Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2020
- 53 participants
- 61 discussions
Hi,
I've stumbled across a few slightly obscured mentions of EAP-TEAP
support coming in the latest Windows 10 release - eg "EAP-TEAP is
supported on Windows 10 v2004 operating system and later" from:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpwl/6694fb…
I think this is first time a widely deployed supplicant (with apologies
to wpa_supplicant) will have TEAP support.
We would be absolutely ecstatic if we were able to use both computer and
user credentials as part of the network placement decision (in
particular for VPN sessions).
Is TEAP support on a future-plans-list for FreeRADIUS?
Graham
3
3
... my apologies, resending previous mail again with correct subject, sorry
for posting it without ...
Hello, guys.
I am stuck with rewriting the contents of Accounting messages and need your
advice.
I need to manipulate Class attribute (I might use another one, but I guess
there is no difference in handling attributes internally) according to
actual state of local database running on RADIUS server. To be specific,
based on data received in Access-Request packet and actual contents of
RADIUS database my custom function in policy.conf decides which service
name should be supplied to customer and relays this info to NAS using Class
attribute.
The NAS itself is not the entity that needs to receive the information. NAS
copies the Class attribute into subsequent Accounting messages sent after
opening the session, and those Accounting messages are proxied to another
entity (let's call it "black-box", since it is beyond my control).
Black-box influences traffic transferred by the session according to
service template (which is my desired effect).
xxx.rewrite.class {
if ((Called-Station-Id) && "%{Called-Station-Id}" =~
/^IW-REG([0-9]{3})-SVC(.*)$/i) {
update reply {
Class := "%{tolower:IW-R%{1}-S%{2}}-%{sql: SELECT SVC FROM radcheck
WHERE MAC='%{Calling-Station-Id}'}"
}
updated
}
else {
noop
}
}
I included my function into "authorize" and "preacct" sections of "default"
site config and everything works fine when the session is being started.
Now I need to change contents of the Class attribute DURING THE LIFETIME of
the session.
NAS keeps sending Accounting Interim updates. The information coming from
NAS is still the same as it was in Access-Request, but setting in local
database changed, so my script produces another contents for Class
attribute, and I need the change to be reflected in Accounting messsage
proxied to the black-box.
My idea was just to keep the same rewrite function in place, and I was
hoping that Class attribute will be sent back in response to Accounting
same as it was in response to Access-Request, then NAS will start to
include new version of my Class, that will be proxied to black-box, and
black-box does its job.
Unfortunately I can't get RADIUS to send the Class attribute in response to
Accounting message (neither Start nor Interim), Response contains just
Authenticator. So my intended solution does not work. Can you advise how to
force the Class attribute to be included?
09:31:01.466731 IP (tos 0x0, ttl 56, id 65225, offset 0, flags [DF], proto
UDP (17), length 217)
xxxxx.59947 > yyyyy.radius-acct: RADIUS, length: 189
Accounting Request (4), id: 0x1b, Authenticator:
c88c72cdfc48aa71744fbd90733a09a5
Accounting Status Attribute (40), length: 6, Value: Start
NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE
802.11
Calling Station Attribute (31), length: 19, Value:
34:A8:EB:0B:4D:03
Called Station Attribute (30), length: 21, Value: IW-REG001-SVCabc
NAS Port ID Attribute (87), length: 11, Value: BR-airmax
Username Attribute (1), length: 19, Value: 34:A8:EB:0B:4D:03
NAS Port Attribute (5), length: 6, Value: -2141191544
Accounting Session ID Attribute (44), length: 10, Value: 80600288
Framed IP Address Attribute (8), length: 6, Value: 192.168.98.189
Vendor Specific Attribute (26), length: 12, Value: Vendor:
Unknown (14988)
Vendor Attribute: 10, Length: 4, Value: ..b.
Class Attribute (25), length: 22, Value: iw-r001-sabc-bbbb
Event Timestamp Attribute (55), length: 6, Value: Thu Jun 25
09:31:01 2020
NAS ID Attribute (32), length: 13, Value: DHR Lucerna
Accounting Delay Attribute (41), length: 6, Value: 00 secs
NAS IP Address Attribute (4), length: 6, Value: xxxxx
09:31:01.474679 IP (tos 0x0, ttl 64, id 8369, offset 0, flags [none], proto
UDP (17), length 48)
yyyyy.radius-acct > xxxxx.59947: RADIUS, length: 20
Accounting Response (5), id: 0x1b, Authenticator:
3025c6d75fd16ac5992ac3278afa5630
As I mentioned before, I do not need the NAS to receive the info, it would
be sufficient for me to modify the proxied Accounting message. So, if
including the Class in Accounting Response is not possible (or does not do
what I need), I could solve it just between RADIUS and Accounting proxy.
I was trying to achieve this by including my function into "pre-proxy"
section of default site, but it does not influence the message, Class
contents is copied the same as it was ingested by the RADIUS. Can you
advise how to achieve this?
pre-proxy {
#attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
#files
xxx.rewrite.class
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
#attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
#pre_proxy_log
}
Thanks for all hints in advance,
Pavel Uhliar
2
1
Hello, guys.
I am stuck with rewriting the contents of Accounting messages and need your
advice.
I need to manipulate Class attribute (I might use another one, but I guess
there is no difference in handling attributes internally) according to
actual state of local database running on RADIUS server. To be specific,
based on data received in Access-Request packet and actual contents of
RADIUS database my custom function in policy.conf decides which service
name should be supplied to customer and relays this info to NAS using Class
attribute.
The NAS itself is not the entity that needs to receive the information. NAS
copies the Class attribute into subsequent Accounting messages sent after
opening the session, and those Accounting messages are proxied to another
entity (let's call it "black-box", since it is beyond my control).
Black-box influences traffic transferred by the session according to
service template (which is my desired effect).
xxx.rewrite.class {
if ((Called-Station-Id) && "%{Called-Station-Id}" =~
/^IW-REG([0-9]{3})-SVC(.*)$/i) {
update reply {
Class := "%{tolower:IW-R%{1}-S%{2}}-%{sql: SELECT SVC FROM radcheck
WHERE MAC='%{Calling-Station-Id}'}"
}
updated
}
else {
noop
}
}
I included my function into "authorize" and "preacct" sections of "default"
site config and everything works fine when the session is being started.
Now I need to change contents of the Class attribute DURING THE LIFETIME of
the session.
NAS keeps sending Accounting Interim updates. The information coming from
NAS is still the same as it was in Access-Request, but setting in local
database changed, so my script produces another contents for Class
attribute, and I need the change to be reflected in Accounting messsage
proxied to the black-box.
My idea was just to keep the same rewrite function in place, and I was
hoping that Class attribute will be sent back in response to Accounting
same as it was in response to Access-Request, then NAS will start to
include new version of my Class, that will be proxied to black-box, and
black-box does its job.
Unfortunately I can't get RADIUS to send the Class attribute in response to
Accounting message (neither Start nor Interim), Response contains just
Authenticator. So my intended solution does not work. Can you advise how to
force the Class attribute to be included?
09:31:01.466731 IP (tos 0x0, ttl 56, id 65225, offset 0, flags [DF], proto
UDP (17), length 217)
xxxxx.59947 > yyyyy.radius-acct: RADIUS, length: 189
Accounting Request (4), id: 0x1b, Authenticator:
c88c72cdfc48aa71744fbd90733a09a5
Accounting Status Attribute (40), length: 6, Value: Start
NAS Port Type Attribute (61), length: 6, Value: Wireless - IEEE
802.11
Calling Station Attribute (31), length: 19, Value:
34:A8:EB:0B:4D:03
Called Station Attribute (30), length: 21, Value: IW-REG001-SVCabc
NAS Port ID Attribute (87), length: 11, Value: BR-airmax
Username Attribute (1), length: 19, Value: 34:A8:EB:0B:4D:03
NAS Port Attribute (5), length: 6, Value: -2141191544
Accounting Session ID Attribute (44), length: 10, Value: 80600288
Framed IP Address Attribute (8), length: 6, Value: 192.168.98.189
Vendor Specific Attribute (26), length: 12, Value: Vendor:
Unknown (14988)
Vendor Attribute: 10, Length: 4, Value: ..b.
Class Attribute (25), length: 22, Value: iw-r001-sabc-bbbb
Event Timestamp Attribute (55), length: 6, Value: Thu Jun 25
09:31:01 2020
NAS ID Attribute (32), length: 13, Value: DHR Lucerna
Accounting Delay Attribute (41), length: 6, Value: 00 secs
NAS IP Address Attribute (4), length: 6, Value: xxxxx
09:31:01.474679 IP (tos 0x0, ttl 64, id 8369, offset 0, flags [none], proto
UDP (17), length 48)
yyyyy.radius-acct > xxxxx.59947: RADIUS, length: 20
Accounting Response (5), id: 0x1b, Authenticator:
3025c6d75fd16ac5992ac3278afa5630
As I mentioned before, I do not need the NAS to receive the info, it would
be sufficient for me to modify the proxied Accounting message. So, if
including the Class in Accounting Response is not possible (or does not do
what I need), I could solve it just between RADIUS and Accounting proxy.
I was trying to achieve this by including my function into "pre-proxy"
section of default site, but it does not influence the message, Class
contents is copied the same as it was ingested by the RADIUS. Can you
advise how to achieve this?
pre-proxy {
#attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
#files
xxx.rewrite.class
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
#attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
#pre_proxy_log
}
Thanks for all hints in advance,
Pavel Uhliar
1
0
Hi everyone,
My freeradius (FreeRADIUS Version 3.0.12) sometimes accept users and logs at postgre some username that just don’t exist at Active Directory. I just couldn’t debug and stopped at dead end now.
Here to illustrate:
Mon Jun 22 18:35:06 2020 : Auth: (82485) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 0 via TLS tunnel)
Mon Jun 22 18:35:06 2020 : Auth: (82486) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 2 cli E0-5F-45-###)
-[ RECORD 1 ]------+---------------------------------
radacctid | 5993772
acctsessionid | 38ED2133-00000040
acctuniqueid | 2e3edbe1aa2069c36ac67cf96384219c
username | e05f4588a57d
groupname |
realm |
nasipaddress | 10.34.27.223
nasportid | 2
nasporttype | Wireless-802.11
acctstarttime | 2020-06-22 18:35:05-03
acctupdatetime | 2020-06-22 18:35:05-03
acctstoptime | 2020-06-22 18:35:05-03
Mon Jun 22 19:04:09 2020 : Auth: (89109) Login OK: [flaviol] (from client AP-SD2-A07-Q04 port 0 via TLS tunnel)
Mon Jun 22 19:04:09 2020 : Auth: (89111) Login OK: [flaviol] (from client AP-SD2-A07-Q04 port 1 cli E0-5F-45-###)
-[ RECORD 1 ]------+---------------------------------
radacctid | 5994474
acctsessionid | 38FCC022-00000000
acctuniqueid | c980c8b18ff062712f838541c50d9d83
username | flaviol
realm |
nasipaddress | 10.34.58.220
nasportid | 1
nasporttype | Wireless-802.11
acctstarttime | 2020-06-22 19:04:09-03
acctupdatetime | 2020-06-22 19:04:11-03
acctstoptime | 2020-06-22 19:04:11-03
Both entries are from the same device (same MAC address), received Login OK, but the first one got that string as username. Client is not the same. But there is a lot of entries with the correct username for that client.
The odd thing is when it happens, the same string appears to the that user all the time. For other user, a different string appears and it will be always the same.
Sorry, but this is a difficult problem to explain... Even the title of thread was difficult to choose =[
Anyway, can anyone help me debug this problem?
