : run_dir = "/usr/local/var/run/radiusd"
Debug : }
Debug : Parsing main configuration.
Debug : main {
Debug : server dhcp {
Debug : listen {
Debug : type = DHCP-Discover
Debug : Loading dictionaries for proto_dhcpv4_base
Info : Loaded module "proto_dhcpv4_base"
Debug : type = DHCP-Request
Debug : type = DHCP-Inform
Debug : type = DHCP-Release
Debug : type = DHCP-Decline
Debug : transport = udp
Debug : Loading dictionaries for proto_dhcpv4_udp
Info : Loaded module "proto_dhcpv4_udp"
Debug : udp {
Debug : ipaddr = 10.43.18.95
Debug : src_ipaddr = 10.43.18.95
Debug : port = 67
Debug : broadcast = no
Debug : networks {
Debug : }
Debug : max_packet_size = 4096
Debug : max_attributes = 0
Debug : }
Debug : limit {
Debug : idle_timeout = 30.000000
Debug : nak_lifetime = 30.000000
Debug : max_connections = 1024
Debug : max_clients = 256
Debug : max_pending_packets = 256
Debug : priority {
Debug : DHCP-Discover = normal
Debug : DHCP-Request = normal
Debug : DHCP-Decline = normal
Debug : DHCP-Release = normal
Debug : DHCP-Inform = normal
Debug : DHCP-Lease-Query = low
Debug : DHCP-Bulk-Lease-Query = low
Debug : }
Debug : }
Debug : }
Debug : }
Debug : security {
Debug : }
Debug : sbin_dir = "/usr/local/sbin"
Debug : logdir = "/usr/local/var/log/radius"
Debug : libdir = "/usr/local/lib"
Debug : radacctdir = "/usr/local/var/log/radius/radacct"
Debug : reverse_lookups = no
Debug : reverse_lookups = no
Debug : hostname_lookups = yes
Debug : hostname_lookups = yes
Debug : max_request_time = 30
Debug : max_request_time = 30
Debug : pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
Debug : debug_level = 0
Debug : log {
Debug : colourise = yes
Debug : }
Debug : resources {
Debug : }
Debug : thread pool {
Debug : num_networks = 1
Debug : num_networks = 1
Debug : num_workers = 4
Debug : num_workers = 4
Debug : }
Debug : }
Switching to configured log settings
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.0.0.0 {
ipaddr = 10.0.0.0/8
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
trigger { ... } subsection not found, triggers will be disabled
#### Bootstrapping listeners ####
#### Bootstrapping modules ####
modules {
Loaded module "rlm_always"
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
Loading dictionaries for rlm_attr_filter
Loaded module "rlm_attr_filter"
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
relaxed = no
}
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
relaxed = no
}
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
relaxed = no
}
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
relaxed = no
}
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
relaxed = no
}
Loading dictionaries for rlm_cache
Loaded module "rlm_cache"
cache cache_eap {
driver = "rlm_cache_rbtree"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
Loading dictionaries for rlm_chap
Loaded module "rlm_chap"
Loaded module "rlm_client"
Loading dictionaries for rlm_detail
Loaded module "rlm_detail"
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y-%m-%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
Loading dictionaries for rlm_digest
Loaded module "rlm_digest"
Loading dictionaries for rlm_dhcpv4
Loaded module "rlm_dhcpv4"
Loaded module "rlm_exec"
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Loaded module "rlm_escape"
escape {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Loading dictionaries for rlm_expiration
Loaded module "rlm_expiration"
Loaded module "rlm_expr"
Loading dictionaries for rlm_files
Loaded module "rlm_files"
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
Loaded module "rlm_linelog"
linelog {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
server = localhost IPv4 address [127.0.0.1]
port = 514
timeout = 2.000000
}
udp {
server = localhost IPv4 address [127.0.0.1]
port = 514
timeout = 2.000000
}
}
linelog log_accounting {
destination = "file"
delimiter = " "
file {
filename = "/usr/local/var/log/radius/linelog-accounting"
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000.000000
}
udp {
timeout = 1000.000000
}
}
Loading dictionaries for rlm_logintime
Loaded module "rlm_logintime"
logintime {
minimum_timeout = 60
}
Loading dictionaries for rlm_mschap
Loaded module "rlm_mschap"
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind {
}
}
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
Loading dictionaries for rlm_pap
Loaded module "rlm_pap"
pap {
normalise = yes
}
Loading dictionaries for rlm_passwd
Loaded module "rlm_passwd"
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
Loading dictionaries for rlm_radius
Loaded module "rlm_radius"
radius {
transport = udp
Loading dictionaries for rlm_radius_udp
Loaded module "rlm_radius_udp"
udp {
ipaddr = 127.0.0.1
port = 1812
secret = "testing123"
max_packet_size = 4096
}
type = Access-Request
type = Accounting-Request
status_checks {
