Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
December 2020
- 39 participants
- 44 discussions
Hello! I am trying to use azure ad through Azure Domain services as an auth
for our wifi.
I have read several posts from people on this forum and have been thru all
the instructions in the config files for freeradius and the freewebsite.
I'm new to all this and I know I'm missing something.
I can get Pap to work per the setup and I think Eap to work as well (Not
sure here?)
My ldap bind works when I use rad test but anything else fails
I've also looked at the error messages and warnings in the debug but I'm
still missing something in a config somewhere.
Please help!
here is my debug log
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 45825
Listening on proxy address :: port 41484
Ready to process requests
(0) Received Access-Request Id 114 from 68.45.161.30:1824 to 10.0.1.5:1812
length 123
(0) User-Name = "dtown"
(0) NAS-IP-Address = 68.45.161.30
(0) Called-Station-Id = "7823aed64a00"
(0) Calling-Station-Id = "a483e742cff0"
(0) NAS-Identifier = "7823aed64a00"
(0) NAS-Port = 125
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) EAP-Message = 0x0200000a0164746f776e
(0) Message-Authenticator = 0xc4b316926a530a22a2915e885854b423
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x749ecc9b749fc856
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 114 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(0) EAP-Message = 0x0101001604105b9005bc07e64ece96b8e8753b9faa7d
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x749ecc9b749fc8560d9a9245bf7c0b3d
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 115 from 68.45.161.30:1824 to 10.0.1.5:1812
length 139
(1) User-Name = "dtown"
(1) NAS-IP-Address = 68.45.161.30
(1) Called-Station-Id = "7823aed64a00"
(1) Calling-Station-Id = "a483e742cff0"
(1) NAS-Identifier = "7823aed64a00"
(1) NAS-Port = 125
(1) Framed-MTU = 1400
(1) State = 0x749ecc9b749fc8560d9a9245bf7c0b3d
(1) NAS-Port-Type = Wireless-802.11
(1) EAP-Message = 0x020100080319152b
(1) Message-Authenticator = 0x0ffdac48427e34cb2a5461df93be7d94
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x749ecc9b749fc856
(1) eap: Finished EAP session with state 0x749ecc9b749fc856
(1) eap: Previous EAP request found for state 0x749ecc9b749fc856, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x749ecc9b759cd556
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 115 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x749ecc9b759cd5560d9a9245bf7c0b3d
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 116 from 68.45.161.30:1824 to 10.0.1.5:1812
length 292
(2) User-Name = "dtown"
(2) NAS-IP-Address = 68.45.161.30
(2) Called-Station-Id = "7823aed64a00"
(2) Calling-Station-Id = "a483e742cff0"
(2) NAS-Identifier = "7823aed64a00"
(2) NAS-Port = 125
(2) Framed-MTU = 1400
(2) State = 0x749ecc9b759cd5560d9a9245bf7c0b3d
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message =
0x020200a119800000009716030100920100008e03035fd3baf05c37c33a4fc237ff3e32630f58d2c0662e8ca4f4eae0445c4427bf5600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(2) Message-Authenticator = 0xb050e9f9e27e2b66aa11cfe13f1bb1f2
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x749ecc9b759cd556
(2) eap: Finished EAP session with state 0x749ecc9b759cd556
(2) eap: Previous EAP request found for state 0x749ecc9b759cd556, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 0903]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2725 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x749ecc9b769dd556
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 116 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(2) EAP-Message =
0x010303ec19c000000aa5160303003d0200003903034149d7c0d850734fb7c49763ac77e8ca484976d6c3a6b0a286a0ab601b1b7b0100c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3230313231303133343331395a170d3231303230383133343331395a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x749ecc9b769dd5560d9a9245bf7c0b3d
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 117 from 68.45.161.30:1824 to 10.0.1.5:1812
length 137
(3) User-Name = "dtown"
(3) NAS-IP-Address = 68.45.161.30
(3) Called-Station-Id = "7823aed64a00"
(3) Calling-Station-Id = "a483e742cff0"
(3) NAS-Identifier = "7823aed64a00"
(3) NAS-Port = 125
(3) Framed-MTU = 1400
(3) State = 0x749ecc9b769dd5560d9a9245bf7c0b3d
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0x834c6579fac00cffba174a77e16bba33
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x749ecc9b769dd556
(3) eap: Finished EAP session with state 0x749ecc9b769dd556
(3) eap: Previous EAP request found for state 0x749ecc9b769dd556, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x749ecc9b779ad556
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 117 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(3) EAP-Message =
