Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2020
- 53 participants
- 61 discussions
Hello, i wrote on 15.01.2020 17:50 about our Freeradius problems, now we tested it anew with a new version of Freeradius (3.0.21).
And i have the strong suspicion that the opendirectory module has a memory coruption bug. It would explain why some Auths woks, and others print in the shortUserName debug print some garbage. And i hat also a segmentation Fault of freeradius in debug mode and multiple other occurences in the system log:
May 25 08:54:00 server com.apple.xpc.launchd[1] (org.freeradius.radiusd[54628]): Service exited due to SIGSEGV | sent by exc handler[54628]
May 25 08:54:05 server com.apple.xpc.launchd[1] (org.freeradius.radiusd[61018]): Service exited due to SIGSEGV | sent by exc handler[61018]
May 25 08:54:05 server com.apple.xpc.launchd[1] (org.freeradius.radiusd): Service only ran for 5 seconds. Pushing respawn out by 5 seconds.
May 25 08:54:19 server com.apple.xpc.launchd[1] (org.freeradius.radiusd[61021]): Service exited due to SIGSEGV | sent by exc handler[61021]
May 25 08:54:19 server com.apple.xpc.launchd[1] (org.freeradius.radiusd): Service only ran for 9 seconds. Pushing respawn out by 1 seconds.
and more ...
At the end is an example Crashreport, all crash reports Crash at getUserNodeRef in rlm_mschap.dylib.
And after that a full radiusd -X output.
Kind regards,
Carsten Kirschner
Request Examples:
(6) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(6) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(6) mschap: OD username_string = CKirschner, OD shortUserName=CKirschner (length = 10)
(6) mschap: Stepbuf server challenge :
ffffffc0ffffff92ffffff96234b56ffffffd8ffffffbc6b67ffffffa7ffffffdbffffff88ffffffbe4777
(6) mschap: Stepbuf peer challenge :
1709083c13ffffffba6affffffe366ffffff86ffffffc9ffffff8d36ffffffdafffffff8fffffff0
(6) mschap: Stepbuf p24 :
ffffffe5ffffffde0f14100cffffffd37847fffffff1727f031e1e09fffffff3395723ffffff90ffffffb873ffffffca
(6) mschap: dsDoDirNodeAuth returns stepbuff: S=FA1D3E965B2187EA23BECF6655F1289024D6998B???? (len=40)
(6) eap_mschapv2: [mschap] = ok
(6) eap_mschapv2: } # authenticate = ok
(6) eap_mschapv2: MSCHAP Success
(14) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(14) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(14) mschap: OD username_string = CKirschner, OD shortUserName=CKirschnerYn?? (length = 14)
(14) mschap: Stepbuf server challenge :
fffffff9ffffffe942ffffffc4ffffff8c04ffffffc7ffffffb16cffffffb7ffffffadfffffff118ffffffa123ffffffad
(14) mschap: Stepbuf peer challenge :
ffffffbbffffffb16111ffffffba4620ffffffe6ffffff8162ffffff891119ffffffa63d16
(14) mschap: Stepbuf p24 :
ffffff9f53ffffffebffffffb8ffffff857a6affffffb7ffffffdd03ffffff927e65ffffffc1ffffff82ffffff8d13ffffff8cffffffebffffffb158ffffffa44affffffc1
(14) mschap: ERROR: rlm_mschap: authentication failed - status = eUndefinedError
(14) eap_mschapv2: [mschap] = reject
(14) eap_mschapv2: } # authenticate = reject