type = Status-Server
}
max_connections = 32
max_attributes = 255
connection {
connect_timeout = 5.000000
reconnect_delay = 5.000000
idle_timeout = 5.000000
zombie_period = 10.000000
}
Access-Request {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 2
maximum_retransmission_duration = 30
}
Accounting-Request {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 5
maximum_retransmission_duration = 30
}
Status-Server {
initial_retransmission_time = 2
maximum_retransmission_time = 16
maximum_retransmission_count = 5
maximum_retransmission_duration = 30
}
}
Loading dictionaries for rlm_radutmp
Loaded module "rlm_radutmp"
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = no
}
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
Loading dictionaries for rlm_stats
Loaded module "rlm_stats"
stats {
}
Loading dictionaries for rlm_unix
Loaded module "rlm_unix"
unix {
}
Creating attribute Unix-Group
Loading dictionaries for rlm_unpack
Loaded module "rlm_unpack"
Loaded module "rlm_utf8"
libfreeradius-redis: libhiredis version: 0.12.1
Loading dictionaries for rlm_redis_ippool
Loaded module "rlm_redis_ippool"
redis_ippool {
copy_on_update = yes
redis {
server = "10.43.16.162"
port = 6379
database = 0
max_nodes = 20
max_alt = 3
max_redirects = 2
}
}
instantiate {
}
} # modules
#### Instantiating listeners ####
Compiling policies in server dhcp { ... }
compiling - recv DHCP-Discover {...}
compiling - recv DHCP-Request {...}
compiling - recv DHCP-Decline {...}
compiling - recv DHCP-Inform {...}
compiling - recv DHCP-Release {...}
compiling - recv DHCP-Lease-Query {...}
#### Instantiating modules ####
Instantiating module "attr_filter.access_challenge"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
Instantiating module "attr_filter.access_reject"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
Instantiating module "attr_filter.accounting_response"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
Instantiating module "attr_filter.post-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
Instantiating module "attr_filter.pre-proxy"
Reading file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating module "auth_log"
rlm_detail (auth_log) - 'User-Password' suppressed, will not appear in detail output
Instantiating module "cache_eap"
Loaded module "rlm_cache_rbtree"
Instantiating module "detail"
Instantiating module "etc_passwd"
Instantiating module "expiration"
Instantiating module "fail"
Instantiating module "files"
Reading file /usr/local/etc/raddb/mods-config/files/authorize
Reading file /usr/local/etc/raddb/mods-config/files/accounting
Reading file /usr/local/etc/raddb/mods-config/files/pre-proxy
Instantiating module "handled"
Instantiating module "invalid"
Instantiating module "linelog"
Instantiating module "log_accounting"
Instantiating module "logintime"
Instantiating module "mschap"
mschap: using internal authentication
Instantiating module "noop"
Instantiating module "notfound"
Instantiating module "ok"
Instantiating module "post_proxy_log"
Instantiating module "pre_proxy_log"
Instantiating module "radius"
Instantiating module "redis_ippool"
rlm_redis (redis) [1] - Initialising connection pool
pool {
start = 0
min = 4
max = 4
max_pending = 0
spare = 1
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
connect_timeout = 3.000000
held_trigger_min = 0.000000
held_trigger_max = 0.500000
retry_delay = 30
spread = no
}
rlm_redis (redis) [1] - Ignoring "spare = 1", forcing to "spare = 0"
rlm_redis (redis) [1] - 0 of 0 connections in use. You may need to increase "spare"
rlm_redis (redis) [1] - Opening additional connection (0), 1 of 4 pending slots used
rlm_redis (redis) - [1] Connecting to node 10.43.16.162:6379
rlm_redis (redis) [1] - Reserved connection (0)
rlm_redis (redis) [1] - Released connection (0)
rlm_redis (redis) [1] - Need 3 more connections to reach min connections (4)
rlm_redis (redis) [1] - Opening additional connection (1), 1 of 3 pending slots used
rlm_redis (redis) - [1] Connecting to node 10.43.16.162:6379
Instantiating module "reject"
Instantiating module "reply_log"
Instantiating module "stats"
Instantiating module "updated"
Instantiating module "userlock"
[1] radius - Connection initialising
[1] radius - Connection initialised
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Listening on dhcpv4 address proto_dhcpv4_udp server 10.43.18.95 port 67 bound to virtual server dhcp
Waking up in 4.9 seconds.
radius - Connection open - proto udp local 0.0.0.0 port 56038 remote 127.0.0.1 port 1812
radius - Allocated Status-Server ID 0 for status checks on connection proto udp local 0.0.0.0 port 56038 remote 127.0.0.1 port 1812
radius - Setting idle timeout to +5.000000 for connection proto udp local 0.0.0.0 port 56038 remote 127.0.0.1 port 1812
[1] radius - Connection established
Waking up in 4.9 seconds.