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.12 (stretch)
Release: 9.12
Codename: stretch
# dpkg -l freeradius
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-========================-=================-=================-=====================================================
ii freeradius 3.0.12+dfsg-5+deb amd64 high-performance and highly configurable RADIUS serve
#
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.22 22:51:13 =~=~=~=~=~=~=~=~=~=~=~=
freeradius -X
FreeRADIUS Version 3.0.12
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/date
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/control-socket
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/status
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 204800
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = NTLM_AUTH
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Acct-Type = Status-Server
# Creating Autz-Type = Status-Server
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "notice"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "notice"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 204800
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_date
# Loading module "date" from file /etc/freeradius/3.0/mods-enabled/date
date {
format = "%a, %d-%m-%Y %H:%M:%S"
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MPDFT --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
sql {
driver = "rlm_sql_postgresql"
server = "localhost"
port = 5432
login = "radius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}"
type {
accounting-on {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
accounting-off {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
}
start {
query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)"
}
interim-update {
query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, AcctInterval = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
stop {
query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))"
}
}
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
ntlm_auth_username = "username: %{mschap:User-Name}"
ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
}
allow_retry = yes
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
instantiate {
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
}
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
postgresql {
send_application_name = no
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13108
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13109
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13110
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13111
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13112
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 179 , fields = 6
rlm_sql (sql): Adding client 10.34.158.220 (AP-AGC-A03-220) to global clients list
rlm_sql (10.34.158.220): Client "AP-AGC-A03-220" (sql) added
rlm_sql (sql): Adding client 10.34.158.221 (AP-AGC-A03-221) to global clients list
rlm_sql (10.34.158.221): Client "AP-AGC-A03-221" (sql) added
rlm_sql (sql): Adding client 10.35.93.224 (AP-BR2-A01-Q01) to global clients list
rlm_sql (10.35.93.224): Client "AP-BR2-A01-Q01" (sql) added
rlm_sql (sql): Adding client 10.35.93.225 (AP-BR2-A01-Q02) to global clients list
rlm_sql (10.35.93.225): Client "AP-BR2-A01-Q02" (sql) added
rlm_sql (sql): Adding client 10.35.93.226 (AP-BR2-A01-Q03) to global clients list
rlm_sql (10.35.93.226): Client "AP-BR2-A01-Q03" (sql) added
rlm_sql (sql): Adding client 10.35.93.227 (AP-BR2-A01-Q04) to global clients list
rlm_sql (10.35.93.227): Client "AP-BR2-A01-Q04" (sql) added
rlm_sql (sql): Adding client 10.35.93.228 (AP-BR2-A02-Q01) to global clients list
rlm_sql (10.35.93.228): Client "AP-BR2-A02-Q01" (sql) added
rlm_sql (sql): Adding client 10.35.93.229 (AP-BR2-A02-Q02) to global clients list
rlm_sql (10.35.93.229): Client "AP-BR2-A02-Q02" (sql) added
rlm_sql (sql): Adding client 10.35.93.230 (AP-BR2-A02-Q03) to global clients list
rlm_sql (10.35.93.230): Client "AP-BR2-A02-Q03" (sql) added
rlm_sql (sql): Adding client 10.35.93.231 (AP-BR2-A02-Q04) to global clients list
rlm_sql (10.35.93.231): Client "AP-BR2-A02-Q04" (sql) added
rlm_sql (sql): Adding client 10.35.93.223 (AP-BR2-TER-223) to global clients list
rlm_sql (10.35.93.223): Client "AP-BR2-TER-223" (sql) added
rlm_sql (sql): Adding client 10.35.93.221 (AP-BR2-TER-Q02) to global clients list
rlm_sql (10.35.93.221): Client "AP-BR2-TER-Q02" (sql) added
rlm_sql (sql): Adding client 10.35.93.222 (AP-BR2-TER-Q03) to global clients list
rlm_sql (10.35.93.222): Client "AP-BR2-TER-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.82.220 (AP-BRZ-TER-220) to global clients list
rlm_sql (10.34.82.220): Client "AP-BRZ-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.82.221 (AP-BRZ-TER-221) to global clients list
rlm_sql (10.34.82.221): Client "AP-BRZ-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.82.222 (AP-BRZ-TER-222) to global clients list
rlm_sql (10.34.82.222): Client "AP-BRZ-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.87.220 (AP-CEI-A01-220) to global clients list
rlm_sql (10.34.87.220): Client "AP-CEI-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.87.222 (AP-CEI-A01-222) to global clients list
rlm_sql (10.34.87.222): Client "AP-CEI-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.87.224 (AP-CEI-SUB-224) to global clients list
rlm_sql (10.34.87.224): Client "AP-CEI-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.87.221 (AP-CEI-TER-221) to global clients list
rlm_sql (10.34.87.221): Client "AP-CEI-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.87.223 (AP-CEI-TER-223) to global clients list
rlm_sql (10.34.87.223): Client "AP-CEI-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.92.225 (AP-CRI-A01-225) to global clients list
rlm_sql (10.34.92.225): Client "AP-CRI-A01-225" (sql) added
rlm_sql (sql): Adding client 10.34.92.226 (AP-CRI-A01-226) to global clients list
rlm_sql (10.34.92.226): Client "AP-CRI-A01-226" (sql) added
rlm_sql (sql): Adding client 10.34.92.223 (AP-CRI-A02-223) to global clients list
rlm_sql (10.34.92.223): Client "AP-CRI-A02-223" (sql) added
rlm_sql (sql): Adding client 10.34.92.227 (AP-CRI-A02-227) to global clients list
rlm_sql (10.34.92.227): Client "AP-CRI-A02-227" (sql) added
rlm_sql (sql): Adding client 10.34.92.234 (AP-CRI-A02-234) to global clients list
rlm_sql (10.34.92.234): Client "AP-CRI-A02-234" (sql) added
rlm_sql (sql): Adding client 10.34.97.221 (AP-GAM-A01-221) to global clients list
rlm_sql (10.34.97.221): Client "AP-GAM-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.97.223 (AP-GAM-A01-223) to global clients list
rlm_sql (10.34.97.223): Client "AP-GAM-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.97.220 (AP-GAM-SUB-220) to global clients list
rlm_sql (10.34.97.220): Client "AP-GAM-SUB-220" (sql) added
rlm_sql (sql): Adding client 10.34.97.222 (AP-GAM-TER-222) to global clients list
rlm_sql (10.34.97.222): Client "AP-GAM-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.102.220 (AP-GAR-A01-220) to global clients list
rlm_sql (10.34.102.220): Client "AP-GAR-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.117.221 (AP-INF-A01-221) to global clients list
rlm_sql (10.34.117.221): Client "AP-INF-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.117.222 (AP-INF-A01-222) to global clients list
rlm_sql (10.34.117.222): Client "AP-INF-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.121.100 (AP-INF-SUB-121) to global clients list
rlm_sql (10.34.121.100): Client "AP-INF-SUB-121" (sql) added
rlm_sql (sql): Adding client 10.34.117.224 (AP-INF-SUB-224) to global clients list
rlm_sql (10.34.117.224): Client "AP-INF-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.117.225 (AP-INF-SUB-225) to global clients list
rlm_sql (10.34.117.225): Client "AP-INF-SUB-225" (sql) added
rlm_sql (sql): Adding client 10.34.117.220 (AP-INF-TER-220) to global clients list
rlm_sql (10.34.117.220): Client "AP-INF-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.117.223 (AP-INF-TER-223) to global clients list
rlm_sql (10.34.117.223): Client "AP-INF-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.177.220 (AP-NAI-A01-220) to global clients list
rlm_sql (10.34.177.220): Client "AP-NAI-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.127.221 (AP-PAR-A01-221) to global clients list
rlm_sql (10.34.127.221): Client "AP-PAR-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.127.224 (AP-PAR-A01-224) to global clients list
rlm_sql (10.34.127.224): Client "AP-PAR-A01-224" (sql) added
rlm_sql (sql): Adding client 10.34.127.223 (AP-PAR-SUB-223) to global clients list
rlm_sql (10.34.127.223): Client "AP-PAR-SUB-223" (sql) added
rlm_sql (sql): Adding client 10.34.127.225 (AP-PAR-SUB-225) to global clients list
rlm_sql (10.34.127.225): Client "AP-PAR-SUB-225" (sql) added
rlm_sql (sql): Adding client 10.34.127.220 (AP-PAR-TER-220) to global clients list
rlm_sql (10.34.127.220): Client "AP-PAR-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.127.222 (AP-PAR-TER-222) to global clients list
rlm_sql (10.34.127.222): Client "AP-PAR-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.132.222 (AP-PLA-A01-222) to global clients list
rlm_sql (10.34.132.222): Client "AP-PLA-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.132.223 (AP-PLA-A01-223) to global clients list
rlm_sql (10.34.132.223): Client "AP-PLA-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.132.224 (AP-PLA-SUB-224) to global clients list
rlm_sql (10.34.132.224): Client "AP-PLA-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.132.220 (AP-PLA-TER-220) to global clients list
rlm_sql (10.34.132.220): Client "AP-PLA-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.132.221 (AP-PLA-TER-221) to global clients list
rlm_sql (10.34.132.221): Client "AP-PLA-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.187.222 (AP-REM-A01-222) to global clients list
rlm_sql (10.34.187.222): Client "AP-REM-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.187.223 (AP-REM-A01-223) to global clients list
rlm_sql (10.34.187.223): Client "AP-REM-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.187.220 (AP-REM-SUB-220) to global clients list
rlm_sql (10.34.187.220): Client "AP-REM-SUB-220" (sql) added
rlm_sql (sql): Adding client 10.34.187.221 (AP-REM-TER-221) to global clients list
rlm_sql (10.34.187.221): Client "AP-REM-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.137.223 (AP-SAM-A01-223) to global clients list
rlm_sql (10.34.137.223): Client "AP-SAM-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.137.224 (AP-SAM-A01-224) to global clients list
rlm_sql (10.34.137.224): Client "AP-SAM-A01-224" (sql) added
rlm_sql (sql): Adding client 10.34.137.222 (AP-SAM-SUB-222) to global clients list
rlm_sql (10.34.137.222): Client "AP-SAM-SUB-222" (sql) added
rlm_sql (sql): Adding client 10.34.137.225 (AP-SAM-SUB-225) to global clients list
rlm_sql (10.34.137.225): Client "AP-SAM-SUB-225" (sql) added
rlm_sql (sql): Adding client 10.34.137.226 (AP-SAM-SUB-226) to global clients list
rlm_sql (10.34.137.226): Client "AP-SAM-SUB-226" (sql) added
rlm_sql (sql): Adding client 10.34.137.220 (AP-SAM-TER-220) to global clients list
rlm_sql (10.34.137.220): Client "AP-SAM-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.137.221 (AP-SAM-TER-221) to global clients list
rlm_sql (10.34.137.221): Client "AP-SAM-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.9.222 (AP-SD1-A01-Q01) to global clients list
rlm_sql (10.34.9.222): Client "AP-SD1-A01-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.9.223 (AP-SD1-A01-Q02) to global clients list
rlm_sql (10.34.9.223): Client "AP-SD1-A01-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.9.220 (AP-SD1-A01-Q03) to global clients list
rlm_sql (10.34.9.220): Client "AP-SD1-A01-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.9.221 (AP-SD1-A01-Q04) to global clients list
rlm_sql (10.34.9.221): Client "AP-SD1-A01-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.12.222 (AP-SD1-A02-Q01) to global clients list
rlm_sql (10.34.12.222): Client "AP-SD1-A02-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.12.223 (AP-SD1-A02-Q02) to global clients list
rlm_sql (10.34.12.223): Client "AP-SD1-A02-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.12.220 (AP-SD1-A02-Q03) to global clients list
rlm_sql (10.34.12.220): Client "AP-SD1-A02-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.12.221 (AP-SD1-A02-Q04) to global clients list
rlm_sql (10.34.12.221): Client "AP-SD1-A02-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.15.221 (AP-SD1-A03-Q01) to global clients list
rlm_sql (10.34.15.221): Client "AP-SD1-A03-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.15.220 (AP-SD1-A03-Q02) to global clients list
rlm_sql (10.34.15.220): Client "AP-SD1-A03-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.15.223 (AP-SD1-A03-Q03) to global clients list
rlm_sql (10.34.15.223): Client "AP-SD1-A03-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.15.222 (AP-SD1-A03-Q04) to global clients list
rlm_sql (10.34.15.222): Client "AP-SD1-A03-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.18.222 (AP-SD1-A04-Q01) to global clients list
rlm_sql (10.34.18.222): Client "AP-SD1-A04-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.18.223 (AP-SD1-A04-Q02) to global clients list
rlm_sql (10.34.18.223): Client "AP-SD1-A04-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.18.220 (AP-SD1-A04-Q03) to global clients list
rlm_sql (10.34.18.220): Client "AP-SD1-A04-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.21.223 (AP-SD1-A05-Q01) to global clients list
rlm_sql (10.34.21.223): Client "AP-SD1-A05-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.21.222 (AP-SD1-A05-Q02) to global clients list
rlm_sql (10.34.21.222): Client "AP-SD1-A05-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.21.221 (AP-SD1-A05-Q03) to global clients list
rlm_sql (10.34.21.221): Client "AP-SD1-A05-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.21.220 (AP-SD1-A05-Q04) to global clients list
rlm_sql (10.34.21.220): Client "AP-SD1-A05-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.24.223 (AP-SD1-A06-Q01) to global clients list
rlm_sql (10.34.24.223): Client "AP-SD1-A06-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.24.222 (AP-SD1-A06-Q02) to global clients list
rlm_sql (10.34.24.222): Client "AP-SD1-A06-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.24.221 (AP-SD1-A06-Q03) to global clients list
rlm_sql (10.34.24.221): Client "AP-SD1-A06-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.24.220 (AP-SD1-A06-Q04) to global clients list
rlm_sql (10.34.24.220): Client "AP-SD1-A06-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.27.220 (AP-SD1-A07-Q01) to global clients list
rlm_sql (10.34.27.220): Client "AP-SD1-A07-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.27.221 (AP-SD1-A07-Q02) to global clients list
rlm_sql (10.34.27.221): Client "AP-SD1-A07-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.27.222 (AP-SD1-A07-Q03) to global clients list
rlm_sql (10.34.27.222): Client "AP-SD1-A07-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.27.223 (AP-SD1-A07-Q04) to global clients list
rlm_sql (10.34.27.223): Client "AP-SD1-A07-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.30.220 (AP-SD1-A08-Q01) to global clients list
rlm_sql (10.34.30.220): Client "AP-SD1-A08-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.30.221 (AP-SD1-A08-Q02) to global clients list
rlm_sql (10.34.30.221): Client "AP-SD1-A08-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.30.222 (AP-SD1-A08-Q03) to global clients list
rlm_sql (10.34.30.222): Client "AP-SD1-A08-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.30.223 (AP-SD1-A08-Q04) to global clients list
rlm_sql (10.34.30.223): Client "AP-SD1-A08-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.33.221 (AP-SD1-A09-Q01) to global clients list
rlm_sql (10.34.33.221): Client "AP-SD1-A09-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.33.220 (AP-SD1-A09-Q02) to global clients list
rlm_sql (10.34.33.220): Client "AP-SD1-A09-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.33.222 (AP-SD1-A09-Q03) to global clients list
rlm_sql (10.34.33.222): Client "AP-SD1-A09-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.33.223 (AP-SD1-A09-Q04) to global clients list
rlm_sql (10.34.33.223): Client "AP-SD1-A09-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.7.220 (AP-SD1-MEZ-220) to global clients list
rlm_sql (10.34.7.220): Client "AP-SD1-MEZ-220" (sql) added
rlm_sql (sql): Adding client 10.34.5.220 (AP-SD1-SUB-Q02) to global clients list