(21) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(21) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(21) mschap: OD username_string = CKirschner, OD shortUserName=CKirschnerMn?? (length = 14)
(21) mschap: Stepbuf server challenge :
ffffffc02573ffffffdeffffffe9686fffffff9131ffffffddffffffd377ffffffb5ffffff9f48ffffffb9
(21) mschap: Stepbuf peer challenge :
2742ffffff8a6c3d695effffffa6553f423b3b1a0558
(21) mschap: Stepbuf p24 :
ffffffab6fffffffd00bffffffb0ffffff8cffffff85ffffff88014f1cffffffa8605cffffffb707ffffff8bffffff80282b3bffffffc15c74
(21) mschap: ERROR: rlm_mschap: authentication failed - status = eUndefinedError
(21) eap_mschapv2: [mschap] = reject
(21) eap_mschapv2: } # authenticate = reject
(28) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(28) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(28) mschap: OD username_string = IRosenfeld, OD shortUserName=IRosenfeld (length = 10)
(28) mschap: Stepbuf server challenge :
ffffffea53157e49ffffffb7ffffffa75effffffbbffffffde0f532f7d6b3f
(28) mschap: Stepbuf peer challenge :
ffffff9054ffffff9fffffff99ffffffa6ffffff966f38ffffffaaffffffb9ffffffb2713f3bffffff9efffffff9
(28) mschap: Stepbuf p24 :
ffffffa9624dffffffeb1072ffffffd1340e3e7c59ffffffc5ffffffebffffffadffffffbd0bfffffff4ffffffe81f20ffffffb859ffffff89
(28) mschap: dsDoDirNodeAuth returns stepbuff: S=56A259C71E123194964ED672DD28A11A17A10CF0???? (len=40)
(28) eap_mschapv2: [mschap] = ok
(28) eap_mschapv2: } # authenticate = ok
(28) eap_mschapv2: MSCHAP Success
(36) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(36) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(36) mschap: OD username_string = IRosenfeld, OD shortUserName=IRosenfeld (length = 10)
(36) mschap: Stepbuf server challenge :
5bfffffffa0bffffffa517354e66175affffffb4ffffffd2ffffffe811fffffff077
(36) mschap: Stepbuf peer challenge :
fffffff42968ffffffcaffffffd1ffffffc95e797b24ffffffb67649ffffffe7112e
(36) mschap: Stepbuf p24 :
ffffffbc38ffffffc1ffffff8bffffff92fffffff209ffffffe8740bffffff84ffffff80ffffffb1ffffffb0ffffffa6ffffffd23dfffffff8ffffffc2ffffffb35affffffdaffffffcaffffffb7
(36) mschap: dsDoDirNodeAuth returns stepbuff: S=CF27A062D3329B16C38D19C07477BC316A5B04EA???? (len=40)
(36) eap_mschapv2: [mschap] = ok
(36) eap_mschapv2: } # authenticate = ok
(36) eap_mschapv2: MSCHAP Success
(44) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(44) mschap: No NT-Password configured. Trying OpenDirectory Authentication
(44) mschap: OD username_string = IRosenfeld, OD shortUserName=IRosenfelde (length = 11)
(44) mschap: Stepbuf server challenge :
fffffff5ffffffa9fffffffc4dffffffb8ffffff9fffffffd370ffffffdaffffffcb2fffffffae3dffffffa828ffffff94
(44) mschap: Stepbuf peer challenge :
ffffff814dffffffdc1b291d68ffffffef065968ffffffe319ffffffb051ffffffc6
(44) mschap: Stepbuf p24 :
ffffffb205ffffffac7fffffffa421ffffffffffffff8a1f5cffffff844d35ffffffeaffffff92ffffffa7584a5f77fffffff4fffffff2ffffff925d
(44) mschap: ERROR: rlm_mschap: authentication failed - status = eDSRecordNotFound
(44) eap_mschapv2: [mschap] = reject