0x010403e819404acb7e8c4c92936c99a480a4072d09ccc9b96cde7a13be01677daa723ad5ece4655d938f50df53e1cf39ec11da750c2ab652c02d26b8ca68f1bca4e3b898bacf34d9d52f87d1aa9acd39f67bb63b563469d4325ecb5b14d5480bb83a40804c59dab2bc4bf4d6820004fe308204fa308203e2a00302010202147efb48f4d14f992a5c09aee2b04dc6dc6f4771a0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3230313231303133343331395a170d3231303230383133343331395a308193310b3009060355040613024652310f300d06035504080c0652616469
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x749ecc9b779ad5560d9a9245bf7c0b3d
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 118 from 68.45.161.30:1824 to 10.0.1.5:1812
length 137
(4) User-Name = "dtown"
(4) NAS-IP-Address = 68.45.161.30
(4) Called-Station-Id = "7823aed64a00"
(4) Calling-Station-Id = "a483e742cff0"
(4) NAS-Identifier = "7823aed64a00"
(4) NAS-Port = 125
(4) Framed-MTU = 1400
(4) State = 0x749ecc9b779ad5560d9a9245bf7c0b3d
(4) NAS-Port-Type = Wireless-802.11
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x60af64804bd551969cbdeee1ccc4c597
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x749ecc9b779ad556
(4) eap: Finished EAP session with state 0x749ecc9b779ad556
(4) eap: Previous EAP request found for state 0x749ecc9b779ad556, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 743
(4) eap: EAP session adding &reply:State = 0x749ecc9b709bd556
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 118 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(4) EAP-Message =
0x010502e7190072746966696361746520417574686f7269747982147efb48f4d14f992a5c09aee2b04dc6dc6f4771a0300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100293909cda29461712f345f76b29b939188d76ce0c6ab57d7fa11cc01ac150394f75923c9e0bafdeb86edd65e493998ee8c269d523d5aebeab7360d4d64429477ab372d945b09bb64a381987a6626d07daf88f684eb5a95ffdfb2f52a8ccdc684ba9b2150653f1688a6b65bec50ddab6c4a49db720049b77310b628303806547b7a1952e5574f5f4239b8f0f8944a6c4df15a7a491e21fc3ec8663588c379a3c09e5e5e34dec122ddf1c6f2c881342fac4de71c7e1c9f910537770099bf811a60ceea205253591fd66893499dbb89ae8dab773afbdad3f3c196c3593a69180d5156040029fe86ee13cbe88d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x749ecc9b709bd5560d9a9245bf7c0b3d
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 119 from 68.45.161.30:1824 to 10.0.1.5:1812
length 267
(5) User-Name = "dtown"
(5) NAS-IP-Address = 68.45.161.30
(5) Called-Station-Id = "7823aed64a00"
(5) Calling-Station-Id = "a483e742cff0"
(5) NAS-Identifier = "7823aed64a00"
(5) NAS-Port = 125
(5) Framed-MTU = 1400
(5) State = 0x749ecc9b709bd5560d9a9245bf7c0b3d
(5) NAS-Port-Type = Wireless-802.11
(5) EAP-Message =
0x0205008819800000007e1603030046100000424104a28febeb0bb5f0922c97a95a5811f1696d6f4c2d375be0e34172007a28356a1068e9734682743ae0ae572000372fc2df84b48af1a34607c1f7703210b33f7f691403030001011603030028e3277115802d5ed3e247c8b34b1b3e062cf33600daf2c24d78ae457b1ade2f852f97aa0aaff65dd4
(5) Message-Authenticator = 0xac005f74adeffb71241ac5773458d9b3
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 136
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x749ecc9b709bd556
(5) eap: Finished EAP session with state 0x749ecc9b709bd556
(5) eap: Previous EAP request found for state 0x749ecc9b709bd556, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: <<< recv TLS 1.2 [length 0046]
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: <<< recv TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: >>> send TLS 1.2 [length 0001]
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: >>> send TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_peap: TLS - got 51 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 57
(5) eap: EAP session adding &reply:State = 0x749ecc9b7198d556
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 119 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(5) EAP-Message =
0x0106003919001403030001011603030028ab6860cd676579b8791ad027b85f2cc62cef4b5e2398c38a789b83ee466bb6216435f7b2d366eadb
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x749ecc9b7198d5560d9a9245bf7c0b3d
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 120 from 68.45.161.30:1824 to 10.0.1.5:1812
length 137
(6) User-Name = "dtown"
(6) NAS-IP-Address = 68.45.161.30
(6) Called-Station-Id = "7823aed64a00"
(6) Calling-Station-Id = "a483e742cff0"
(6) NAS-Identifier = "7823aed64a00"
(6) NAS-Port = 125
(6) Framed-MTU = 1400
(6) State = 0x749ecc9b7198d5560d9a9245bf7c0b3d
(6) NAS-Port-Type = Wireless-802.11
(6) EAP-Message = 0x020600061900
(6) Message-Authenticator = 0xe9cc34f3ffc2b01148aadd11d1488c75
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x749ecc9b7198d556
(6) eap: Finished EAP session with state 0x749ecc9b7198d556
(6) eap: Previous EAP request found for state 0x749ecc9b7198d556, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 7 length 40
(6) eap: EAP session adding &reply:State = 0x749ecc9b7299d556
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 120 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(6) EAP-Message =
0x010700281900170303001dab6860cd676579b9c9c7c6538c84a36bb004ad177a41505c31ef35af47
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x749ecc9b7299d5560d9a9245bf7c0b3d
(6) Finished request
Waking up in 4.5 seconds.