Waking up in 4.9 seconds.
radius - Idle timeout for connection proto udp local 0.0.0.0 port 56038 remote 127.0.0.1 port 1812
[1] radius - Closing connection (13)
radius - Connection closed - proto udp local 0.0.0.0 port 56038 remote 127.0.0.1 port 1812
Ready to process requests
proto_dhcpv4_udp - Received DHCP-Discover XID 00000000 length 300 proto_dhcpv4_udp server 10.43.18.95 port 67
Resetting worker 30 cleanup timer to +0s
(0) running request
(0) Received DHCP-Discover XID 00000000 from 10.43.18.35:67 to 10.43.18.95:67 via eth1
(0) &DHCP-Opcode = Client-Message
(0) &DHCP-Hardware-Type = Ethernet
(0) &DHCP-Hardware-Address-Length = 6
(0) &DHCP-Hop-Count = 2
(0) &DHCP-Transaction-Id = 0
(0) &DHCP-Number-of-Seconds = 0
(0) &DHCP-Flags = 0
(0) &DHCP-Client-IP-Address = 10.43.18.124
(0) &DHCP-Your-IP-Address = 0.0.0.0
(0) &DHCP-Server-IP-Address = 0.0.0.0
(0) &DHCP-Gateway-IP-Address = 10.43.18.35
(0) &DHCP-Client-Hardware-Address = 00:a0:bc:00:00:02
(0) &DHCP-Message-Type = DHCP-Discover
(0) &DHCP-DHCP-Server-Identifier = 10.43.18.92
(0) &DHCP-Client-Identifier = 0x0100a1bc000001
(0) Running 'recv DHCP-Discover' from file /usr/local/etc/raddb/sites-enabled/dhcp
(0) recv DHCP-Discover {
(0) update reply {
(0) &DHCP-Message-Type = DHCP-Offer
(0) } # update reply (noop)
(0) update reply {
(0) &DHCP-Domain-Name-Server = 127.0.0.1
(0) &DHCP-Domain-Name-Server = 127.0.0.2
(0) &DHCP-Subnet-Mask = 255.255.255.0
(0) &DHCP-Router-Address = 192.0.2.1
(0) &DHCP-IP-Address-Lease-Time = 900
(0) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(0) } # update reply (noop)
(0) update control {
(0) &Pool-Name := "local"
(0) } # update control (noop)
(0) redis_ippool - Allocating lease from pool "local", to "00:a0:bc:00:00:02", expires in 120s
(0) redis_ippool - Reserved connection (1)
(0) redis_ippool - [1] >>> Sending command(s) to 10.43.16.162:6379
(0) redis_ippool - [1] <<< Returned: success
(0) redis_ippool - Released connection (1)
(0) redis_ippool - Need 2 more connections to reach min connections (4)
(0) redis_ippool - Opening additional connection (2), 1 of 2 pending slots used
rlm_redis (redis) - [1] Connecting to node 10.43.16.162:6379
(0) redis_ippool - &reply:DHCP-Your-IP-Address := 192.172.156.164
(0) redis_ippool - &reply:DHCP-IP-Address-Lease-Time := 120
(0) redis_ippool - IP address lease allocated
(0) redis_ippool (updated)
(0) ok (ok)
(0) } # recv DHCP-Discover (updated)
(0) Sent DHCP-Offer XID 00000000 from 10.43.18.95:67 to 10.43.18.35:67 via eth1
(0) &DHCP-Message-Type = DHCP-Offer
(0) &DHCP-Domain-Name-Server = 127.0.0.1
(0) &DHCP-Subnet-Mask = 255.255.255.0
(0) &DHCP-Router-Address = 192.0.2.1
(0) &DHCP-IP-Address-Lease-Time := 120
(0) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(0) done request
(0) finished request.