(44) eap_mschapv2: } # authenticate = reject
(51) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(51) mschap: No NT-Password configured. Trying OpenDirectory Authentication
Segmentation fault: 11
Example Crashreports, all crash reports Crash at getUserNodeRef in rlm_mschap.dylib
:
sh-3.2# cat /Library/Logs/DiagnosticReports/radiusd_2020-05-19-091930_Server.crash
Process: radiusd [35334]
Path: /usr/local/sbin/radiusd
Identifier: radiusd
Version: 0
Code Type: X86-64 (Native)
Parent Process: launchd [1]
Responsible: radiusd [35334]
User ID: 0
Date/Time: 2020-05-19 09:19:29.903 +0200
OS Version: Mac OS X 10.15.4 (19E287)
Report Version: 12
Anonymous UUID: 7B24091D-94A5-69D8-3216-7C8D93854234
Time Awake Since Boot: 670000 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000e800000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [35334]
VM Regions Near 0xe800000000:
__LINKEDIT 0000000112a9b000-0000000112ad3000 [ 224K] r--/r-- SM=COW /usr/lib/dyld
-->
STACK GUARD 000070000a3e3000-000070000a3e4000 [ 4K] ---/rwx SM=NUL stack guard for thread 1
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 rlm_mschap.dylib 0x00000001095d0687 getUserNodeRef + 1463
1 rlm_mschap.dylib 0x00000001095cf6c7 od_mschap_auth + 423
2 rlm_mschap.dylib 0x00000001095ca5ec mod_authenticate + 4732
3 radiusd 0x0000000109099ee5 call_modsingle + 357
4 radiusd 0x00000001090933ee modcall_recurse + 1406
5 radiusd 0x000000010909a0b7 modcall_child + 183
6 radiusd 0x0000000109093f4b modcall_recurse + 4315
7 radiusd 0x0000000109092e14 modcall + 180
8 radiusd 0x000000010908f5f6 indexed_modcall + 854
9 radiusd 0x0000000109091cdf process_authenticate + 31
10 rlm_eap_mschapv2.dylib 0x000000010963d6dc mod_process + 3132
11 rlm_eap.dylib 0x000000010953fabf eap_module_call + 319
12 rlm_eap.dylib 0x000000010953f917 eap_method_select + 1111
13 rlm_eap.dylib 0x000000010953de07 mod_authenticate + 327
14 radiusd 0x0000000109099ee5 call_modsingle + 357
15 radiusd 0x00000001090933ee modcall_recurse + 1406
16 radiusd 0x000000010909a0b7 modcall_child + 183
17 radiusd 0x0000000109093f4b modcall_recurse + 4315
18 radiusd 0x0000000109092e14 modcall + 180
19 radiusd 0x000000010908f5f6 indexed_modcall + 854
20 radiusd 0x0000000109091cdf process_authenticate + 31
21 radiusd 0x0000000109076185 rad_check_password + 853
22 radiusd 0x000000010907589c rad_authenticate + 1500
23 radiusd 0x000000010907673f rad_virtual_server + 1327
24 rlm_eap_ttls.dylib 0x0000000109626603 eapttls_process + 2755
25 rlm_eap_ttls.dylib 0x00000001096259a4 mod_process + 1012
26 rlm_eap.dylib 0x000000010953fabf eap_module_call + 319
27 rlm_eap.dylib 0x000000010953f917 eap_method_select + 1111
28 rlm_eap.dylib 0x000000010953de07 mod_authenticate + 327
29 radiusd 0x0000000109099ee5 call_modsingle + 357
30 radiusd 0x00000001090933ee modcall_recurse + 1406
31 radiusd 0x000000010909a0b7 modcall_child + 183
32 radiusd 0x0000000109093f4b modcall_recurse + 4315
33 radiusd 0x0000000109092e14 modcall + 180
34 radiusd 0x000000010908f5f6 indexed_modcall + 854