(7) Received Access-Request Id 121 from 68.45.161.30:1824 to 10.0.1.5:1812
length 172
(7) User-Name = "dtown"
(7) NAS-IP-Address = 68.45.161.30
(7) Called-Station-Id = "7823aed64a00"
(7) Calling-Station-Id = "a483e742cff0"
(7) NAS-Identifier = "7823aed64a00"
(7) NAS-Port = 125
(7) Framed-MTU = 1400
(7) State = 0x749ecc9b7299d5560d9a9245bf7c0b3d
(7) NAS-Port-Type = Wireless-802.11
(7) EAP-Message =
0x020700291900170303001ee3277115802d5ed4bc164f722798531c9d7f02629fac47c95c8e628766ff
(7) Message-Authenticator = 0x48b8d15b4c4f0070c13caeba3c46ccfe
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 41
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x749ecc9b7299d556
(7) eap: Finished EAP session with state 0x749ecc9b7299d556
(7) eap: Previous EAP request found for state 0x749ecc9b7299d556, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - dtown
(7) eap_peap: Got inner identity 'dtown'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207000a0164746f776e
(7) eap_peap: Setting User-Name to dtown
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0207000a0164746f776e
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "dtown"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0207000a0164746f776e
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "dtown"
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 10
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0x5daed4a35da6ce1f
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message =
0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message =
0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message =
0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 74
(7) eap: EAP session adding &reply:State = 0x749ecc9b7396d556
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 121 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(7) EAP-Message =
0x0108004a1900170303003fab6860cd676579ba5da69c46a36a4ada177ebb9815838a7895cedb20e47336c0ff9a6b1fc50076ed429c2c0e6c4d08099cb3ce1588e996659cfa9f474edf48
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x749ecc9b7396d5560d9a9245bf7c0b3d
(7) Finished request
Waking up in 4.4 seconds.
(8) Received Access-Request Id 122 from 68.45.161.30:1824 to 10.0.1.5:1812
length 226
(8) User-Name = "dtown"
(8) NAS-IP-Address = 68.45.161.30
(8) Called-Station-Id = "7823aed64a00"
(8) Calling-Station-Id = "a483e742cff0"
(8) NAS-Identifier = "7823aed64a00"
(8) NAS-Port = 125
(8) Framed-MTU = 1400
(8) State = 0x749ecc9b7396d5560d9a9245bf7c0b3d
(8) NAS-Port-Type = Wireless-802.11
(8) EAP-Message =
0x0208005f19001703030054e3277115802d5ed51cdae37d534fb40d32faa53975c2112f2a8f3d0a0f1c6ebcabebc6adf24a91f72cdf023696db57b08f8e0384bedaebf5435e68d77469eefc4adf89749b0906e476d06cb27319d180252acdda
(8) Message-Authenticator = 0xb9d5b39508bd6f731e5e6668a92603dd
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 95
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x5daed4a35da6ce1f
(8) eap: Finished EAP session with state 0x749ecc9b7396d556
(8) eap: Previous EAP request found for state 0x749ecc9b7396d556, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message =
0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) eap_peap: Setting User-Name to dtown
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message =
0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "dtown"
(8) eap_peap: State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(8) Virtual server inner-tunnel received request
(8) EAP-Message =
0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "dtown"
(8) State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 64
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 65
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://developertown.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(8) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (cn=dtown)
(8) ldap: Performing search in "OU=AADDC Users, DC=developertown,dc=com"
with filter "(cn=dtown)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "CN=dtown,OU=AADDC
Users,DC=developertown,DC=com"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://developertown.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x5daed4a35da6ce1f
(8) eap: Finished EAP session with state 0x5daed4a35da6ce1f
(8) eap: Previous EAP request found for state 0x5daed4a35da6ce1f, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(8) mschap: Creating challenge hash with username: dtown
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) eap_mschapv2: [mschap] = reject
(8) eap_mschapv2: } # authenticate = reject
(8) eap: Sending EAP Failure (code 4) ID 8 length 4
(8) eap: Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> dtown