rlm_sql (10.34.5.220): Client "AP-SD1-SUB-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.5.223 (AP-SD1-SUB-Q03) to global clients list
rlm_sql (10.34.5.223): Client "AP-SD1-SUB-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.5.222 (AP-SD1-SUB-Q04) to global clients list
rlm_sql (10.34.5.222): Client "AP-SD1-SUB-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.7.221 (AP-SD1-TER-221) to global clients list
rlm_sql (10.34.7.221): Client "AP-SD1-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.7.222 (AP-SD1-TER-222) to global clients list
rlm_sql (10.34.7.222): Client "AP-SD1-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.7.223 (AP-SD1-TER-223) to global clients list
rlm_sql (10.34.7.223): Client "AP-SD1-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.7.224 (AP-SD1-TER-224) to global clients list
rlm_sql (10.34.7.224): Client "AP-SD1-TER-224" (sql) added
rlm_sql (sql): Adding client 10.34.40.222 (AP-SD2-A01-Q01) to global clients list
rlm_sql (10.34.40.222): Client "AP-SD2-A01-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.40.223 (AP-SD2-A01-Q02) to global clients list
rlm_sql (10.34.40.223): Client "AP-SD2-A01-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.40.221 (AP-SD2-A01-Q03) to global clients list
rlm_sql (10.34.40.221): Client "AP-SD2-A01-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.40.220 (AP-SD2-A01-Q04) to global clients list
rlm_sql (10.34.40.220): Client "AP-SD2-A01-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.43.222 (AP-SD2-A02-Q01) to global clients list
rlm_sql (10.34.43.222): Client "AP-SD2-A02-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.43.223 (AP-SD2-A02-Q02) to global clients list
rlm_sql (10.34.43.223): Client "AP-SD2-A02-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.43.221 (AP-SD2-A02-Q03) to global clients list
rlm_sql (10.34.43.221): Client "AP-SD2-A02-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.43.220 (AP-SD2-A02-Q04) to global clients list
rlm_sql (10.34.43.220): Client "AP-SD2-A02-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.46.222 (AP-SD2-A03-Q01) to global clients list
rlm_sql (10.34.46.222): Client "AP-SD2-A03-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.46.223 (AP-SD2-A03-Q02) to global clients list
rlm_sql (10.34.46.223): Client "AP-SD2-A03-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.46.221 (AP-SD2-A03-Q03) to global clients list
rlm_sql (10.34.46.221): Client "AP-SD2-A03-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.46.220 (AP-SD2-A03-Q04) to global clients list
rlm_sql (10.34.46.220): Client "AP-SD2-A03-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.49.222 (AP-SD2-A04-Q01) to global clients list
rlm_sql (10.34.49.222): Client "AP-SD2-A04-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.49.223 (AP-SD2-A04-Q02) to global clients list
rlm_sql (10.34.49.223): Client "AP-SD2-A04-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.49.221 (AP-SD2-A04-Q03) to global clients list
rlm_sql (10.34.49.221): Client "AP-SD2-A04-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.49.220 (AP-SD2-A04-Q04) to global clients list
rlm_sql (10.34.49.220): Client "AP-SD2-A04-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.52.222 (AP-SD2-A05-Q01) to global clients list
rlm_sql (10.34.52.222): Client "AP-SD2-A05-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.52.223 (AP-SD2-A05-Q02) to global clients list
rlm_sql (10.34.52.223): Client "AP-SD2-A05-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.52.221 (AP-SD2-A05-Q03) to global clients list
rlm_sql (10.34.52.221): Client "AP-SD2-A05-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.52.220 (AP-SD2-A05-Q04) to global clients list
rlm_sql (10.34.52.220): Client "AP-SD2-A05-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.55.222 (AP-SD2-A06-Q01) to global clients list
rlm_sql (10.34.55.222): Client "AP-SD2-A06-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.55.223 (AP-SD2-A06-Q02) to global clients list
rlm_sql (10.34.55.223): Client "AP-SD2-A06-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.55.221 (AP-SD2-A06-Q03) to global clients list
rlm_sql (10.34.55.221): Client "AP-SD2-A06-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.55.220 (AP-SD2-A06-Q04) to global clients list
rlm_sql (10.34.55.220): Client "AP-SD2-A06-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.58.222 (AP-SD2-A07-Q01) to global clients list
rlm_sql (10.34.58.222): Client "AP-SD2-A07-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.58.223 (AP-SD2-A07-Q02) to global clients list
rlm_sql (10.34.58.223): Client "AP-SD2-A07-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.58.221 (AP-SD2-A07-Q03) to global clients list
rlm_sql (10.34.58.221): Client "AP-SD2-A07-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.58.220 (AP-SD2-A07-Q04) to global clients list
rlm_sql (10.34.58.220): Client "AP-SD2-A07-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.61.222 (AP-SD2-A08-Q01) to global clients list
rlm_sql (10.34.61.222): Client "AP-SD2-A08-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.61.223 (AP-SD2-A08-Q02) to global clients list
rlm_sql (10.34.61.223): Client "AP-SD2-A08-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.61.221 (AP-SD2-A08-Q03) to global clients list
rlm_sql (10.34.61.221): Client "AP-SD2-A08-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.61.220 (AP-SD2-A08-Q04) to global clients list
rlm_sql (10.34.61.220): Client "AP-SD2-A08-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.64.222 (AP-SD2-A09-Q01) to global clients list
rlm_sql (10.34.64.222): Client "AP-SD2-A09-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.64.223 (AP-SD2-A09-Q02) to global clients list
rlm_sql (10.34.64.223): Client "AP-SD2-A09-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.64.221 (AP-SD2-A09-Q03) to global clients list
rlm_sql (10.34.64.221): Client "AP-SD2-A09-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.64.220 (AP-SD2-A09-Q04) to global clients list
rlm_sql (10.34.64.220): Client "AP-SD2-A09-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.38.221 (AP-SD2-MEZ-Q01) to global clients list
rlm_sql (10.34.38.221): Client "AP-SD2-MEZ-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.38.220 (AP-SD2-MEZ-Q04) to global clients list
rlm_sql (10.34.38.220): Client "AP-SD2-MEZ-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.36.219 (AP-SD2-S02-Q01) to global clients list
rlm_sql (10.34.36.219): Client "AP-SD2-S02-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.36.220 (AP-SD2-SUB-220) to global clients list
rlm_sql (10.34.36.220): Client "AP-SD2-SUB-220" (sql) added
rlm_sql (sql): Adding client 10.34.36.222 (AP-SD2-TER-Q02) to global clients list
rlm_sql (10.34.36.222): Client "AP-SD2-TER-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.36.221 (AP-SD2-TER-Q03) to global clients list
rlm_sql (10.34.36.221): Client "AP-SD2-TER-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.36.224 (AP-SD2-TER-Q04) to global clients list
rlm_sql (10.34.36.224): Client "AP-SD2-TER-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.147.219 (AP-SEB-A01-219) to global clients list
rlm_sql (10.34.147.219): Client "AP-SEB-A01-219" (sql) added
rlm_sql (sql): Adding client 10.34.147.222 (AP-SEB-A01-222) to global clients list
rlm_sql (10.34.147.222): Client "AP-SEB-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.147.224 (AP-SEB-A01-224) to global clients list
rlm_sql (10.34.147.224): Client "AP-SEB-A01-224" (sql) added
rlm_sql (sql): Adding client 10.34.147.225 (AP-SEB-A01-225) to global clients list
rlm_sql (10.34.147.225): Client "AP-SEB-A01-225" (sql) added
rlm_sql (sql): Adding client 10.34.147.223 (AP-SEB-SUB-223) to global clients list
rlm_sql (10.34.147.223): Client "AP-SEB-SUB-223" (sql) added
rlm_sql (sql): Adding client 10.34.147.227 (AP-SEB-SUB-227) to global clients list
rlm_sql (10.34.147.227): Client "AP-SEB-SUB-227" (sql) added
rlm_sql (sql): Adding client 10.34.147.218 (AP-SEB-TER-218) to global clients list
rlm_sql (10.34.147.218): Client "AP-SEB-TER-218" (sql) added
rlm_sql (sql): Adding client 10.34.147.220 (AP-SEB-TER-220) to global clients list
rlm_sql (10.34.147.220): Client "AP-SEB-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.147.221 (AP-SEB-TER-221) to global clients list
rlm_sql (10.34.147.221): Client "AP-SEB-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.147.226 (AP-SEB-TER-226) to global clients list
rlm_sql (10.34.147.226): Client "AP-SEB-TER-226" (sql) added
rlm_sql (sql): Adding client 10.34.152.219 (AP-SOB-A02-219) to global clients list
rlm_sql (10.34.152.219): Client "AP-SOB-A02-219" (sql) added
rlm_sql (sql): Adding client 10.34.152.221 (AP-SOB-TER-221) to global clients list
rlm_sql (10.34.152.221): Client "AP-SOB-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.142.220 (AP-STA-A01-220) to global clients list
rlm_sql (10.34.142.220): Client "AP-STA-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.142.223 (AP-STA-A01-223) to global clients list
rlm_sql (10.34.142.223): Client "AP-STA-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.142.222 (AP-STA-SUB-222) to global clients list
rlm_sql (10.34.142.222): Client "AP-STA-SUB-222" (sql) added
rlm_sql (sql): Adding client 10.34.142.221 (AP-STA-TER-221) to global clients list
rlm_sql (10.34.142.221): Client "AP-STA-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.157.220 (AP-TAG-A01-220) to global clients list
rlm_sql (10.34.157.220): Client "AP-TAG-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.157.221 (AP-TAG-A01-221) to global clients list
rlm_sql (10.34.157.221): Client "AP-TAG-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.157.224 (AP-TAG-SUB-224) to global clients list
rlm_sql (10.34.157.224): Client "AP-TAG-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.157.223 (AP-TAG-TER-223) to global clients list
rlm_sql (10.34.157.223): Client "AP-TAG-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.182.220 (AP-TJ-GUA-220) to global clients list
rlm_sql (10.34.182.220): Client "AP-TJ-GUA-220" (sql) added
rlm_sql (sql): Adding client 10.34.157.222 (AP-TAG-TER-222) to global clients list
rlm_sql (10.34.157.222): Client "AP-TAG-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.240.20 (nagios) to global clients list
rlm_sql (10.34.240.20): Client "nagios" (sql) added
rlm_sql (sql): Adding client 10.34.241.56 (nagios2) to global clients list
rlm_sql (10.34.241.56): Client "nagios2" (sql) added
rlm_sql (sql): Adding client 10.34.173.10 (nagiosCont) to global clients list
rlm_sql (10.34.173.10): Client "nagiosCont" (sql) added
rlm_sql (sql): Adding client 10.34.5.221 (AP-SD1-SUB-Q01) to global clients list
rlm_sql (10.34.5.221): Client "AP-SD1-SUB-Q01" (sql) added
rlm_sql (sql): Adding client 10.35.93.220 (AP-BR2-S01-220) to global clients list
rlm_sql (10.35.93.220): Client "AP-BR2-S01-220" (sql) added
rlm_sql (sql): Adding client 10.34.152.220 (AP-SOB-A01-220) to global clients list
rlm_sql (10.34.152.220): Client "AP-SOB-A01-220" (sql) added
rlm_sql (sql): Adding client 10.35.36.201 (AP-SD2-S02-201) to global clients list
rlm_sql (10.35.36.201): Client "AP-SD2-S02-201" (sql) added
rlm_sql (sql): Adding client 10.34.97.219 (AP-GAM-S01-219) to global clients list
rlm_sql (10.34.97.219): Client "AP-GAM-S01-219" (sql) added
rlm_sql (sql): Adding client 10.34.97.224 (AP-GAM-TER-224) to global clients list
rlm_sql (10.34.97.224): Client "AP-GAM-TER-224" (sql) added
rlm_sql (sql): Adding client 10.34.36.223 (AP-SD2-S01-Q01) to global clients list
rlm_sql (10.34.36.223): Client "AP-SD2-S01-Q01" (sql) added
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13113
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
rlm_mschap (mschap): Opening additional connection (0), 1 of 32 pending slots used
rlm_mschap (mschap): Opening additional connection (1), 1 of 31 pending slots used
rlm_mschap (mschap): Opening additional connection (2), 1 of 30 pending slots used
rlm_mschap (mschap): Opening additional connection (3), 1 of 29 pending slots used
rlm_mschap (mschap): Opening additional connection (4), 1 of 28 pending slots used
rlm_mschap (mschap): authenticating directly to winbind
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
rlm_detail (detail): 'User-Password' suppressed, will not appear in detail output
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server status { # from file /etc/freeradius/3.0/sites-enabled/status
# Loading authorize {...}
} # server status
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/var/run/freeradius/freeradius.sock"
mode = "rw"
peercred = yes
}
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18121
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
Listening on command file /var/run/freeradius/freeradius.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on proxy address * port 54845
Listening on proxy address :: port 40154
Ready to process requests
3
7
Is it possible?
I tried in users file:
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#
DEFAULT Group == "Domain Computers", Auth-Type := Reject
Reply-Message = "Autenticacao de maquinas desabilitada."
DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject
Reply-Message = "Autenticacao de contas de servico desabilitada."
Domain Computers doesnt work. TodasContasEspeciais Works fine.
This entry here works fine too:
DEFAULT Group == "domain users", Simultaneous-Use := 2
Idle-Timeout := 300,
Fall-Through = Yes
Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...)
(83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
(83533) User-Name = "host/n65144.mpdft.gov.br"
(83533) NAS-IP-Address = 10.34.177.220
(83533) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83533) NAS-Port-Id = "00000001"
(83533) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83533) NAS-Port-Type = Wireless-802.11
(83533) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83533) Service-Type = Framed-User
(83533) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83533) Connect-Info = "CONNECT 0Mbps 802.11b"
(83533) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83533) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83533) WLAN-Pairwise-Cipher = 1027076
(83533) WLAN-Group-Cipher = 1027076
(83533) WLAN-AKM-Suite = 1027073
(83533) Framed-MTU = 1400
(83533) EAP-Message = 0x02bf001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83533) Message-Authenticator = 0x7c8882b39ec98c99e1110bdf525b977f
(83533) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83533) authorize {
(83533) policy filter_username {
(83533) if (&User-Name) {
(83533) if (&User-Name) -> TRUE
(83533) if (&User-Name) {
(83533) if (&User-Name != "%{tolower:%{User-Name}}") {
(83533) EXPAND %{tolower:%{User-Name}}
(83533) --> host/n65144.mpdft.gov.br
(83533) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83533) if (&User-Name =~ / /) {
(83533) if (&User-Name =~ / /) -> FALSE
(83533) if (&User-Name =~ /@[^@]*@/ ) {
(83533) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83533) if (&User-Name =~ /\.\./ ) {
(83533) if (&User-Name =~ /\.\./ ) -> FALSE
(83533) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83533) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83533) if (&User-Name =~ /\.$/) {
(83533) if (&User-Name =~ /\.$/) -> FALSE
(83533) if (&User-Name =~ /(a)\./) {
(83533) if (&User-Name =~ /(a)\./) -> FALSE
(83533) } # if (&User-Name) = notfound
(83533) } # policy filter_username = notfound
(83533) [preprocess] = ok
(83533) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83533) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83533) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83533) auth_log: EXPAND %t
(83533) auth_log: --> Tue Jun 23 13:47:25 2020
(83533) [auth_log] = ok
(83533) [chap] = noop
(83533) [mschap] = noop
(83533) [digest] = noop
(83533) suffix: Checking for suffix after "@"
(83533) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83533) suffix: No such realm "NULL"
(83533) [suffix] = noop
(83533) eap: Peer sent EAP Response (code 2) ID 191 length 29
(83533) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(83533) [eap] = ok
(83533) } # authorize = ok
(83533) Found Auth-Type = eap
(83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83533) authenticate {
(83533) eap: Peer sent packet with method EAP Identity (1)
(83533) eap: Calling submodule eap_md5 to process data
(83533) eap_md5: Issuing MD5 Challenge
(83533) eap: Sending EAP Request (code 1) ID 192 length 22
(83533) eap: EAP session adding &reply:State = 0x592274a559e270cf
(83533) [eap] = handled
(83533) } # authenticate = handled
(83533) Using Post-Auth-Type Challenge
(83533) Post-Auth-Type sub-section not found. Ignoring.