35 radiusd 0x0000000109091cdf process_authenticate + 31
36 radiusd 0x0000000109076185 rad_check_password + 853
37 radiusd 0x000000010907589c rad_authenticate + 1500
38 radiusd 0x00000001090a9d95 request_running + 357
39 radiusd 0x00000001090a9bff request_queue_or_run + 383
40 radiusd 0x00000001090a8d0a request_receive + 2106
41 radiusd 0x0000000109088c51 auth_socket_recv + 1425
42 radiusd 0x00000001090b502d event_socket_handler + 285
43 libfreeradius-radius.dylib 0x0000000109199fd5 fr_event_loop + 805
44 radiusd 0x00000001090ac54e radius_event_process + 46
45 radiusd 0x000000010909c674 main + 3396
46 libdyld.dylib 0x00007fff671becc9 start + 1
Thread 1:
0 libsystem_pthread.dylib 0x00007fff673beb68 start_wqthread + 0
Thread 2:
0 libsystem_pthread.dylib 0x00007fff673beb68 start_wqthread + 0
Thread 3:
0 libsystem_pthread.dylib 0x00007fff673beb68 start_wqthread + 0
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x00007f886a805160 rbx: 0x0000000000000000 rcx: 0x000000e800000000 rdx: 0x0000000000000006
rdi: 0x00007f886a805160 rsi: 0x00007f886a80533c rbp: 0x00007ffee6b86dc0 rsp: 0x00007ffee6b86cb0
r8: 0x0000000000000006 r9: 0x000000000000010f r10: 0x00000000ffff81ff r11: 0xfffffffffffffe24
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x00000001095d0687 rfl: 0x0000000000010246 cr2: 0x000000e800000000
Logical CPU: 0
Error Code: 0x00000006 (no mapping for user data write)
Trap Number: 14
Binary Images:
0x109073000 - 0x1090e5ff3 +radiusd (0) <0FA0DC9F-22C6-327D-BB46-4C5B3A05F02C> /usr/local/sbin/radiusd
0x109115000 - 0x10914cfff +libfreeradius-server.dylib (0) <D62BB0D8-EF8C-304F-A7E3-C5F5D63F654B> /usr/local/lib/libfreeradius-server.dylib
0x109164000 - 0x1091a6fff +libfreeradius-radius.dylib (0) <7DAF7764-412F-3C40-86D8-5AE20EB26D96> /usr/local/lib/libfreeradius-radius.dylib
0x1091c7000 - 0x1091d1fff +libfreeradius-eap.dylib (0) <949B6C66-CA7F-31DA-B74C-878693F538A2> /usr/local/lib/libfreeradius-eap.dylib
0x1091db000 - 0x1093a72e3 +libcrypto.1.1.dylib (0) <1A6E39CC-8016-3637-8BE9-2E7EDD8865A1> /usr/local/lib/libcrypto.1.1.dylib
0x10943f000 - 0x10949cffb +libssl.1.1.dylib (0) <D8F84717-3D85-3C62-836C-E4707FA90D0B> /usr/local/lib/libssl.1.1.dylib
0x1094c6000 - 0x1094cdffb +libtalloc.2.3.1.dylib (0) <C80C1AD3-F5C9-30BB-B278-5D49C786E69E> /usr/local/lib/libtalloc.2.3.1.dylib
0x109536000 - 0x109538fff +rlm_detail.dylib (0) <246A5BA0-3E71-3DED-BDCD-ECAC12327504> /usr/local/lib/rlm_detail.dylib
0x10953d000 - 0x109545ff3 +rlm_eap.dylib (0) <6FBC1EED-ABF0-3C86-B463-E20AD4A0B760> /usr/local/lib/rlm_eap.dylib
0x10954c000 - 0x10954dfff +rlm_exec.dylib (0) <69CC0A1A-9F5E-355C-BB0D-59C085109B7B> /usr/local/lib/rlm_exec.dylib
0x109552000 - 0x109552fff +rlm_utf8.dylib (0) <A905087F-8447-35A5-B98A-29B35AC3A4AD> /usr/local/lib/rlm_utf8.dylib
0x109556000 - 0x109556fff +rlm_always.dylib (0) <662CE0C6-9332-3338-B06B-DF042194CC21> /usr/local/lib/rlm_always.dylib
0x10955a000 - 0x10955cfff +rlm_digest.dylib (0) <2E035966-CC52-3731-9A8B-3369DABAA037> /usr/local/lib/rlm_digest.dylib