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) update outer.session-state {
(8) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: FAILED: No NT-Password. Cannot perform authentication'
(8) } # update outer.session-state = noop
(8) } # Post-Auth-Type REJECT = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) MS-CHAP-Error = "\010E=691 R=1 C=3470efc6beebf4771fe9b420897b9c03 V=3
M=Authentication rejected"
(8) EAP-Message = 0x04080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=3470efc6beebf4771fe9b420897b9c03 V=3 M=Authentication rejected"
(8) eap_peap: EAP-Message = 0x04080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=3470efc6beebf4771fe9b420897b9c03 V=3 M=Authentication rejected"
(8) eap_peap: EAP-Message = 0x04080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap: Sending EAP Request (code 1) ID 9 length 46
(8) eap: EAP session adding &reply:State = 0x749ecc9b7c97d556
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Module-Failure-Message := "mschap: FAILED: No NT-Password. Cannot
perform authentication"
(8) Sent Access-Challenge Id 122 from 10.0.1.5:1812 to 68.45.161.30:1824
length 0
(8) EAP-Message =
0x0109002e19001703030023ab6860cd676579bbf8e24db65e3b3ad7c73a183632753492b3bcd66ede043aa9335aa9
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x749ecc9b7c97d5560d9a9245bf7c0b3d
(8) Finished request
Waking up in 4.3 seconds.
(9) Received Access-Request Id 123 from 68.45.161.30:1824 to 10.0.1.5:1812
length 177
(9) User-Name = "dtown"
(9) NAS-IP-Address = 68.45.161.30
(9) Called-Station-Id = "7823aed64a00"
(9) Calling-Station-Id = "a483e742cff0"
(9) NAS-Identifier = "7823aed64a00"
(9) NAS-Port = 125
(9) Framed-MTU = 1400
(9) State = 0x749ecc9b7c97d5560d9a9245bf7c0b3d
(9) NAS-Port-Type = Wireless-802.11
(9) EAP-Message =
0x0209002e19001703030023e3277115802d5ed625e1da95b903138f9d2c1b64790aaef5e83488b5236ccedd4b6283
(9) Message-Authenticator = 0xe96dd63632d387be9f2c5cfb51fd45d3
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) &session-state:Module-Failure-Message := "mschap: FAILED: No
NT-Password. Cannot perform authentication"
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x749ecc9b7c97d556
(9) eap: Finished EAP session with state 0x749ecc9b7c97d556
(9) eap: Previous EAP request found for state 0x749ecc9b7c97d556, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: ERROR: The users session was previously rejected: returning
reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will
tell you
(9) eap_peap: what went wrong, and how to fix the problem
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(9) eap: Sending EAP Failure (code 4) ID 9 length 4
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> dtown
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 123 from 10.0.1.5:1812 to 68.45.161.30:1824
length 44
(9) EAP-Message = 0x04090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.2 seconds.
(0) Cleaning up request packet ID 114 with timestamp +65
(1) Cleaning up request packet ID 115 with timestamp +65
(2) Cleaning up request packet ID 116 with timestamp +65
(3) Cleaning up request packet ID 117 with timestamp +65
(4) Cleaning up request packet ID 118 with timestamp +65
(5) Cleaning up request packet ID 119 with timestamp +65
(6) Cleaning up request packet ID 120 with timestamp +65
(7) Cleaning up request packet ID 121 with timestamp +65
Waking up in 0.1 seconds.
(8) Cleaning up request packet ID 122 with timestamp +65
(9) Cleaning up request packet ID 123 with timestamp +65
Ready to process requests
3
6
Greetings FR-users,
I am running 3.0.17.
I've got a question about my radius deployment...
Our institution is proxying auth requests to a Duo enabled RADIUS server
off site. Due to the delay in the WAN, plus the human delay of the 2FA I
would like to have an appropriate configured timeout for the proxy. I am
thinking 60 seconds. Is that value too large?
Attempting to change the timeout for the proxy yields a message that I
cannot set the value to 60 seconds:
WARNING: Ignoring "response_window = 60.000000", forcing to
"response_window = 30.000000"
Here is my config:
home_server radius_1 {
type = auth
ipaddr = 10.0.0.1
secret = REMOVED
require_message_authenticator = yes
response_window = 60
}
According to the docs it looks like it should accept 60:
# The response window can be a number between 0.001 and 60.000
# Values on the low end are discouraged, as they will likely
# not work due to limitations of operating system timers.
#
# The default response window is large because responses may
# be slow, especially when proxying across the Internet.
#
# Useful range of values: 5 to 60
response_window = 30
Is response_window the right config parameter for adjusting the proxy
timeout?