Ready to process requests
Reply will be unicast to CIADDR from original packet.
proto_dhcpv4_udp - cleaning up ID 1
Ready to process requests
proto_dhcpv4_udp - Received DHCP-Request XID 00000000 length 300 proto_dhcpv4_udp server 10.43.18.95 port 67
Resetting worker 30 cleanup timer to +0s
(1) running request
(1) Received DHCP-Request XID 00000000 from 10.43.18.35:67 to 10.43.18.95:67 via eth1
(1) &DHCP-Opcode = Client-Message
(1) &DHCP-Hardware-Type = Ethernet
(1) &DHCP-Hardware-Address-Length = 6
(1) &DHCP-Hop-Count = 2
(1) &DHCP-Transaction-Id = 0
(1) &DHCP-Number-of-Seconds = 0
(1) &DHCP-Flags = 0
(1) &DHCP-Client-IP-Address = 10.43.18.124
(1) &DHCP-Your-IP-Address = 0.0.0.0
(1) &DHCP-Server-IP-Address = 0.0.0.0
(1) &DHCP-Gateway-IP-Address = 10.43.18.35
(1) &DHCP-Client-Hardware-Address = 00:a0:bc:00:00:02
(1) &DHCP-Message-Type = DHCP-Request
(1) &DHCP-Requested-IP-Address = 192.172.156.164
(1) &DHCP-DHCP-Server-Identifier = 10.43.18.92
(1) &DHCP-Client-Identifier = 0x0100a1bc000001
(1) Running 'recv DHCP-Request' from file /usr/local/etc/raddb/sites-enabled/dhcp
(1) recv DHCP-Request {
(1) update reply {
(1) &DHCP-Message-Type = DHCP-Ack
(1) } # update reply (noop)
(1) update reply {
(1) &DHCP-Domain-Name-Server = 127.0.0.1
(1) &DHCP-Domain-Name-Server = 127.0.0.2
(1) &DHCP-Subnet-Mask = 255.255.255.0
(1) &DHCP-Router-Address = 192.0.2.1
(1) &DHCP-IP-Address-Lease-Time = 900
(1) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(1) } # update reply (noop)
(1) update control {
(1) &Pool-Name := "local"
(1) } # update control (noop)
(1) redis_ippool - Allocating lease from pool "local", to "00:a0:bc:00:00:02", expires in 120s
(1) redis_ippool - Reserved connection (2)
(1) redis_ippool - [1] >>> Sending command(s) to 10.43.16.162:6379
(1) redis_ippool - [1] <<< Returned: success
(1) redis_ippool - Released connection (2)
(1) redis_ippool - &reply:DHCP-Your-IP-Address := 192.172.156.164
(1) redis_ippool - &reply:DHCP-IP-Address-Lease-Time := 120
(1) redis_ippool - IP address lease allocated
(1) redis_ippool (updated)
(1) ok (ok)
(1) } # recv DHCP-Request (updated)
(1) Sent DHCP-Ack XID 00000000 from 10.43.18.95:67 to 10.43.18.35:67 via eth1
(1) &DHCP-Message-Type = DHCP-Ack
(1) &DHCP-Domain-Name-Server = 127.0.0.1
(1) &DHCP-Subnet-Mask = 255.255.255.0
(1) &DHCP-Router-Address = 192.0.2.1
(1) &DHCP-IP-Address-Lease-Time := 120
(1) &DHCP-DHCP-Server-Identifier = 192.0.2.1
(1) done request
(1) finished request.
Ready to process requests
Reply will be unicast to CIADDR from original packet.
proto_dhcpv4_udp - cleaning up ID 1
Ready to process requests
Sorry for the lengthy mail.
Please advise.
Thanks and regards,
Vikram.
4
3
HI Team,
Accounting on freeradius not working , authentication is fine.
Using mysql and freeradius is on Ubuntu.
radtest test test 127.0.0.1:1813 0 testing123
(0) No reply from server for ID 52 socket 3
Debug
Invalid packet code 1 sent to a accounting port from client localhost port
32840 : IGNORED
Ready to process requests
Invalid packet code 1 sent to a accounting port from client localhost port
32840 : IGNORED
Ready to process requests
Invalid packet code 1 sent to a accounting port from client localhost port
32840 : IGNORED
Ready to process requests
--
Thanks & Regards
Aditya Vijjan
2
1
Hello to everyone,
I'm using mysql and pfsense captive portal with Freeradius 3.0.12.
I added the sqlcounter module to Freeradius and I can use the attributes of
the Max-All-Session, Max-Daily-Session, Max-Monthly-Session in the
radgroupcheck table on this module. I am using the
"WISPr-Bandwidth-Max-Down" attributes in the radgroupreply table
successfully.
I have two requests from you;
First, I want to add daily, monthly Download and Upload quota feature. How
do I do this and what attributes I can do.
Second, we can reduce the speed of the Internet for users who access this
limitation. According to my research, I learned that its short name is FUP,
and it can be done with the "Mikrotik-Rate-Limit" essence for Mikrotik.
Frankly, I couldn't find more resources for Pfsense.
I would be very grateful if you could help me with these two things.
I wish everyone a happy day.
Respects.
1
0
HI Team,
I have tried this attribute via freeradius internal dictionary but not able
to see from ntradping.
--
Thanks & Regards
Aditya Vijjan
2
1