0x109560000 - 0x109560fff +rlm_date.dylib (0) <EC139A21-5BB4-3D00-AF4B-181F2CE22F6F> /usr/local/lib/rlm_date.dylib
0x109564000 - 0x109566fff +rlm_preprocess.dylib (0) <88566A67-16A1-3A80-9523-61045BE5F732> /usr/local/lib/rlm_preprocess.dylib
0x10956b000 - 0x10956fffb +rlm_pap.dylib (0) <AE675564-C63E-3385-9621-CE876A77AAA5> /usr/local/lib/rlm_pap.dylib
0x109574000 - 0x10957aff3 +rlm_expr.dylib (0) <A639DF57-1985-3A0F-AB3A-AEC7CA4C37E2> /usr/local/lib/rlm_expr.dylib
0x109581000 - 0x109583fff +rlm_radutmp.dylib (0) <F83E339C-F77E-3E38-9945-2B58BC3E7F78> /usr/local/lib/rlm_radutmp.dylib
0x109588000 - 0x109589fff +rlm_linelog.dylib (0) <225A2F7B-E025-3BFC-B909-CF1E19F2E118> /usr/local/lib/rlm_linelog.dylib
0x10958e000 - 0x10958fffb +rlm_unix.dylib (0) <6C7E3E6C-FBBF-3E17-A8A3-A9F65E7FA148> /usr/local/lib/rlm_unix.dylib
0x109594000 - 0x109595ff3 +rlm_attr_filter.dylib (0) <6AB0AC26-2977-3AB2-8900-80B1FB766446> /usr/local/lib/rlm_attr_filter.dylib
0x10959a000 - 0x10959cff3 +rlm_files.dylib (0) <93DE4983-CC8C-3970-A03B-363B9D672158> /usr/local/lib/rlm_files.dylib
0x1095a1000 - 0x1095a2ffb +rlm_replicate.dylib (0) <026525EE-D909-3D0B-9536-3E27C5B9C483> /usr/local/lib/rlm_replicate.dylib
0x1095a6000 - 0x1095a7ff7 +rlm_chap.dylib (0) <E222B3DE-495E-3602-B484-3328551C3EAF> /usr/local/lib/rlm_chap.dylib
0x1095ab000 - 0x1095acff7 +rlm_unpack.dylib (0) <1482E97E-9075-3566-A6DA-12585440876B> /usr/local/lib/rlm_unpack.dylib
0x1095b0000 - 0x1095b2ff3 +rlm_logintime.dylib (0) <298DF225-3B2D-3F8D-8F6A-EBAD1EE1D2CC> /usr/local/lib/rlm_logintime.dylib
0x1095b7000 - 0x1095b7ff7 +rlm_expiration.dylib (0) <D084B881-CDC1-3772-8EBE-E2C932A02282> /usr/local/lib/rlm_expiration.dylib
0x1095bb000 - 0x1095beff7 +rlm_cache.dylib (0) <1EBEE1DA-185C-3500-9F4D-B38659174941> /usr/local/lib/rlm_cache.dylib
0x1095c3000 - 0x1095c4ff7 +rlm_soh.dylib (0) <BA1841CF-3982-343E-A975-C7C350DF6874> /usr/local/lib/rlm_soh.dylib
0x1095c8000 - 0x1095d3fff +rlm_mschap.dylib (0) <F62ACA8F-3BB0-3932-A158-210CCD0B8F07> /usr/local/lib/rlm_mschap.dylib
0x1095da000 - 0x1095daff3 +rlm_dynamic_clients.dylib (0) <F4634476-CBE4-33D1-9579-29FB02278A33> /usr/local/lib/rlm_dynamic_clients.dylib
0x1095de000 - 0x1095e0fff +rlm_passwd.dylib (0) <9188D7BE-35B2-373D-8A4C-9B305FFC098B> /usr/local/lib/rlm_passwd.dylib
0x1095e5000 - 0x1095e7ff7 +rlm_realm.dylib (0) <B7BB88C3-EF14-3A46-9C29-145FFBB7E0EF> /usr/local/lib/rlm_realm.dylib
0x1095eb000 - 0x1095edff3 +rlm_opendirectory.dylib (0) <3AA71310-4F21-329D-87DC-5C9A6A20D943> /usr/local/lib/rlm_opendirectory.dylib
0x1095f2000 - 0x1095faff3 +rlm_sql.dylib (0) <3B72D87B-6821-36B0-AFCB-99EEEC78517F> /usr/local/lib/rlm_sql.dylib
0x109601000 - 0x109604fff +rlm_sql_sqlite.dylib (0) <EC984C10-53F2-3843-A13C-A600E96451A4> /usr/local/lib/rlm_sql_sqlite.dylib
0x109609000 - 0x10960affb +rlm_eap_md5.dylib (0) <F4B40CF6-17D3-364D-8E6A-B4C3DD2AE0B0> /usr/local/lib/rlm_eap_md5.dylib
0x10960f000 - 0x109613ffb +rlm_eap_leap.dylib (0) <9936B58F-C00E-35DA-B61F-363846CA8AB7> /usr/local/lib/rlm_eap_leap.dylib