(83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83533) Sent Access-Challenge Id 116 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83533) EAP-Message = 0x01c00016041005768a2deba77dd47f9bb481032d785f
(83533) Message-Authenticator = 0x00000000000000000000000000000000
(83533) State = 0x592274a559e270cf5d11088ba56bbac4
(83533) Finished request
(83534) Received Access-Request Id 117 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83534) User-Name = "host/n65144.mpdft.gov.br"
(83534) NAS-IP-Address = 10.34.177.220
(83534) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83534) NAS-Port-Id = "00000001"
(83534) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83534) NAS-Port-Type = Wireless-802.11
(83534) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83534) Service-Type = Framed-User
(83534) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83534) Connect-Info = "CONNECT 0Mbps 802.11b"
(83534) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83534) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83534) WLAN-Pairwise-Cipher = 1027076
(83534) WLAN-Group-Cipher = 1027076
(83534) WLAN-AKM-Suite = 1027073
(83534) Framed-MTU = 1400
(83534) EAP-Message = 0x02c000060319
(83534) State = 0x592274a559e270cf5d11088ba56bbac4
(83534) Message-Authenticator = 0x255275434bb38a137ce44e1cdbbd154d
(83534) session-state: No cached attributes
(83534) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83534) authorize {
(83534) policy filter_username {
(83534) if (&User-Name) {
(83534) if (&User-Name) -> TRUE
(83534) if (&User-Name) {
(83534) if (&User-Name != "%{tolower:%{User-Name}}") {
(83534) EXPAND %{tolower:%{User-Name}}
(83534) --> host/n65144.mpdft.gov.br
(83534) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83534) if (&User-Name =~ / /) {
(83534) if (&User-Name =~ / /) -> FALSE
(83534) if (&User-Name =~ /@[^@]*@/ ) {
(83534) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83534) if (&User-Name =~ /\.\./ ) {
(83534) if (&User-Name =~ /\.\./ ) -> FALSE
(83534) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83534) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83534) if (&User-Name =~ /\.$/) {
(83534) if (&User-Name =~ /\.$/) -> FALSE
(83534) if (&User-Name =~ /(a)\./) {
(83534) if (&User-Name =~ /(a)\./) -> FALSE
(83534) } # if (&User-Name) = notfound
(83534) } # policy filter_username = notfound
(83534) [preprocess] = ok
(83534) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83534) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83534) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83534) auth_log: EXPAND %t
(83534) auth_log: --> Tue Jun 23 13:47:25 2020
(83534) [auth_log] = ok
(83534) [chap] = noop
(83534) [mschap] = noop
(83534) [digest] = noop
(83534) suffix: Checking for suffix after "@"
(83534) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83534) suffix: No such realm "NULL"
(83534) [suffix] = noop
(83534) eap: Peer sent EAP Response (code 2) ID 192 length 6
(83534) eap: No EAP Start, assuming it's an on-going EAP conversation
(83534) [eap] = updated
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) [files] = noop
(83534) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83534) sql: --> host/n65144.mpdft.gov.br
(83534) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83534) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83534) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83534) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83534) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83534) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83534) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83534) sql: User not found in any groups
(83534) [sql] = notfound
(83534) [expiration] = noop
(83534) [logintime] = noop
(83534) if (ok) {
(83534) if (ok) -> FALSE
(83534) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(83534) pap: WARNING: Authentication will fail unless a "known good" password is available
(83534) [pap] = noop
(83534) } # authorize = updated
(83534) Found Auth-Type = eap
(83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83534) authenticate {
(83534) eap: Expiring EAP session with state 0x9017180393030136
(83534) eap: Finished EAP session with state 0x592274a559e270cf
(83534) eap: Previous EAP request found for state 0x592274a559e270cf, released from the list
(83534) eap: Peer sent packet with method EAP NAK (3)
(83534) eap: Found mutually acceptable type PEAP (25)
(83534) eap: Calling submodule eap_peap to process data
(83534) eap_peap: Initiating new EAP-TLS session
(83534) eap_peap: [eaptls start] = request
(83534) eap: Sending EAP Request (code 1) ID 193 length 6
(83534) eap: EAP session adding &reply:State = 0x592274a558e36dcf
(83534) [eap] = handled
(83534) } # authenticate = handled
(83534) Using Post-Auth-Type Challenge
(83534) Post-Auth-Type sub-section not found. Ignoring.
(83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83534) Sent Access-Challenge Id 117 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83534) EAP-Message = 0x01c100061920
(83534) Message-Authenticator = 0x00000000000000000000000000000000
(83534) State = 0x592274a558e36dcf5d11088ba56bbac4
(83534) Finished request
(83535) Received Access-Request Id 118 from 10.34.177.220:37268 to 10.34.242.3:1812 length 451
(83535) User-Name = "host/n65144.mpdft.gov.br"
(83535) NAS-IP-Address = 10.34.177.220
(83535) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83535) NAS-Port-Id = "00000001"
(83535) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83535) NAS-Port-Type = Wireless-802.11
(83535) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83535) Service-Type = Framed-User
(83535) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83535) Connect-Info = "CONNECT 0Mbps 802.11b"
(83535) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83535) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83535) WLAN-Pairwise-Cipher = 1027076
(83535) WLAN-Group-Cipher = 1027076
(83535) WLAN-AKM-Suite = 1027073
(83535) Framed-MTU = 1400
(83535) EAP-Message = 0x02c100a619800000009c16030300970100009303035ef232201f924dbda3d2ec6cfae7c1dd5d52c00d55fa1bc32d9736d6302f8c6c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(83535) State = 0x592274a558e36dcf5d11088ba56bbac4
(83535) Message-Authenticator = 0xe12affe4dba2b169cdc68ff635c36fb5
(83535) session-state: No cached attributes
(83535) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83535) authorize {
(83535) policy filter_username {
(83535) if (&User-Name) {
(83535) if (&User-Name) -> TRUE
(83535) if (&User-Name) {
(83535) if (&User-Name != "%{tolower:%{User-Name}}") {
(83535) EXPAND %{tolower:%{User-Name}}
(83535) --> host/n65144.mpdft.gov.br
(83535) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83535) if (&User-Name =~ / /) {
(83535) if (&User-Name =~ / /) -> FALSE
(83535) if (&User-Name =~ /@[^@]*@/ ) {
(83535) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83535) if (&User-Name =~ /\.\./ ) {
(83535) if (&User-Name =~ /\.\./ ) -> FALSE
(83535) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83535) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83535) if (&User-Name =~ /\.$/) {
(83535) if (&User-Name =~ /\.$/) -> FALSE
(83535) if (&User-Name =~ /(a)\./) {
(83535) if (&User-Name =~ /(a)\./) -> FALSE
(83535) } # if (&User-Name) = notfound
(83535) } # policy filter_username = notfound
(83535) [preprocess] = ok
(83535) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83535) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83535) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83535) auth_log: EXPAND %t
(83535) auth_log: --> Tue Jun 23 13:47:25 2020
(83535) [auth_log] = ok
(83535) [chap] = noop
(83535) [mschap] = noop
(83535) [digest] = noop
(83535) suffix: Checking for suffix after "@"
(83535) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83535) suffix: No such realm "NULL"
(83535) [suffix] = noop
(83535) eap: Peer sent EAP Response (code 2) ID 193 length 166
(83535) eap: Continuing tunnel setup
(83535) [eap] = ok
(83535) } # authorize = ok
(83535) Found Auth-Type = eap
(83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83535) authenticate {
(83535) eap: Expiring EAP session with state 0x9017180393030136
(83535) eap: Finished EAP session with state 0x592274a558e36dcf
(83535) eap: Previous EAP request found for state 0x592274a558e36dcf, released from the list
(83535) eap: Peer sent packet with method EAP PEAP (25)
(83535) eap: Calling submodule eap_peap to process data
(83535) eap_peap: Continuing EAP-TLS
(83535) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(83535) eap_peap: Got complete TLS record (156 bytes)
(83535) eap_peap: [eaptls verify] = length included
(83535) eap_peap: (other): before SSL initialization
(83535) eap_peap: TLS_accept: before SSL initialization
(83535) eap_peap: TLS_accept: before SSL initialization
(83535) eap_peap: <<< recv TLS 1.2 [length 0097]
(83535) eap_peap: TLS_accept: SSLv3/TLS read client hello
(83535) eap_peap: >>> send TLS 1.2 [length 003d]
(83535) eap_peap: TLS_accept: SSLv3/TLS write server hello
(83535) eap_peap: >>> send TLS 1.2 [length 0309]
(83535) eap_peap: TLS_accept: SSLv3/TLS write certificate
(83535) eap_peap: >>> send TLS 1.2 [length 014d]
(83535) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(83535) eap_peap: >>> send TLS 1.2 [length 0004]
(83535) eap_peap: TLS_accept: SSLv3/TLS write server done
(83535) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(83535) eap_peap: In SSL Handshake Phase
(83535) eap_peap: In SSL Accept mode
(83535) eap_peap: [eaptls process] = handled
(83535) eap: Sending EAP Request (code 1) ID 194 length 1004
(83535) eap: EAP session adding &reply:State = 0x592274a55be06dcf
(83535) [eap] = handled
(83535) } # authenticate = handled
(83535) Using Post-Auth-Type Challenge
(83535) Post-Auth-Type sub-section not found. Ignoring.
(83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83535) Sent Access-Challenge Id 118 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83535) EAP-Message = 0x01c203ec19c0000004ab160303003d0200003903039308bda32e5a82ed478ea55a2e3b34d753ba6e340f36dcfffba42072b5d3038700c030000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(83535) Message-Authenticator = 0x00000000000000000000000000000000
(83535) State = 0x592274a55be06dcf5d11088ba56bbac4
(83535) Finished request
(83536) Received Access-Request Id 119 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83536) User-Name = "host/n65144.mpdft.gov.br"
(83536) NAS-IP-Address = 10.34.177.220
(83536) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83536) NAS-Port-Id = "00000001"
(83536) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83536) NAS-Port-Type = Wireless-802.11
(83536) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83536) Service-Type = Framed-User
(83536) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83536) Connect-Info = "CONNECT 0Mbps 802.11b"
(83536) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83536) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83536) WLAN-Pairwise-Cipher = 1027076
(83536) WLAN-Group-Cipher = 1027076
(83536) WLAN-AKM-Suite = 1027073
(83536) Framed-MTU = 1400
(83536) EAP-Message = 0x02c200061900
(83536) State = 0x592274a55be06dcf5d11088ba56bbac4
(83536) Message-Authenticator = 0x75aeeb98b14c048409007526e8333933
(83536) session-state: No cached attributes
(83536) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83536) authorize {
(83536) policy filter_username {
(83536) if (&User-Name) {
(83536) if (&User-Name) -> TRUE
(83536) if (&User-Name) {
(83536) if (&User-Name != "%{tolower:%{User-Name}}") {
(83536) EXPAND %{tolower:%{User-Name}}
(83536) --> host/n65144.mpdft.gov.br
(83536) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83536) if (&User-Name =~ / /) {
(83536) if (&User-Name =~ / /) -> FALSE
(83536) if (&User-Name =~ /@[^@]*@/ ) {
(83536) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83536) if (&User-Name =~ /\.\./ ) {
(83536) if (&User-Name =~ /\.\./ ) -> FALSE
(83536) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83536) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83536) if (&User-Name =~ /\.$/) {
(83536) if (&User-Name =~ /\.$/) -> FALSE
(83536) if (&User-Name =~ /(a)\./) {
(83536) if (&User-Name =~ /(a)\./) -> FALSE
(83536) } # if (&User-Name) = notfound
(83536) } # policy filter_username = notfound
(83536) [preprocess] = ok
(83536) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83536) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83536) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83536) auth_log: EXPAND %t
(83536) auth_log: --> Tue Jun 23 13:47:25 2020
(83536) [auth_log] = ok
(83536) [chap] = noop
(83536) [mschap] = noop
(83536) [digest] = noop
(83536) suffix: Checking for suffix after "@"
(83536) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83536) suffix: No such realm "NULL"
(83536) [suffix] = noop
(83536) eap: Peer sent EAP Response (code 2) ID 194 length 6
(83536) eap: Continuing tunnel setup
(83536) [eap] = ok
(83536) } # authorize = ok
(83536) Found Auth-Type = eap
(83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83536) authenticate {
(83536) eap: Expiring EAP session with state 0x9017180393030136
(83536) eap: Finished EAP session with state 0x592274a55be06dcf
(83536) eap: Previous EAP request found for state 0x592274a55be06dcf, released from the list
(83536) eap: Peer sent packet with method EAP PEAP (25)
(83536) eap: Calling submodule eap_peap to process data
(83536) eap_peap: Continuing EAP-TLS
(83536) eap_peap: Peer ACKed our handshake fragment
(83536) eap_peap: [eaptls verify] = request
(83536) eap_peap: [eaptls process] = handled
(83536) eap: Sending EAP Request (code 1) ID 195 length 207
(83536) eap: EAP session adding &reply:State = 0x592274a55ae16dcf
(83536) [eap] = handled
(83536) } # authenticate = handled
(83536) Using Post-Auth-Type Challenge
(83536) Post-Auth-Type sub-section not found. Ignoring.