Is the 30 second limitation a bug? or is the documentation wrong? Or is the
issue corrected in a more recent release?
Thanks for the help!
-m
2
1
Greetings FR-users,
On a default debian install of freeradius there is some yellow text when
running the server in debug (-X) mode:
[...]
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter
list for realm "DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in
filter list for realm "DEFAULT".
[...]
The last two lines which reference line 11 are yellow.
Here is the contents of access_reject:
$ sudo cat -n /etc/freeradius/3.0/mods-config/attr_filter/access_reject
1 #
2 # Configuration file for the rlm_attr_filter module.
3 # Please see rlm_attr_filter(5) manpage for more information.
4 #
5 # $Id: afd89473dc50e4ff62389e35e5cb73b512e9d352 $
6 #
7 # This configuration file is used to remove almost all of the
attributes
8 # From an Access-Reject message. The RFCs say that an
Access-Reject
9 # packet can contain only a few attributes. We enforce that
here.
10 #
11 DEFAULT
12 EAP-Message =* ANY,
13 State =* ANY,
14 Message-Authenticator =* ANY,
15 Error-Cause =* ANY,
16 Reply-Message =* ANY,
17 MS-CHAP-Error =* ANY,
18 Proxy-State =* ANY,
19 FreeRADIUS-Response-Delay =* ANY,
20 FreeRADIUS-Response-Delay-USec =* ANY
I'm afraid I don't know what to modify to eliminate the warning.
Any suggestions?
Thank you!
-m
4
6
Hello to everyone,
after reading the whole internet and searching for solutions, but finding a solution in vain, I try my luck here.
First of all, my goal: It should work quite simply. If you choose the WLAN you should be able to login with your LDAP - access data.
After trying a lot of things, the same or even new errors will appear again and again.
The LDAP connection exists in any case. It finds the user in the exact OU. I tried it already with a certain group (so only if the user is in the group "wlan" he can login). He could also check the group.
My question is: Is it because of some config that it does not work, or is it because of the domain controller?
ldap.conf:
-----------------------------------------------------------------------------------------------
ldap {
server = "ldap://intranet.***.de <ldap://intranet.***.de>"
identity = "INTRANET\*USERNAME*"
password = "*******"
base_dn = "DC=intranet,DC=DC,DC=de"
sasl {
}
update {
control:Password-With-Header += 'userPassword'
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
user {
base_dn = "${..base_dn}"
filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
}
group {
base_dn = 'DC=intranet,DC=*DC*,DC=de'
filter = '(objectClass=posixGroup)'
scope = 'sub'
name_attribute = cn
membership_filter = "(member=%{control:Ldap-UserDn})"
membership_attribute = 'memberOf'
}
Profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
Tls {
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
-----------------------------------------------------------------------------------------------
Site-enabled/default and Innertunnel:
-----------------------------------------------------------------------------------------------
The files are both still standard. The only thing I have added is:
-ldap
if ((ok || updated) && User-Password && !control:Auth-Type) {
update {
control:Auth-Type := ldap
}
}
In the authorize-section.
-----------------------------------------------------------------------------------------------
FREERADIUS -X:
-----------------------------------------------------------------------------------------------
(7) Received Access-Request Id 25 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 371
(7) User-Name = "*USERNAME*"
(7) NAS-IP-Address = *AccessPoint-IP*
(7) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
(7) NAS-Port-Id = "00000001"
(7) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
(7) NAS-Port-Type = Wireless-802.11
(7) Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "6A-95-50-D9-1B-DC"
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
(7) Acct-Multi-Session-Id = "97193BFF112F1388"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message = 0x0238006219001703030057b1de21bae8c7f5d43e9cefcb5c41ba58ac82f19aea43c4ed3c21feb1a2c3d6372f73a55132eb0157bf9792ab55d4ba3674125df5a3bdace00a31a870f5207823f75aaca3a15aa1ba23107d8ccd9cc1f0da3abd0f10c8cb
(7) State = 0x91de85df97e69c726c333a62068cc31c
(7) Message-Authenticator = 0xd2c7816cb5763af4c1102989e178783a
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 56 length 98
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Finished EAP session with state 0x91de85df97e69c72
(7) eap: Previous EAP request found for state 0x91de85df97e69c72, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) eap_peap: Setting User-Name to *USERNAME*
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "*USERNAME*"
(7) eap_peap: State = 0x6d94a36d6dacb9f97126b7451b802a00
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x023800431a0238003e31976c2f5de49266406d03aa536085bfe2000000000000000079adbba2193c9312ebf9719bd0060b3fc13cdb7f8f7aeece00666c6f7269616e62