0x109619000 - 0x10961aff7 +rlm_eap_gtc.dylib (0) <F9E3BD22-9FB4-3CE1-83D7-1C69C0B709CF> /usr/local/lib/rlm_eap_gtc.dylib
0x10961e000 - 0x10961fff7 +rlm_eap_tls.dylib (0) <F180BC76-4143-31A9-9EC5-C7C0D7B2444B> /usr/local/lib/rlm_eap_tls.dylib
0x109624000 - 0x10962afff +rlm_eap_ttls.dylib (0) <9063D507-143D-3DC7-A755-BDCB2387CB6F> /usr/local/lib/rlm_eap_ttls.dylib
0x109630000 - 0x109636ff7 +rlm_eap_peap.dylib (0) <6513E754-D025-3667-A70C-E852660DEDEC> /usr/local/lib/rlm_eap_peap.dylib
0x10963c000 - 0x10963efff +rlm_eap_mschapv2.dylib (0) <4DCA761E-A3BE-3639-A3BE-850B80C940E4> /usr/local/lib/rlm_eap_mschapv2.dylib
0x109643000 - 0x109644ff3 +rlm_cache_rbtree.dylib (0) <C614EDD6-91F1-3897-82A7-708ECAE481F2> /usr/local/lib/rlm_cache_rbtree.dylib
0x1129ce000 - 0x112a5feff dyld (750.5) <1F893B81-89A5-3502-8510-95B97B9F730D> /usr/lib/dyld
0x7fff29021000 - 0x7fff29021fff com.apple.Accelerate (1.11 - Accelerate 1.11) <8BE0965F-6A6A-35B0-89D0-F0A75835C2CA> /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
0x7fff29039000 - 0x7fff2968ffef com.apple.vImage (8.1 - 524.2) <DAE0E5C5-BA70-325D-8B4C-6B821F009CBF> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vImage.framework/Versions/A/vImage
0x7fff29690000 - 0x7fff298f7ff7 libBLAS.dylib (1303.60.1) <4E980D6B-4B3A-33D6-B52C-AFC7D120D11A> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib
0x7fff298f8000 - 0x7fff29dcbfef libBNNS.dylib (144.100.2) <C05F9F9D-4498-37BD-9C1C-2F7B920B401D> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBNNS.dylib
0x7fff29dcc000 - 0x7fff2a167fff libLAPACK.dylib (1303.60.1) <F8E9D081-7C60-32EC-A47D-2D30CAD73C5F> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLAPACK.dylib
0x7fff2a168000 - 0x7fff2a17dfec libLinearAlgebra.dylib (1303.60.1) <79CB28C5-F811-3EAF-AD8E-7D7D879FE662> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libLinearAlgebra.dylib
0x7fff2a17e000 - 0x7fff2a183ff3 libQuadrature.dylib (7) <EB7C9E98-D1E7-314C-90B4-3EB04428CC7C> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libQuadrature.dylib
0x7fff2a184000 - 0x7fff2a1f4fff libSparse.dylib (103) <8C55F5F2-6AE3-393C-B2FF-22B8CFCBD7FC> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libSparse.dylib
0x7fff2a1f5000 - 0x7fff2a207fef libSparseBLAS.dylib (1303.60.1) <08F6D629-5DAC-3A99-B261-2B6095DD38B4> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libSparseBLAS.dylib
0x7fff2a208000 - 0x7fff2a3dffd7 libvDSP.dylib (735.100.4) <0744F29B-F822-3571-9B4A-B592146D4E03> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvDSP.dylib
0x7fff2a3e0000 - 0x7fff2a4a2fef libvMisc.dylib (735.100.4) <E6C94B52-931B-3858-AF4D-C2EA52ACB7F5> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libvMisc.dylib
0x7fff2a4a3000 - 0x7fff2a4a3fff com.apple.Accelerate.vecLib (3.11 - vecLib 3.11) <66282197-81EE-316F-978E-EF1471551DEF> /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/vecLib
0x7fff2bc04000 - 0x7fff2bf92ffd com.apple.CFNetwork (1125.2 - 1125.2) <1D4D81F7-FC48-3588-87FC-481E2586E345> /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