(83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83536) Sent Access-Challenge Id 119 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83536) EAP-Message = 0x01c300cf19003adad27975fdfa785ffac44ee108d8838b13e1123beab2b8798afd3e35cd995637b894ae0e18112d45144eba479ff30dc4e993ff3f295c8c064c8d46e7e064f5730fc35330cdfec07f886298dba50e9d2d2aaa6aac6198571a6155afbbdc35ebcd32d90dc658f48e3a273e031294d34abf
(83536) Message-Authenticator = 0x00000000000000000000000000000000
(83536) State = 0x592274a55ae16dcf5d11088ba56bbac4
(83536) Finished request
(83537) Received Access-Request Id 120 from 10.34.177.220:37268 to 10.34.242.3:1812 length 421
(83537) User-Name = "host/n65144.mpdft.gov.br"
(83537) NAS-IP-Address = 10.34.177.220
(83537) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83537) NAS-Port-Id = "00000001"
(83537) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83537) NAS-Port-Type = Wireless-802.11
(83537) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83537) Service-Type = Framed-User
(83537) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83537) Connect-Info = "CONNECT 0Mbps 802.11b"
(83537) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83537) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83537) WLAN-Pairwise-Cipher = 1027076
(83537) WLAN-Group-Cipher = 1027076
(83537) WLAN-AKM-Suite = 1027073
(83537) Framed-MTU = 1400
(83537) EAP-Message = 0x02c3008819800000007e1603030046100000424104ca73327a1aa86d548f1bab867288bf53e4bb907e877b520127d42986a20dc91111d47d38caadab01d14914ea7fecb7f982b3ad50f1706ca7ac7508604badfa501403030001011603030028000000000000000074fe6c972b1cbfe176c9161a99d6ee
(83537) State = 0x592274a55ae16dcf5d11088ba56bbac4
(83537) Message-Authenticator = 0x13188abc81665fe76a84d5ae53be2694
(83537) session-state: No cached attributes
(83537) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83537) authorize {
(83537) policy filter_username {
(83537) if (&User-Name) {
(83537) if (&User-Name) -> TRUE
(83537) if (&User-Name) {
(83537) if (&User-Name != "%{tolower:%{User-Name}}") {
(83537) EXPAND %{tolower:%{User-Name}}
(83537) --> host/n65144.mpdft.gov.br
(83537) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83537) if (&User-Name =~ / /) {
(83537) if (&User-Name =~ / /) -> FALSE
(83537) if (&User-Name =~ /@[^@]*@/ ) {
(83537) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83537) if (&User-Name =~ /\.\./ ) {
(83537) if (&User-Name =~ /\.\./ ) -> FALSE
(83537) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83537) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83537) if (&User-Name =~ /\.$/) {
(83537) if (&User-Name =~ /\.$/) -> FALSE
(83537) if (&User-Name =~ /(a)\./) {
(83537) if (&User-Name =~ /(a)\./) -> FALSE
(83537) } # if (&User-Name) = notfound
(83537) } # policy filter_username = notfound
(83537) [preprocess] = ok
(83537) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83537) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83537) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83537) auth_log: EXPAND %t
(83537) auth_log: --> Tue Jun 23 13:47:25 2020
(83537) [auth_log] = ok
(83537) [chap] = noop
(83537) [mschap] = noop
(83537) [digest] = noop
(83537) suffix: Checking for suffix after "@"
(83537) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83537) suffix: No such realm "NULL"
(83537) [suffix] = noop
(83537) eap: Peer sent EAP Response (code 2) ID 195 length 136
(83537) eap: Continuing tunnel setup
(83537) [eap] = ok
(83537) } # authorize = ok
(83537) Found Auth-Type = eap
(83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83537) authenticate {
(83537) eap: Expiring EAP session with state 0x9017180393030136
(83537) eap: Finished EAP session with state 0x592274a55ae16dcf
(83537) eap: Previous EAP request found for state 0x592274a55ae16dcf, released from the list
(83537) eap: Peer sent packet with method EAP PEAP (25)
(83537) eap: Calling submodule eap_peap to process data
(83537) eap_peap: Continuing EAP-TLS
(83537) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(83537) eap_peap: Got complete TLS record (126 bytes)
(83537) eap_peap: [eaptls verify] = length included
(83537) eap_peap: TLS_accept: SSLv3/TLS write server done
(83537) eap_peap: <<< recv TLS 1.2 [length 0046]
(83537) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(83537) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(83537) eap_peap: <<< recv TLS 1.2 [length 0010]
(83537) eap_peap: TLS_accept: SSLv3/TLS read finished
(83537) eap_peap: >>> send TLS 1.2 [length 0001]
(83537) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(83537) eap_peap: >>> send TLS 1.2 [length 0010]
(83537) eap_peap: TLS_accept: SSLv3/TLS write finished
(83537) eap_peap: (other): SSL negotiation finished successfully
(83537) eap_peap: SSL Connection Established
(83537) eap_peap: [eaptls process] = handled
(83537) eap: Sending EAP Request (code 1) ID 196 length 57
(83537) eap: EAP session adding &reply:State = 0x592274a55de66dcf
(83537) [eap] = handled
(83537) } # authenticate = handled
(83537) Using Post-Auth-Type Challenge
(83537) Post-Auth-Type sub-section not found. Ignoring.
(83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83537) Sent Access-Challenge Id 120 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83537) EAP-Message = 0x01c4003919001403030001011603030028fb13cb712244c06c9b03a1b435796e337e52fd31841ccd87539254fce0bde1743fdf2c63be546af0
(83537) Message-Authenticator = 0x00000000000000000000000000000000
(83537) State = 0x592274a55de66dcf5d11088ba56bbac4
(83537) Finished request
(83538) Received Access-Request Id 121 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83538) User-Name = "host/n65144.mpdft.gov.br"
(83538) NAS-IP-Address = 10.34.177.220
(83538) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83538) NAS-Port-Id = "00000001"
(83538) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83538) NAS-Port-Type = Wireless-802.11
(83538) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83538) Service-Type = Framed-User
(83538) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83538) Connect-Info = "CONNECT 0Mbps 802.11b"
(83538) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83538) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83538) WLAN-Pairwise-Cipher = 1027076
(83538) WLAN-Group-Cipher = 1027076
(83538) WLAN-AKM-Suite = 1027073
(83538) Framed-MTU = 1400
(83538) EAP-Message = 0x02c400061900
(83538) State = 0x592274a55de66dcf5d11088ba56bbac4
(83538) Message-Authenticator = 0x039c283f11ffbfe1b00e0453467c8cea
(83538) session-state: No cached attributes
(83538) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83538) authorize {
(83538) policy filter_username {
(83538) if (&User-Name) {
(83538) if (&User-Name) -> TRUE
(83538) if (&User-Name) {
(83538) if (&User-Name != "%{tolower:%{User-Name}}") {
(83538) EXPAND %{tolower:%{User-Name}}
(83538) --> host/n65144.mpdft.gov.br
(83538) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83538) if (&User-Name =~ / /) {
(83538) if (&User-Name =~ / /) -> FALSE
(83538) if (&User-Name =~ /@[^@]*@/ ) {
(83538) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83538) if (&User-Name =~ /\.\./ ) {
(83538) if (&User-Name =~ /\.\./ ) -> FALSE
(83538) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83538) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83538) if (&User-Name =~ /\.$/) {
(83538) if (&User-Name =~ /\.$/) -> FALSE
(83538) if (&User-Name =~ /(a)\./) {
(83538) if (&User-Name =~ /(a)\./) -> FALSE
(83538) } # if (&User-Name) = notfound
(83538) } # policy filter_username = notfound
(83538) [preprocess] = ok
(83538) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83538) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83538) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83538) auth_log: EXPAND %t
(83538) auth_log: --> Tue Jun 23 13:47:25 2020
(83538) [auth_log] = ok
(83538) [chap] = noop
(83538) [mschap] = noop
(83538) [digest] = noop
(83538) suffix: Checking for suffix after "@"
(83538) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83538) suffix: No such realm "NULL"
(83538) [suffix] = noop
(83538) eap: Peer sent EAP Response (code 2) ID 196 length 6
(83538) eap: Continuing tunnel setup
(83538) [eap] = ok
(83538) } # authorize = ok
(83538) Found Auth-Type = eap
(83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83538) authenticate {
(83538) eap: Expiring EAP session with state 0x9017180393030136
(83538) eap: Finished EAP session with state 0x592274a55de66dcf
(83538) eap: Previous EAP request found for state 0x592274a55de66dcf, released from the list
(83538) eap: Peer sent packet with method EAP PEAP (25)
(83538) eap: Calling submodule eap_peap to process data
(83538) eap_peap: Continuing EAP-TLS
(83538) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(83538) eap_peap: [eaptls verify] = success
(83538) eap_peap: [eaptls process] = success
(83538) eap_peap: Session established. Decoding tunneled attributes
(83538) eap_peap: PEAP state TUNNEL ESTABLISHED
(83538) eap: Sending EAP Request (code 1) ID 197 length 40
(83538) eap: EAP session adding &reply:State = 0x592274a55ce76dcf
(83538) [eap] = handled
(83538) } # authenticate = handled
(83538) Using Post-Auth-Type Challenge
(83538) Post-Auth-Type sub-section not found. Ignoring.
(83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83538) Sent Access-Challenge Id 121 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83538) EAP-Message = 0x01c500281900170303001dfb13cb712244c06dd3b3319eda935797571c500deb4e259f6c76c7fd82
(83538) Message-Authenticator = 0x00000000000000000000000000000000
(83538) State = 0x592274a55ce76dcf5d11088ba56bbac4
(83538) Finished request
(83539) Received Access-Request Id 122 from 10.34.177.220:37268 to 10.34.242.3:1812 length 345
(83539) User-Name = "host/n65144.mpdft.gov.br"
(83539) NAS-IP-Address = 10.34.177.220
(83539) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83539) NAS-Port-Id = "00000001"
(83539) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83539) NAS-Port-Type = Wireless-802.11
(83539) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83539) Service-Type = Framed-User
(83539) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83539) Connect-Info = "CONNECT 0Mbps 802.11b"
(83539) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83539) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83539) WLAN-Pairwise-Cipher = 1027076
(83539) WLAN-Group-Cipher = 1027076
(83539) WLAN-AKM-Suite = 1027073
(83539) Framed-MTU = 1400
(83539) EAP-Message = 0x02c5003c1900170303003100000000000000019e684626cfe0b3f0d0437b3374b0ca4957085fe2da28a7496a052aa8648f75adddf043780ba025962c
(83539) State = 0x592274a55ce76dcf5d11088ba56bbac4
(83539) Message-Authenticator = 0xd669040d031f113bf06fc26177e7970f
(83539) session-state: No cached attributes
(83539) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83539) authorize {
(83539) policy filter_username {
(83539) if (&User-Name) {
(83539) if (&User-Name) -> TRUE
(83539) if (&User-Name) {
(83539) if (&User-Name != "%{tolower:%{User-Name}}") {
(83539) EXPAND %{tolower:%{User-Name}}
(83539) --> host/n65144.mpdft.gov.br
(83539) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83539) if (&User-Name =~ / /) {
(83539) if (&User-Name =~ / /) -> FALSE
(83539) if (&User-Name =~ /@[^@]*@/ ) {
(83539) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83539) if (&User-Name =~ /\.\./ ) {
(83539) if (&User-Name =~ /\.\./ ) -> FALSE
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83539) if (&User-Name =~ /\.$/) {
(83539) if (&User-Name =~ /\.$/) -> FALSE
(83539) if (&User-Name =~ /(a)\./) {
(83539) if (&User-Name =~ /(a)\./) -> FALSE
(83539) } # if (&User-Name) = notfound
(83539) } # policy filter_username = notfound
(83539) [preprocess] = ok
(83539) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83539) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83539) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83539) auth_log: EXPAND %t
(83539) auth_log: --> Tue Jun 23 13:47:25 2020
(83539) [auth_log] = ok
(83539) [chap] = noop
(83539) [mschap] = noop
(83539) [digest] = noop
(83539) suffix: Checking for suffix after "@"
(83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83539) suffix: No such realm "NULL"
(83539) [suffix] = noop
(83539) eap: Peer sent EAP Response (code 2) ID 197 length 60
(83539) eap: Continuing tunnel setup
(83539) [eap] = ok
(83539) } # authorize = ok
(83539) Found Auth-Type = eap
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83539) authenticate {
(83539) eap: Expiring EAP session with state 0x9017180393030136
(83539) eap: Finished EAP session with state 0x592274a55ce76dcf
(83539) eap: Previous EAP request found for state 0x592274a55ce76dcf, released from the list
(83539) eap: Peer sent packet with method EAP PEAP (25)
(83539) eap: Calling submodule eap_peap to process data
(83539) eap_peap: Continuing EAP-TLS
(83539) eap_peap: [eaptls verify] = ok
(83539) eap_peap: Done initial handshake
(83539) eap_peap: [eaptls process] = ok
(83539) eap_peap: Session established. Decoding tunneled attributes
(83539) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(83539) eap_peap: Identity - host/n65144.mpdft.gov.br
(83539) eap_peap: Got inner identity 'host/n65144.mpdft.gov.br'
(83539) eap_peap: Setting default EAP type for tunneled EAP session
(83539) eap_peap: Got tunneled request
(83539) eap_peap: EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83539) eap_peap: Sending tunneled request to inner-tunnel
(83539) eap_peap: EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(83539) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83539) Virtual server inner-tunnel received request
(83539) EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) FreeRADIUS-Proxied-To = 127.0.0.1
(83539) User-Name = "host/n65144.mpdft.gov.br"
(83539) WARNING: Outer and inner identities are the same. User privacy is compromised.