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "*USERNAME*"
(7) State = 0x6d94a36d6dacb9f97126b7451b802a00
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 56 length 67
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (samaccountname=*USERNAME*)
(7) ldap: Performing search in "DC=INTRANET,DC=*DC*,DC=de" with filter "(samaccountname=*USERNAME*)", scope "sub"
(7) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://ForestDnsZones.INTRANET.*domain*.de/DC=ForestDnsZones,DC=*DC*,DC=*DC*,DC=de>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de <ldap://DomainDnsZones.INTRANET.*domain*.de/DC=DomainDnsZones,DC=*DC*,DC=*DC*,DC=de>
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) ldap: User object found at DN "CN=Name Surname,OU=*OU*,OU=*OU*,OU=*OU*,OU=*OU*,DC=*DC*,DC=*DC,DC=*DC*"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (1) - Was referred to a different LDAP server
(7) [ldap] = ok
(7) if ((ok || updated) && User-Password && !control:Auth-Type) {
(7) if ((ok || updated) && User-Password && !control:Auth-Type) -> FALSE
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Finished EAP session with state 0x6d94a36d6dacb9f9
(7) eap: Previous EAP request found for state 0x6d94a36d6dacb9f9, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: Creating challenge hash with username: *USERNAME*
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) eap_mschapv2: [mschap] = reject
(7) eap_mschapv2: } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 56 length 4
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> *USERNAME*
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) EAP-Message = 0x04380004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04380004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap: MS-CHAP-Error = "8E=691 R=1 C=6d62be4a6a391d62280be8faba594674 V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04380004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 57 length 46
(7) eap: EAP session adding &reply:State = 0x91de85df96e79c72
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(7) Sent Access-Challenge Id 25 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 0
(7) EAP-Message = 0x0139002e1900170303002371c86c4f9605471aebfaa3b34ed5f06357d0eb547c2c853c97853ab157bee0b162981c
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x91de85df96e79c726c333a62068cc31c
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 26 from *Accesspoint-IP* to *Radius-Server-IP:1812* length 319
(8) User-Name = "*USERNAME*"
(8) NAS-IP-Address = *AccessPoint-IP*
(8) NAS-Identifier = "TP-Link:B0-BE-76-24-73-FF"
(8) NAS-Port-Id = "00000001"
(8) Called-Station-Id = "B0-BE-76-24-73-FF:ldap_auth"
(8) NAS-Port-Type = Wireless-802.11
(8) Event-Timestamp = "Nov 25 2020 11:52:42 UTC"
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "6A-95-50-D9-1B-DC"
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) Acct-Session-Id = "b0be762473ff-357FC6FB8137FBBA"
(8) Acct-Multi-Session-Id = "97193BFF112F1388"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message = 0x0239002e19001703030023b1de21bae8c7f5d5fe5ace2f015bb1493cfc51fce39ec097cb3b7adc33072b2fd5928f
(8) State = 0x91de85df96e79c726c333a62068cc31c
(8) Message-Authenticator = 0xd60eadff0ff86f1364a45131245674c1
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "*USERNAME*", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 57 length 46
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x91de85df96e79c72
(8) eap: Finished EAP session with state 0x91de85df96e79c72
(8) eap: Previous EAP request found for state 0x91de85df96e79c72, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 57 length 4
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> *USERNAME*
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) [eap] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 26 from *Radius-Server-IP:1812* to *Accesspoint-IP* length 44
(8) EAP-Message = 0x04390004
(8) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 18 with timestamp +11
(1) Cleaning up request packet ID 19 with timestamp +11
(2) Cleaning up request packet ID 20 with timestamp +11
(3) Cleaning up request packet ID 21 with timestamp +11
(4) Cleaning up request packet ID 22 with timestamp +11
(5) Cleaning up request packet ID 23 with timestamp +11
(6) Cleaning up request packet ID 24 with timestamp +11
(7) Cleaning up request packet ID 25 with timestamp +11
(8) Cleaning up request packet ID 26 with timestamp +11
Ready to process requests
Sincerely yours
Florian Bergner
2
3
Hi Folks,
After years of running NPS for RADIUS we are getting started with
freeRADIUS. Use will be primarily for our eduroam 802.1x wireless network.
We have a single site with 4 AD DCs. Expected load is a few authentications
per second (4,000 users, 10K+ devices).
A few years back we migrated away from samba/winbind and all systems now
use an LDAP-based sssd config. Most of the freeRADIUS guides I've come
across document using samba; we are more familiar with LDAP than samba.
What is the recommendation for new installations - samba or LDAP? Are there
significant pros and cons to either approach? Thanks!
ajs
--
*Tony Skalski*
System Administrator | IT
*Office: *507-786-3227 <(507)786-3227>
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
2
4
Greetings FR-users,
I've configured my linelog module as such:
message {
Access-Request = "%S Access Request from calling station
%{Calling-Station-Id:-bar}"
}
but the logging fails:
(0) linelog: ERROR: %S Access Request from calling station
%{Calling-Station-Id:-bar}
(0) linelog: ERROR: ^ Unknown
module
(0) [linelog] = fail
According to the wiki, I feel like the above configuration should work:
https://wiki.freeradius.org/config/run_time_variables#conditional-syntax
Any ideas what I'm doing wrong?
Thanks for the help!
-m
2
2
Hi,
I am trying to install FreeRadius to do the Mac Auth.
I followed this guide :
https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x
<https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x>.
Here are the elements :
- server :
CentOS Linux release 7.9.2009 (Core)
SELinux is disabled.
rpm -qa |egrep freeradius
freeradius-utils-3.0.13-15.el7.x86_64
freeradius-3.0.13-15.el7.x86_64
- client : a Huawei switch
#
authentication-profile name ACCESS-MAC
mac-access-profile MAC
authentication mode multi-authen max-user 100
access-domain toto force
#
radius-server template TOTO
radius-server shared-key cipher tata
radius-server authentication 10.x.x.x 1812 vpn-instance management
weight 80
#
authentication-scheme TOTO
authentication-mode radius
#
domain toto
authentication-scheme TOTO
accounting-scheme default
radius-server TOTO
#
---
cat /etc/raddb/users
bob Auth-Type := Accept, Cleartext-Password := "toto"
Reply-Message := "Hello, %{User-Name}"
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := Reject
Reply-Message = "\_o< Acces refuse."
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
---
cat /etc/raddb/authorized_macs
xx-xx-xx-xx-xx-xx
Reply-Message = "Device with MAC Address %{Calling-Station-Id}
authorized for network access"
---
cat /etc/raddb/sites-enabled/default
...
authorize {
filter_username
preprocess
rewrite_calling_station_id
authorized_macs
if (!ok) {
reject
}
else {
update control {
Auth-Type := Accept
}
}
auth_log
chap
mschap
digest
suffix
eap {
ok = return
}
files
-sql
-ldap
expiration
logintime
pap
}
I did not modified policy.d/canonicalization from the package
cat /etc/raddb/mods-available/files
files {
moddir = ${modconfdir}/${.:instance}
filename = ${moddir}/authorize
acctusersfile = ${moddir}/accounting
preproxy_usersfile = ${moddir}/pre-proxy
}
files authorized_macs {
key = "%{Calling-Station-ID}"
usersfile = ${confdir}/authorized_macs
# compat = no -------> if not commented, Configuration item
"compat" is deprecated
}
Here is the message from the switch client :
Status : Pre-authen
There is no more message.
From the switch a test with test user "bob" is ok.
In the debug mode, "radiusd -X", there is no message when a machine
tried to connect to the switch.
Any help would be appreciated.
y.
3
3
I have a particular problem with our service structure
We are getting rid of old freeradius servers that have been operational for years and centralizing everything into two radius servers
Due to different access networks , Some users are connected to BNG services that can only terminate or forward to a LNS
The users (realm) that are forwarded to the LNS first get a response from our prod radius with modified attributes through the legacy attr file were we add the VPDN config, and then proxied to the old legacy Radius. Our Old LNS then receives the session and authenticates with the legacy radius.
Client -> BNG - radius to prod Radius – gets VPDN info towards LNS and proxies auth to legacy radius.
Client -> LNS - authenticates to the legacy radius
This is all and well, but we have new LNS routers that are going to be terminating these sessions.
Now the issue is that I need to be able (if possible to only rewrite the attr (insert LNS / VPN info) if the requests comes from the BNG gateways as they can‘t terminate some of the special realms. (only do normal pppoe users)
But when the auth requests comes from the LNS – it shoud not get the VPDN config – else it will just loop.
Is it possible to conditionally add the attributes I need based on the NAS / NAS-IP or some other identifier ?
(basically I‘m using the routers both for LNS and terminate locally)
I have searched and I‘m bit lost both between the legacy config and „new“.
- Benni
3
3
Ping?
-m
On Sat, Dec 5, 2020 at 9:58 PM Matt Zagrabelny <mzagrabe(a)d.umn.edu> wrote:
> Greetings FR-users!
>
> I am having trouble getting FR to bind to LDAP (AD). I believe the issue
> is with TLS and the CA's, but I am not sure. Any help verifying the problem
> and finding a solution would be very appreciated.