(83539) server inner-tunnel {
(83539) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83539) authorize {
(83539) policy filter_username {
(83539) if (&User-Name) {
(83539) if (&User-Name) -> TRUE
(83539) if (&User-Name) {
(83539) if (&User-Name != "%{tolower:%{User-Name}}") {
(83539) EXPAND %{tolower:%{User-Name}}
(83539) --> host/n65144.mpdft.gov.br
(83539) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83539) if (&User-Name =~ / /) {
(83539) if (&User-Name =~ / /) -> FALSE
(83539) if (&User-Name =~ /@[^@]*@/ ) {
(83539) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83539) if (&User-Name =~ /\.\./ ) {
(83539) if (&User-Name =~ /\.\./ ) -> FALSE
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83539) if (&User-Name =~ /\.$/) {
(83539) if (&User-Name =~ /\.$/) -> FALSE
(83539) if (&User-Name =~ /(a)\./) {
(83539) if (&User-Name =~ /(a)\./) -> FALSE
(83539) } # if (&User-Name) = notfound
(83539) } # policy filter_username = notfound
(83539) [chap] = noop
(83539) [mschap] = noop
(83539) suffix: Checking for suffix after "@"
(83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83539) suffix: No such realm "NULL"
(83539) [suffix] = noop
(83539) update control {
(83539) &Proxy-To-Realm := LOCAL
(83539) } # update control = noop
(83539) eap: Peer sent EAP Response (code 2) ID 197 length 29
(83539) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(83539) [eap] = ok
(83539) } # authorize = ok
(83539) Found Auth-Type = eap
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83539) authenticate {
(83539) eap: Peer sent packet with method EAP Identity (1)
(83539) eap: Calling submodule eap_mschapv2 to process data
(83539) eap_mschapv2: Issuing Challenge
(83539) eap: Sending EAP Request (code 1) ID 198 length 43
(83539) eap: EAP session adding &reply:State = 0x3abf883e3a79928a
(83539) [eap] = handled
(83539) } # authenticate = handled
(83539) } # server inner-tunnel
(83539) Virtual server sending reply
(83539) EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) Message-Authenticator = 0x00000000000000000000000000000000
(83539) State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled reply code 11
(83539) eap_peap: EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83539) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled reply RADIUS code 11
(83539) eap_peap: EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83539) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled Access-Challenge
(83539) eap: Sending EAP Request (code 1) ID 198 length 74
(83539) eap: EAP session adding &reply:State = 0x592274a55fe46dcf
(83539) [eap] = handled
(83539) } # authenticate = handled
(83539) Using Post-Auth-Type Challenge
(83539) Post-Auth-Type sub-section not found. Ignoring.
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83539) Sent Access-Challenge Id 122 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83539) EAP-Message = 0x01c6004a1900170303003ffb13cb712244c06e54a5366995c39bdc1107aafc963bcbefefa5912d6b2b1ae5eb5108197757709c9aae011a2ddbf372662fc09dd88087fb1e9bb0f2978db4
(83539) Message-Authenticator = 0x00000000000000000000000000000000
(83539) State = 0x592274a55fe46dcf5d11088ba56bbac4
(83539) Finished request
(83540) Received Access-Request Id 123 from 10.34.177.220:37268 to 10.34.242.3:1812 length 399
(83540) User-Name = "host/n65144.mpdft.gov.br"
(83540) NAS-IP-Address = 10.34.177.220
(83540) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83540) NAS-Port-Id = "00000001"
(83540) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83540) NAS-Port-Type = Wireless-802.11
(83540) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83540) Service-Type = Framed-User
(83540) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83540) Connect-Info = "CONNECT 0Mbps 802.11b"
(83540) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83540) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83540) WLAN-Pairwise-Cipher = 1027076
(83540) WLAN-Group-Cipher = 1027076
(83540) WLAN-AKM-Suite = 1027073
(83540) Framed-MTU = 1400
(83540) EAP-Message = 0x02c600721900170303006700000000000000021552c7414a6fe33963587194385413497356adaccb7d04280027aee00ff540e05eed36464f01c0e63d44edf60788f9e825b052378b1c052d4cd743622358e5780eade74a4113b0ac7efc5a15f9a5af8688350db96638d52ca7c4b4b1645a0a
(83540) State = 0x592274a55fe46dcf5d11088ba56bbac4
(83540) Message-Authenticator = 0x66ccd547f1f593cdda006e7b27c1d398
(83540) session-state: No cached attributes
(83540) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83540) authorize {
(83540) policy filter_username {
(83540) if (&User-Name) {
(83540) if (&User-Name) -> TRUE
(83540) if (&User-Name) {
(83540) if (&User-Name != "%{tolower:%{User-Name}}") {
(83540) EXPAND %{tolower:%{User-Name}}
(83540) --> host/n65144.mpdft.gov.br
(83540) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83540) if (&User-Name =~ / /) {
(83540) if (&User-Name =~ / /) -> FALSE
(83540) if (&User-Name =~ /@[^@]*@/ ) {
(83540) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83540) if (&User-Name =~ /\.\./ ) {
(83540) if (&User-Name =~ /\.\./ ) -> FALSE
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83540) if (&User-Name =~ /\.$/) {
(83540) if (&User-Name =~ /\.$/) -> FALSE
(83540) if (&User-Name =~ /(a)\./) {
(83540) if (&User-Name =~ /(a)\./) -> FALSE
(83540) } # if (&User-Name) = notfound
(83540) } # policy filter_username = notfound
(83540) [preprocess] = ok
(83540) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83540) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83540) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83540) auth_log: EXPAND %t
(83540) auth_log: --> Tue Jun 23 13:47:25 2020
(83540) [auth_log] = ok
(83540) [chap] = noop
(83540) [mschap] = noop
(83540) [digest] = noop
(83540) suffix: Checking for suffix after "@"
(83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83540) suffix: No such realm "NULL"
(83540) [suffix] = noop
(83540) eap: Peer sent EAP Response (code 2) ID 198 length 114
(83540) eap: Continuing tunnel setup
(83540) [eap] = ok
(83540) } # authorize = ok
(83540) Found Auth-Type = eap
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83540) authenticate {
(83540) eap: Expiring EAP session with state 0x9017180393030136
(83540) eap: Finished EAP session with state 0x592274a55fe46dcf
(83540) eap: Previous EAP request found for state 0x592274a55fe46dcf, released from the list
(83540) eap: Peer sent packet with method EAP PEAP (25)
(83540) eap: Calling submodule eap_peap to process data
(83540) eap_peap: Continuing EAP-TLS
(83540) eap_peap: [eaptls verify] = ok
(83540) eap_peap: Done initial handshake
(83540) eap_peap: [eaptls process] = ok
(83540) eap_peap: Session established. Decoding tunneled attributes
(83540) eap_peap: PEAP state phase2
(83540) eap_peap: EAP method MSCHAPv2 (26)
(83540) eap_peap: Got tunneled request
(83540) eap_peap: EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83540) eap_peap: Sending tunneled request to inner-tunnel
(83540) eap_peap: EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(83540) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83540) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09
(83540) Virtual server inner-tunnel received request
(83540) EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) FreeRADIUS-Proxied-To = 127.0.0.1
(83540) User-Name = "host/n65144.mpdft.gov.br"
(83540) State = 0x3abf883e3a79928a4508626b4c893c09
(83540) WARNING: Outer and inner identities are the same. User privacy is compromised.
(83540) server inner-tunnel {
(83540) session-state: No cached attributes
(83540) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540) authorize {
(83540) policy filter_username {
(83540) if (&User-Name) {
(83540) if (&User-Name) -> TRUE
(83540) if (&User-Name) {
(83540) if (&User-Name != "%{tolower:%{User-Name}}") {
(83540) EXPAND %{tolower:%{User-Name}}
(83540) --> host/n65144.mpdft.gov.br
(83540) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83540) if (&User-Name =~ / /) {
(83540) if (&User-Name =~ / /) -> FALSE
(83540) if (&User-Name =~ /@[^@]*@/ ) {
(83540) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83540) if (&User-Name =~ /\.\./ ) {
(83540) if (&User-Name =~ /\.\./ ) -> FALSE
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83540) if (&User-Name =~ /\.$/) {
(83540) if (&User-Name =~ /\.$/) -> FALSE
(83540) if (&User-Name =~ /(a)\./) {
(83540) if (&User-Name =~ /(a)\./) -> FALSE
(83540) } # if (&User-Name) = notfound
(83540) } # policy filter_username = notfound
(83540) [chap] = noop
(83540) [mschap] = noop
(83540) suffix: Checking for suffix after "@"
(83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83540) suffix: No such realm "NULL"
(83540) [suffix] = noop
(83540) update control {
(83540) &Proxy-To-Realm := LOCAL
(83540) } # update control = noop
(83540) eap: Peer sent EAP Response (code 2) ID 198 length 83
(83540) eap: No EAP Start, assuming it's an on-going EAP conversation
(83540) [eap] = updated
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) [files] = noop
(83540) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83540) sql: --> host/n65144.mpdft.gov.br
(83540) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83540) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83540) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83540) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83540) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83540) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83540) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83540) sql: User not found in any groups
(83540) [sql] = notfound
(83540) [expiration] = noop
(83540) [logintime] = noop
(83540) [pap] = noop
(83540) } # authorize = updated
(83540) Found Auth-Type = eap
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540) authenticate {
(83540) eap: Expiring EAP session with state 0x9017180393030136
(83540) eap: Finished EAP session with state 0x3abf883e3a79928a
(83540) eap: Previous EAP request found for state 0x3abf883e3a79928a, released from the list
(83540) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(83540) eap: Calling submodule eap_mschapv2 to process data
(83540) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540) eap_mschapv2: authenticate {
(83540) mschap: Creating challenge hash with username: host/n65144.mpdft.gov.br
(83540) mschap: Client is using MS-CHAPv2
(83540) mschap: EXPAND %{mschap:User-Name}
(83540) mschap: --> n65144$
(83540) mschap: EXPAND %{mschap:NT-Domain}
(83540) mschap: --> mpdft
(83540) mschap: sending authentication request user='n65144$' domain='mpdft'
(83540) mschap: Authenticated successfully
(83540) mschap: Adding MS-CHAPv2 MPPE keys
(83540) [mschap] = ok
(83540) } # authenticate = ok
(83540) MSCHAP Success
(83540) eap: Sending EAP Request (code 1) ID 199 length 51
(83540) eap: EAP session adding &reply:State = 0x3abf883e3b78928a
(83540) [eap] = handled
(83540) } # authenticate = handled
(83540) } # server inner-tunnel
(83540) Virtual server sending reply
(83540) EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) Message-Authenticator = 0x00000000000000000000000000000000
(83540) State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled reply code 11
(83540) eap_peap: EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83540) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled reply RADIUS code 11
(83540) eap_peap: EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83540) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled Access-Challenge
(83540) eap: Sending EAP Request (code 1) ID 199 length 82
(83540) eap: EAP session adding &reply:State = 0x592274a55ee56dcf
(83540) [eap] = handled
(83540) } # authenticate = handled
(83540) Using Post-Auth-Type Challenge
(83540) Post-Auth-Type sub-section not found. Ignoring.
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83540) Sent Access-Challenge Id 123 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83540) EAP-Message = 0x01c7005219001703030047fb13cb712244c06fb9349c1a922348d032aa6f4c23c7d2f5143a72f99f00383819d97b9eb2ede7a3a9837f7deac267f4c81c6172bb7f9a4aae783a922eb875456f78c2ade1a752
(83540) Message-Authenticator = 0x00000000000000000000000000000000
(83540) State = 0x592274a55ee56dcf5d11088ba56bbac4
(83540) Finished request
(83541) Received Access-Request Id 124 from 10.34.177.220:37268 to 10.34.242.3:1812 length 322
(83541) User-Name = "host/n65144.mpdft.gov.br"
(83541) NAS-IP-Address = 10.34.177.220
(83541) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83541) NAS-Port-Id = "00000001"
(83541) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83541) NAS-Port-Type = Wireless-802.11
(83541) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83541) Service-Type = Framed-User
(83541) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83541) Connect-Info = "CONNECT 0Mbps 802.11b"
(83541) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83541) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83541) WLAN-Pairwise-Cipher = 1027076
(83541) WLAN-Group-Cipher = 1027076
(83541) WLAN-AKM-Suite = 1027073
(83541) Framed-MTU = 1400
(83541) EAP-Message = 0x02c700251900170303001a0000000000000003331ad865b28d977d1e131e3443c76ac7ba97
(83541) State = 0x592274a55ee56dcf5d11088ba56bbac4
(83541) Message-Authenticator = 0x57e05acff1a9e398d34e97b0934830a6
(83541) session-state: No cached attributes
(83541) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83541) authorize {
(83541) policy filter_username {
(83541) if (&User-Name) {
(83541) if (&User-Name) -> TRUE
(83541) if (&User-Name) {
(83541) if (&User-Name != "%{tolower:%{User-Name}}") {
(83541) EXPAND %{tolower:%{User-Name}}
(83541) --> host/n65144.mpdft.gov.br
(83541) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83541) if (&User-Name =~ / /) {
(83541) if (&User-Name =~ / /) -> FALSE
(83541) if (&User-Name =~ /@[^@]*@/ ) {
(83541) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83541) if (&User-Name =~ /\.\./ ) {
(83541) if (&User-Name =~ /\.\./ ) -> FALSE
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83541) if (&User-Name =~ /\.$/) {
(83541) if (&User-Name =~ /\.$/) -> FALSE
(83541) if (&User-Name =~ /(a)\./) {
(83541) if (&User-Name =~ /(a)\./) -> FALSE
(83541) } # if (&User-Name) = notfound
(83541) } # policy filter_username = notfound
(83541) [preprocess] = ok
(83541) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83541) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83541) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83541) auth_log: EXPAND %t
(83541) auth_log: --> Tue Jun 23 13:47:25 2020
(83541) [auth_log] = ok
(83541) [chap] = noop
(83541) [mschap] = noop
(83541) [digest] = noop
(83541) suffix: Checking for suffix after "@"
(83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83541) suffix: No such realm "NULL"
(83541) [suffix] = noop
(83541) eap: Peer sent EAP Response (code 2) ID 199 length 37
(83541) eap: Continuing tunnel setup
(83541) [eap] = ok
(83541) } # authorize = ok
(83541) Found Auth-Type = eap
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83541) authenticate {
(83541) eap: Expiring EAP session with state 0x9017180393030136
(83541) eap: Finished EAP session with state 0x592274a55ee56dcf
(83541) eap: Previous EAP request found for state 0x592274a55ee56dcf, released from the list
(83541) eap: Peer sent packet with method EAP PEAP (25)
(83541) eap: Calling submodule eap_peap to process data
(83541) eap_peap: Continuing EAP-TLS
(83541) eap_peap: [eaptls verify] = ok
(83541) eap_peap: Done initial handshake
(83541) eap_peap: [eaptls process] = ok
(83541) eap_peap: Session established. Decoding tunneled attributes
(83541) eap_peap: PEAP state phase2
(83541) eap_peap: EAP method MSCHAPv2 (26)
(83541) eap_peap: Got tunneled request
(83541) eap_peap: EAP-Message = 0x02c700061a03
(83541) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83541) eap_peap: Sending tunneled request to inner-tunnel
(83541) eap_peap: EAP-Message = 0x02c700061a03
(83541) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09
(83541) Virtual server inner-tunnel received request
(83541) EAP-Message = 0x02c700061a03
(83541) FreeRADIUS-Proxied-To = 127.0.0.1
(83541) User-Name = "host/n65144.mpdft.gov.br"
(83541) State = 0x3abf883e3b78928a4508626b4c893c09
(83541) WARNING: Outer and inner identities are the same. User privacy is compromised.
(83541) server inner-tunnel {
(83541) session-state: No cached attributes
(83541) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541) authorize {
(83541) policy filter_username {
(83541) if (&User-Name) {
(83541) if (&User-Name) -> TRUE
(83541) if (&User-Name) {
(83541) if (&User-Name != "%{tolower:%{User-Name}}") {
(83541) EXPAND %{tolower:%{User-Name}}
(83541) --> host/n65144.mpdft.gov.br
(83541) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83541) if (&User-Name =~ / /) {
(83541) if (&User-Name =~ / /) -> FALSE
(83541) if (&User-Name =~ /@[^@]*@/ ) {
(83541) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83541) if (&User-Name =~ /\.\./ ) {
(83541) if (&User-Name =~ /\.\./ ) -> FALSE
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83541) if (&User-Name =~ /\.$/) {
(83541) if (&User-Name =~ /\.$/) -> FALSE
(83541) if (&User-Name =~ /(a)\./) {
(83541) if (&User-Name =~ /(a)\./) -> FALSE
(83541) } # if (&User-Name) = notfound
(83541) } # policy filter_username = notfound
(83541) [chap] = noop
(83541) [mschap] = noop
(83541) suffix: Checking for suffix after "@"
(83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83541) suffix: No such realm "NULL"
(83541) [suffix] = noop
(83541) update control {
(83541) &Proxy-To-Realm := LOCAL
(83541) } # update control = noop
(83541) eap: Peer sent EAP Response (code 2) ID 199 length 6
(83541) eap: No EAP Start, assuming it's an on-going EAP conversation
(83541) [eap] = updated
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) [files] = noop
(83541) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83541) sql: --> host/n65144.mpdft.gov.br
(83541) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83541) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83541) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83541) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83541) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83541) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83541) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83541) sql: User not found in any groups
(83541) [sql] = notfound
(83541) [expiration] = noop
(83541) [logintime] = noop
(83541) [pap] = noop
(83541) } # authorize = updated
(83541) Found Auth-Type = eap
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541) authenticate {
(83541) eap: Expiring EAP session with state 0x9017180393030136
(83541) eap: Finished EAP session with state 0x3abf883e3b78928a
(83541) eap: Previous EAP request found for state 0x3abf883e3b78928a, released from the list
(83541) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(83541) eap: Calling submodule eap_mschapv2 to process data
(83541) eap: Sending EAP Success (code 3) ID 199 length 4
(83541) eap: Freeing handler
(83541) [eap] = ok
(83541) } # authenticate = ok
(83541) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541) post-auth {
(83541) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(83541) reply_log: --> /var/log/freeradius/radacct/10.34.177.220/reply-detail
(83541) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.177.220/reply-detail
(83541) reply_log: EXPAND %t
(83541) reply_log: --> Tue Jun 23 13:47:25 2020
(83541) [reply_log] = ok
(83541) } # post-auth = ok
(83541) Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 via TLS tunnel)
(83541) } # server inner-tunnel
(83541) Virtual server sending reply
(83541) MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) EAP-Message = 0x03c70004
(83541) Message-Authenticator = 0x00000000000000000000000000000000
(83541) User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Got tunneled reply code 2
(83541) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) eap_peap: MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) eap_peap: MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) eap_peap: EAP-Message = 0x03c70004
(83541) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Got tunneled reply RADIUS code 2
(83541) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) eap_peap: MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) eap_peap: MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) eap_peap: EAP-Message = 0x03c70004
(83541) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Tunneled authentication was successful
(83541) eap_peap: SUCCESS
(83541) eap: Sending EAP Request (code 1) ID 200 length 46
(83541) eap: EAP session adding &reply:State = 0x592274a551ea6dcf
(83541) [eap] = handled
(83541) } # authenticate = handled
(83541) Using Post-Auth-Type Challenge
(83541) Post-Auth-Type sub-section not found. Ignoring.
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83541) Sent Access-Challenge Id 124 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83541) EAP-Message = 0x01c8002e19001703030023fb13cb712244c0706e6e84e2592d8fff1bee7760032145bba442c608ceedd4c750c687
(83541) Message-Authenticator = 0x00000000000000000000000000000000
(83541) State = 0x592274a551ea6dcf5d11088ba56bbac4
(83541) Finished request
(83542) Received Access-Request Id 125 from 10.34.177.220:37268 to 10.34.242.3:1812 length 331
(83542) User-Name = "host/n65144.mpdft.gov.br"
(83542) NAS-IP-Address = 10.34.177.220
(83542) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83542) NAS-Port-Id = "00000001"
(83542) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83542) NAS-Port-Type = Wireless-802.11
(83542) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83542) Service-Type = Framed-User
(83542) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83542) Connect-Info = "CONNECT 0Mbps 802.11b"
(83542) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83542) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83542) WLAN-Pairwise-Cipher = 1027076
(83542) WLAN-Group-Cipher = 1027076
(83542) WLAN-AKM-Suite = 1027073
(83542) Framed-MTU = 1400
(83542) EAP-Message = 0x02c8002e190017030300230000000000000004db3dc05d0228ead2f3ceaf6f5db445f3463c81d6f596111a7e908d
(83542) State = 0x592274a551ea6dcf5d11088ba56bbac4
(83542) Message-Authenticator = 0xb85792e60ceecbb66116afddc05d25c5
(83542) session-state: No cached attributes
(83542) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83542) authorize {
(83542) policy filter_username {
(83542) if (&User-Name) {
(83542) if (&User-Name) -> TRUE
(83542) if (&User-Name) {
(83542) if (&User-Name != "%{tolower:%{User-Name}}") {
(83542) EXPAND %{tolower:%{User-Name}}
(83542) --> host/n65144.mpdft.gov.br
(83542) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83542) if (&User-Name =~ / /) {
(83542) if (&User-Name =~ / /) -> FALSE
(83542) if (&User-Name =~ /@[^@]*@/ ) {
(83542) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83542) if (&User-Name =~ /\.\./ ) {
(83542) if (&User-Name =~ /\.\./ ) -> FALSE
(83542) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(83542) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(83542) if (&User-Name =~ /\.$/) {
(83542) if (&User-Name =~ /\.$/) -> FALSE
(83542) if (&User-Name =~ /(a)\./) {
(83542) if (&User-Name =~ /(a)\./) -> FALSE
(83542) } # if (&User-Name) = notfound
(83542) } # policy filter_username = notfound
(83542) [preprocess] = ok
(83542) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83542) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83542) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83542) auth_log: EXPAND %t
(83542) auth_log: --> Tue Jun 23 13:47:25 2020
(83542) [auth_log] = ok
(83542) [chap] = noop
(83542) [mschap] = noop
(83542) [digest] = noop
(83542) suffix: Checking for suffix after "@"
(83542) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83542) suffix: No such realm "NULL"
(83542) [suffix] = noop
(83542) eap: Peer sent EAP Response (code 2) ID 200 length 46
(83542) eap: Continuing tunnel setup
(83542) [eap] = ok
(83542) } # authorize = ok
(83542) Found Auth-Type = eap
(83542) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83542) authenticate {
(83542) eap: Expiring EAP session with state 0x9017180393030136
(83542) eap: Finished EAP session with state 0x592274a551ea6dcf
(83542) eap: Previous EAP request found for state 0x592274a551ea6dcf, released from the list
(83542) eap: Peer sent packet with method EAP PEAP (25)
(83542) eap: Calling submodule eap_peap to process data
(83542) eap_peap: Continuing EAP-TLS
(83542) eap_peap: [eaptls verify] = ok
(83542) eap_peap: Done initial handshake
(83542) eap_peap: [eaptls process] = ok
(83542) eap_peap: Session established. Decoding tunneled attributes
(83542) eap_peap: PEAP state send tlv success
(83542) eap_peap: Received EAP-TLV response
(83542) eap_peap: Success
(83542) eap: Sending EAP Success (code 3) ID 200 length 4
(83542) eap: Freeing handler
(83542) [eap] = ok
(83542) } # authenticate = ok
(83542) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(83542) post-auth {
(83542) update {
(83542) No attributes updated
(83542) } # update = noop
(83542) sql: EXPAND .query
(83542) sql: --> .query
(83542) sql: Using query template 'query'
(83542) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83542) sql: --> host/n65144.mpdft.gov.br
(83542) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83542) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))
(83542) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844))
(83542) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844))
(83542) sql: SQL query returned: success
(83542) sql: 1 record(s) updated
(83542) [sql] = ok
(83542) [exec] = noop
(83542) policy remove_reply_message_if_eap {
(83542) if (&reply:EAP-Message && &reply:Reply-Message) {
(83542) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(83542) else {
(83542) [noop] = noop
(83542) } # else = noop
(83542) } # policy remove_reply_message_if_eap = noop
(83542) } # post-auth = ok
(83542) Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 cli 5C-C9-D3-7C-98-79)
(83542) Sent Access-Accept Id 125 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83542) MS-MPPE-Recv-Key = 0xc67d0eee420d607c416ac6b9c783634d1566c5980653e2416d115bd4d80e7ad0
(83542) MS-MPPE-Send-Key = 0xc2093b112098bd8a87cc2799b7cfbabf4a04e544efac9655d813d5cd83885a26
(83542) EAP-Message = 0x03c80004
(83542) Message-Authenticator = 0x00000000000000000000000000000000
(83542) User-Name = "host/n65144.mpdft.gov.br"
(83542) Finished request
(83565) Received Accounting-Request Id 126 from 10.34.177.220:34685 to 10.34.242.3:1813 length 265
(83565) Acct-Status-Type = Start
(83565) Acct-Authentic = RADIUS
(83565) User-Name = "host/n65144.mpdft.gov.br"
(83565) NAS-IP-Address = 10.34.177.220
(83565) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83565) NAS-Port-Id = "00000001"
(83565) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83565) NAS-Port-Type = Wireless-802.11
(83565) Event-Timestamp = "Jun 23 2020 13:47:27 -03"
(83565) Service-Type = Framed-User
(83565) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83565) Connect-Info = "CONNECT 0Mbps 802.11b"
(83565) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83565) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83565) WLAN-Pairwise-Cipher = 1027076
(83565) WLAN-Group-Cipher = 1027076
(83565) WLAN-AKM-Suite = 1027073
(83565) Framed-IP-Address = 172.28.252.122
(83565) Acct-Delay-Time = 0
(83565) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(83565) preacct {
(83565) [preprocess] = ok
(83565) update request {
(83565) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(83565) --> 1592930848
(83565) FreeRADIUS-Acct-Session-Start-Time = Jun 23 2020 13:47:28 -03
(83565) } # update request = noop
(83565) policy acct_unique {
(83565) update request {
(83565) Tmp-String-9 := "ai:"
(83565) } # update request = noop
(83565) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(83565) EXPAND %{hex:&Class}
(83565) -->
(83565) EXPAND ^%{hex:&Tmp-String-9}
(83565) --> ^61693a
(83565) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(83565) else {
(83565) update request {
(83565) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{Calling-Station-Id}}
(83565) --> baf7ceacc097faf87151791ad22e16e8
(83565) &Acct-Unique-Session-Id := baf7ceacc097faf87151791ad22e16e8
(83565) } # update request = noop
(83565) } # else = noop
(83565) } # policy acct_unique = noop
(83565) suffix: Checking for suffix after "@"
(83565) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83565) suffix: No such realm "NULL"
(83565) [suffix] = noop
(83565) files: acct_users: Matched entry DEFAULT at line 22
(83565) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(83565) files: --> host/n65144.mpdft.gov.br
(83565) [files] = ok
(83565) } # preacct = ok
(83565) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(83565) accounting {
(83565) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(83565) log_accounting: --> Accounting-Request.Start
(83565) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(83565) log_accounting: --> Tue, 23-06-2020 13:47:27 Connect: [host/n65144.mpdft.gov.br] (did 50-D4-F7-5B-96-CA:MPDFT cli 5C-C9-D3-7C-98-79 port ip 172.28.252.122)
(83565) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(83565) log_accounting: --> /var/log/freeradius/linelog-accounting
(83565) [log_accounting] = ok
(83565) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(83565) sql: --> type.start.query
(83565) sql: Using query template 'query'
(83565) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83565) sql: --> host/n65144.mpdft.gov.br
(83565) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83565) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(83565) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet)
(83565) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet)
(83565) sql: SQL query returned: success
(83565) sql: 1 record(s) updated
(83565) [sql] = ok
(83565) if (&request:Acct-Status-Type == start) {
(83565) if (&request:Acct-Status-Type == start) -> TRUE
(83565) if (&request:Acct-Status-Type == start) {
(83565) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83565) --> host/n65144.mpdft.gov.br
(83565) SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83565) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1592930847), AcctUpdateTime = TO_TIMESTAMP(1592930847), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 0Mbps 802.11b' WHERE UserName = 'host/n65144.mpdft.gov.br' AND AcctUniqueId <> 'baf7ceacc097faf87151791ad22e16e8' AND CallingStationId = '5C-C9-D3-7C-98-79' AND AcctStopTime IS NULL
(83565) SQL query affected no rows
(83565) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(83565) -->
(83565) } # if (&request:Acct-Status-Type == start) = ok
(83565) [exec] = noop
(83565) attr_filter.accounting_response: EXPAND %{User-Name}
(83565) attr_filter.accounting_response: --> host/n65144.mpdft.gov.br
(83565) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(83565) [attr_filter.accounting_response] = updated
(83565) } # accounting = updated
(83565) Sent Accounting-Response Id 126 from 10.34.242.3:1813 to 10.34.177.220:34685 length 0
(83565) Finished request
(83565) Cleaning up request packet ID 126 with timestamp +51982
(83533) Cleaning up request packet ID 116 with timestamp +51979
(83534) Cleaning up request packet ID 117 with timestamp +51979
(83535) Cleaning up request packet ID 118 with timestamp +51979
(83536) Cleaning up request packet ID 119 with timestamp +51979
(83537) Cleaning up request packet ID 120 with timestamp +51979
(83538) Cleaning up request packet ID 121 with timestamp +51979
(83539) Cleaning up request packet ID 122 with timestamp +51979
(83540) Cleaning up request packet ID 123 with timestamp +51979
(83541) Cleaning up request packet ID 124 with timestamp +51979
(83542) Cleaning up request packet ID 125 with timestamp +51979
2
2
24 Jun '20
Hi all,
I'm facing hard times trying to understand how radius auth Works. Every time I think I understood, a new problem appears and mass with my head.