>
> Here's the version:
>
> $ apt policy freeradius
> freeradius:
> Installed: 3.0.17+dfsg-1.1
>
> According to package dependencies and readelf, FR is using libssl for
> crypto library needs:
>
> $ readelf -d /usr/sbin/freeradius | grep ssl
> 0x0000000000000001 (NEEDED) Shared library: [libssl.so.1.1]
>
> If I use openssl s_client and connect to the AD system without the CA for
> the AD system's cert, I get an error:
>
> $ echo | openssl s_client -connect ad.umn.edu:636 | grep 'Verification:
> OK'
> depth=0 CN = dc-tc2.ad.umn.edu
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = dc-tc2.ad.umn.edu
> verify error:num=21:unable to verify the first certificate
> verify return:1
> DONE
>
> If I add the authority cert of our AD system to the system's list of CA
> certs...
>
> $ sudo cp /path/to/cert /usr/local/share/ca-certificates/ad.umn.edu.crt
> $ sudo update-ca-certificates
>
> ...I do not get the error:
>
> $ echo | openssl s_client -connect ad.umn.edu:636 | grep 'Verification:
> OK'
> depth=1 DC = edu, DC = umn, DC = ad, CN = OIT-CA1-ADRCA
> verify return:1
> depth=0 CN = dc-tc1.ad.umn.edu
> verify return:1
> Verification: OK
> DONE
>
> Also, ldapsearch executes successfully when the authority cert is added to
> the ca-certificates for the system, but fails when the cert is not added to
> the ca-certificates. ldapsearch is linked against gnutls.
>
> However, even with the cert added to the system list of ca-certificates,
> it appears FR (at least the LDAP component) is failing. Here is a snippet
> of "freeradius -X"
>
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ad.umn.edu:636
> TLS: can't connect: (unknown error code).
> rlm_ldap (ldap): Bind with
> CN=d-ins-ldapuser,OU=ServiceAccounts,OU=INS,OU=D,OU=Units,DC=ad,DC=umn,DC=edu
> to ldaps://ad.umn.edu:636 failed: Can't contact LDAP server
>
> rlm_ldap (ldap): Opening connection failed (0)
> rlm_ldap (ldap): Removing connection pool
> /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module
> "ldap"
>
> The file that the system CA certificates, and hence the AD certificate
> authority, reside in is:
>
> /etc/ssl/certs/ca-certificates.crt
>
> An strace of the FR shows that it is opening that file:
>
> $ sudo strace -f /usr/sbin/freeradius 2>&1 | grep '^open' | grep ssl
>
> openat(AT_FDCWD, "/usr/lib/freeradius/libssl.so.1.1", O_RDONLY|O_CLOEXEC)
> = -1 ENOENT (No such file or directory)
> openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libssl.so.1.1",
> O_RDONLY|O_CLOEXEC) = 3
> openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
> openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
> openat(AT_FDCWD, "/etc/ssl/certs/ssl-cert-snakeoil.pem", O_RDONLY) = 3
> openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
> openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
> openat(AT_FDCWD, "/etc/ssl/private/ssl-cert-snakeoil.key", O_RDONLY) = 3
>
> So... part of me thinks that TLS isn't having issues with the CA of the AD
> system.
>
> I've tried increasing the debugging level with extra -x for freeradius,
> but the extra logs don't help me determine where the issue is with ldap.
>
> What do folks think? This is my first foray into LDAP binding.
>
> Thanks for any help!
>
> -m
>
3
3
Dear freeradius-experts,
I'm using version 3.0.21, running in docker
(freeradius/freeradius-server:latest-alpine).
I want to use freeradius to authenticate users against entries in a file
in the form "username:$2a$10$<bcrypt hash>".
This works quite well, using the following stanza:
passwd my_passwd {
filename = /opt/etc/raddb/ext/pwd.txt
format = "*User-Name:Crypt-Password:"
hash_size = 100
ignore_nislike = no
allow_multiple_keys = no
}
However, when the file gets modified, the changes are not picked up by
freeradius.
I checked the FAQ [1], which suggests to use kill -HUP <PID>, but that
doesn't work either:
Do you have any hints for me to get this resolved? It works by
restarting the docker container, but I'd rather avoid this if possible.
Actually, my users are stored by a 3rd party application in a postgresql
DB. This DB is using a different schema than radiusd (I checked [2]), so
I decided to generate the file described above. If it would be easy to
access the DB directly using custom SQL queries ONLY for
usernames/passwords, that would be another option. I only need
authentication, no accounting or any logging into the DB.
kind regards,
Markus
[1]:
https://wiki.freeradius.org/guide/FAQ#how-do-i_how-do-i-get-radius-to-pick-…
[2]:
https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ub…
2
1