Reading files, I saw that inner tunnel username can be different from outer username due to privacy. But, in those cases, outer username must be an anonymous username, otherwise, it might be spoofing.
What happens in my logs is NOT anonymous. Some devices (always android) send username as a number and for inner-tunnel, the real username. One problem is that this number is different for each user, but it never change, like user01, his number will always be the same for him, but differs from user02. So, I cant use filter username.
So, searching e-mails, I found some update outer.reply stuff (and some other things) to put in post-auth, but had no success.
So, until now, I have this (real usernames):
User joao.bosco will connect to wifi, so he enables wifi in his device.
Then, the first request come with this username: User-Name = "321457" (and for him, always the same)
So, freeradius goes on, create inner tunnel and his real username appears:
(224) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(224) sql: --> joao.bosco
(224) sql: SQL-User-Name set to 'joao.bosco'
(224) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(224) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(224) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
Here, it checks for simultaneous sessions. This part is ok.
Then, freeradius goes on, and things I found in my searches appears to work (outer.reply stuff):
(224) update outer.reply {
(224) User-Name := &request:User-Name -> 'joao.bosco'
(224) } # update outer.reply = noop
(224) } # post-auth = ok
(224) Login OK: [joao.bosco] (from client AP-CEI-TER-221 port 0 via TLS tunnel)
(224) } # server inner-tunnel
(224) Virtual server sending reply
(224) Idle-Timeout = 300
(224) MS-MPPE-Encryption-Policy = Encryption-Allowed
(224) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224) MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224) MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224) EAP-Message = 0x03cb0004
(224) Message-Authenticator = 0x00000000000000000000000000000000
(224*******) User-Name = "joao.bosco"
(224) eap_peap: Got tunneled reply code 2
(224) eap_peap: Idle-Timeout = 300
(224) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(224) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224) eap_peap: MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224) eap_peap: MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224) eap_peap: EAP-Message = 0x03cb0004
(224) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(224) eap_peap: User-Name = "joao.bosco"
(224) eap_peap: Got tunneled reply RADIUS code 2
(224) eap_peap: Idle-Timeout = 300
(224) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(224) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224) eap_peap: MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224) eap_peap: MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224) eap_peap: EAP-Message = 0x03cb0004
(224) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(224) eap_peap: User-Name = "joao.bosco"
(224) eap_peap: Tunneled authentication was successful
(224) eap_peap: SUCCESS
(224) eap: Sending EAP Request (code 1) ID 204 length 46
(224) eap: EAP session adding &reply:State = 0x2899acb82055b5bd
(224) [eap] = handled
(224) } # authenticate = handled
(224) Using Post-Auth-Type Challenge
(224) Post-Auth-Type sub-section not found. Ignoring.
(224) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(224) Sent Access-Challenge Id 127 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
(224*********) User-Name := "joao.bosco"
(224) EAP-Message = 0x01cc002e1900170303002307a25f0b393cc4df3f654be203d74fbcdd1ec936ebbbb6fdba3e8867a9583c5f6677bc
(224) Message-Authenticator = 0x00000000000000000000000000000000
(224) State = 0x2899acb82055b5bdee6ad9f73e1a7846
Those ******** show what I think is the right consequence for outer.reply.
Continuing, next packet, the number is back:
(225) Received Access-Request Id 128 from 10.34.87.221:44442 to 10.34.242.3:1812 length 313
(225) User-Name = "321457"
Then, it executes post-auth in name of 321457, inserting into DB wrong username:
(225) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(225) post-auth {
(225) update {
(225) No attributes updated
(225) } # update = noop
(225) sql: EXPAND .query
(225) sql: --> .query
(225) sql: Using query template 'query'
(225) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(225) sql: --> 321457
(225) sql: SQL-User-Name set to '321457'
(225) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()}))
(225) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593000289))
(225) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593000289))
(225) sql: SQL query returned: success
(225) sql: 1 record(s) updated
(225) [sql] = ok
(225) [exec] = noop
(225) policy remove_reply_message_if_eap {
(225) if (&reply:EAP-Message && &reply:Reply-Message) {
(225) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(225) else {
(225) [noop] = noop
(225) } # else = noop
(225) } # policy remove_reply_message_if_eap = noop
(225) } # post-auth = ok
(225) Login OK: [321457] (from client AP-CEI-TER-221 port 0 cli 70-FD-46-BE-0D-8A)
This part:
(225) post-auth {
(225) update {
(225) No attributes updated
(225) } # update = noop
I thought put something here to update username... but then: "from where could I pick the right one?" No clue.
And here comes the Access-Accept:
(225) Sent Access-Accept Id 128 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
(225) MS-MPPE-Recv-Key = 0x64f41978c0fde374a2b11308204593aed2e7feba32223cdcd5dbec47c0c80593
(225) MS-MPPE-Send-Key = 0xd71b8e63dce5a856f8e77f0f86fc9459bd07f8130dbc72a001f6431043ec29aa
(225) EAP-Message = 0x03cc0004
(225) Message-Authenticator = 0x00000000000000000000000000000000
(225) User-Name = "321457"
Wrong username again.
And, for the last, Account-Request:
(236) Received Accounting-Request Id 129 from 10.34.87.221:37992 to 10.34.242.3:1813 length 247
(236) Acct-Status-Type = Start
(236) Acct-Authentic = RADIUS
(236) User-Name = "321457"
That send to line-log this: Connect: [321457] (did 74-DA-88-ED-D3-32:MPDFT cli 70-FD-46-BE-0D-8A port ip 172.28.255.182)
And insert into radacct this:
(236) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('74da88edd332-203B18825AE31355', '2e382eabcf5b705081c1d8cdbbb1d876', '321457', NULLIF('', ''), '10.34.87.221', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593000292), TO_TIMESTAMP(1593000292), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet)
(236) sql: SQL query returned: success
(236) sql: 1 record(s) updated
Well, with this scenario, everything works fine for 321457. I have queries that closes stalled sessions, etc... but, I don't know the real username, AND, simultaneous user will never work, since its checking the real username... I cant call accounting queries from inner-tunnel...
In another e-mail, somebody told me to use CUI. I read all documentation, but I simply did not understand. What it will do? I need to register at radacct the real username...
It appears that the more a read, the less I understand... I have android and I don't even know how to configure it to create this scenario with 2 different usernames ...
2
6
Hi Alan
I really appreciate your help - thank you
I'm working though this - I may have some extra questions from this -
a couple of initial questions if I may ?
Currently for uses that we suspend I have a group defined and assign
users to that group if they are disabled
id GroupName Attribute op Value
219 disabledusers Filter-Id = T3
Which effectively puts the sessions into a known VRF - so that part is
in place. The VRF works and traffic blackholed. This works if they
enter the right username and password - the NAS and network does the
rest ...
In this case I ideally want:
i) Users we know BUT the user has the wrong password - AND there's an
'@' in the username
or
ii) Unknown users AND there's an '@' in the username
The server should allow the users but.. have the same effect as being
in the disabledusers group or add that attribute and set the user to
get an IP from sqlippool (I already have that module setup for other
users - it's just setting these users to be assigned to a specific
(single) pool
I mentioned above that this should only be the case if the username
has an '@' the alternative is that this only happens when the request
comes from certain NAS addresses - this is because I also have some
wireless hotspots etc using the radius server and I don't want this
behaviour to affect them.
We also have a couple of realms we proxy for another home server -
that's sort of in my control... Now I could copy this onto there
server - but wondered if there's any way to implement this so it
covers both uers authenticated locally - OR after a proxy has taken
place
I probably wasn't clear on logging - which was my fault - we have a
portal that I created that feeds from the SQL database - radpostauth
and radacct. In the ideal world I'd like there to be something I can
add to radpostauith query that flags this user has connected - BUT
with the 'disabled' flag - I assume I could set a variable somewhere
in the auth part and access this in the post-auth section to add to
the SQL query ?
My aim is to test this on a clone of one of the current servers but
not *yet* used by any of the NAS's so I can send requests to it - and
test until I have this correct
IF I have got the wrong end of the stick .... please feel free to
point me to the correct end ....
Thanks again
Richard
> --- Original message ---
> Subject: Re: A question - User Auth etc
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Date: Wednesday, 24/06/2020 2:37 PM
>
> On Jun 24, 2020, at 9:27 AM, Richard J Palmer <richard(a)merula.net>
> wrote:
>>
>> I have 'possibly' a slightly odd request - I am sure this can be
>> solved with FreeRadius but I'd really appreciate some pointers.
>
> FreeRADIUS can do almost anything. v4 will be able to do more. :)
>
>>
>> We are using FreeRadius to authenticate broadband connections reaching
>> us via L2TP over a number of providers. So far it works really well
>> and I've had a few questions and help from here in the past which I
>> really appriciate
>
> Good to hear.
>
>>
>> Obviously we get some connections reach us with invalid username's or
>> wrong passwords.
>>
>> The problem (and which we don't have any control over) is that in the
>> case of a wrong username - the customers router etc can simply try
>> constantly to log on. Obviously it never connects (as the current
>> design) but this obviously causes extra records in postauth and so on.
>>
>> What I'd like to do is
>>
>> 1) user logs on and works (as now)
>> 2) user with wrong login (wrong password / unknown username) - we
>> allow this to log on - send a specific reply back that pushes them
>> into a VRF which has a walled garden. it should also make the user ad
>> being in an IP Pool so it gets an IP from there)
>
> Sure. That's relatively common. Let them on, but push them to a
> blocked VLAN, etc.
>
>>
>> 3) BUT ideally logs this connection as 'failed' OR adds a flag so we
>> can see easily that the login was accepted by the above rule - so it's
>> not a 'working' session
>
> You can use the "linelog" module to selectively log bad
> authentications. i.e.
>
> if (!known user) {
> linelog_bad_user
> }
>
> Where you can create a "linelog" module:"
>
> linelog linelog_bad_user {
> ... stuff to log ...
> }
>
> And that logs what you want, where you want.
>
> How to check for an unknown user is up to you. It depends on a
> number of things. And no, you can't just do "if (!known_user)".
> That's just an example.
>
>>
>> The change to radreply - I know and have something we already use for
>> a disabled or suspended user,
>
> i.e. add a custom reply attribute which says "bad user". This
> doesn't have to be an attribute which is sent to the NAS. It can just
> be in raddb/dictionary
>
>>
>> I am however after some guidance on how I can allow the user to get an
>> 'accept' packet back with the extra reply attribute - and the logging
>> information. There's some extra complexity which is this should only
>> be the case where I am authenticating on a username with a '@'
>> (realm). Any login being authenticated via Calling Station ID or with
>> no realm (just a username) should perform as now.
>
> You can write whatever complex rules you want in "unlang". :)
>
> if (User-Name =~ /@/) {
> ... check database for known users...
>
> if (!known_user) {
> linelog_bad_user
> put them in a VRF / VLAN / whatever
> accept
> }
> }
> }
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
2
1
Yes! Super old version! But going to be super happy to be updated!!!
Thanks for the feedback and help so quickly! Its very much appreciated!
1
0
Can you run 2 radiusd server? One on port 1645/1646 and one
on 1812/1813?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
nk.ca started 1 June 1995 . https://www.empire.kred/ROOTNK?t=94a1f39b
They are not born of the Lord, who alter His Word to please fools. -unknown
2
1
For a quick history, I'm currently migrating an old server running Freeradius 1.0.5 on FreeBSD to a new server running Freeradius 3.0.16 on Ubuntu 18.04 (the one available via apt install).
We have thousands of clients configured in the clients.conf file with random passwords. But I have found that when I use a combination of a comma (,) and greater than (>) or less than signs (<) in a shared secret, I get an error. I have been able to at least narrow down this combination, but I'm suspecting there are more rules I should be aware of.
My question is what special characters are not able to be used with freeradius, or is there an escape method that will work in the shared secret field that will make them work? The less I have to change on end devices the better. I have tried scouring the documents and mailing list, but have not found anything showing special character rules.
For a sample of this, here's a clients.conf entry it errors on:
client 127.0.0.1 {
secret = abc,def<ghi123
shortname = test_sharedsecret
}
Running freeradius -CX, I get:
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
/etc/freeradius/3.0/clients.conf[2]: Parse error after "def": unexpected token "<"
Thank you!
Chris
2
1