0x7fff2d38d000 - 0x7fff2d80cffb com.apple.CoreFoundation (6.9 - 1675.129) <9E632A1E-9622-33D6-BCCE-23AC16DAA6B7> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x7fff2e775000 - 0x7fff2e775fff com.apple.CoreServices (1069.22 - 1069.22) <888FE7B9-CE6C-3C7C-BA33-63364462228A> /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
0x7fff2e776000 - 0x7fff2e7fbfff com.apple.AE (838.1 - 838.1) <2BAB1B88-C198-3D20-8DA3-056E66510E7A> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
0x7fff2e7fc000 - 0x7fff2eaddff7 com.apple.CoreServices.CarbonCore (1217 - 1217) <D0FECC17-7E16-308F-98EA-AF311CB77FE6> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
0x7fff2eade000 - 0x7fff2eb2bffd com.apple.DictionaryServices (1.2 - 323.6) <11513ED9-8B4B-39BB-A6B2-AA6AA0A2DF72> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/DictionaryServices
0x7fff2eb2c000 - 0x7fff2eb34ff7 com.apple.CoreServices.FSEvents (1268.100.1 - 1268.100.1) <CE3D8B13-2583-3527-8532-D5DDAAD7D56B> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/FSEvents
0x7fff2eb35000 - 0x7fff2ed6effc com.apple.LaunchServices (1069.22 - 1069.22) <E51EE658-608C-3034-9635-4FDF1E241E62> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
0x7fff2ed6f000 - 0x7fff2ee07ff1 com.apple.Metadata (10.7.0 - 2076.3) <EE42CCA1-FEC2-3F1C-9B62-2E73EFB05FCC> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata
0x7fff2ee08000 - 0x7fff2ee35fff com.apple.CoreServices.OSServices (1069.22 - 1069.22) <A0654B4E-3194-3066-911F-FF1FBEE1D2C2> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
0x7fff2ee36000 - 0x7fff2ee9dfff com.apple.SearchKit (1.4.1 - 1.4.1) <D4F82BC9-FD9B-3E04-B78E-D9E2A73B0BD7> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SearchKit.framework/Versions/A/SearchKit
0x7fff2ee9e000 - 0x7fff2eec2ff5 com.apple.coreservices.SharedFileList (131.4 - 131.4) <AEB4E42C-F5A2-3F63-80B0-4226483AD4F5> /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/SharedFileList.framework/Versions/A/SharedFileList
0x7fff2f62d000 - 0x7fff2f638ff7 com.apple.DirectoryService.Framework (10.15 - 220.40.1) <A2504DEB-2C9D-3F87-90FF-70104421DAF7> /System/Library/Frameworks/DirectoryService.framework/Versions/A/DirectoryService
0x7fff2f708000 - 0x7fff2f70efff com.apple.DiskArbitration (2.7 - 2.7) <D7617B57-B01C-3848-8818-593FB12039E9> /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
0x7fff2fa43000 - 0x7fff2fe08ff8 com.apple.Foundation (6.9 - 1675.129) <9A74FA97-7F7B-3929-B381-D9514B1E4754> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0x7fff3017c000 - 0x7fff30220ff3 com.apple.framework.IOKit (2.0.2 - 1726.100.16) <3D8BA34A-AAF7-3AF2-9B5B-189AC4755404> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
0x7fff33d1f000 - 0x7fff33d2bffe com.apple.NetFS (6.0 - 4.0) <7A96A8FE-17F3-3850-8E81-9DDDC5A48DDB> /System/Library/Frameworks/NetFS.framework/Versions/A/NetFS
0x7fff3690d000 - 0x7fff36929fff com.apple.CFOpenDirectory (10.15 - 220.40.1) <58835104-9E7A-32E8-862B-530CE899C9B4> /System/Library/Frameworks/OpenDirectory.framework/Versions/A/Frameworks/CFOpenDirectory.framework/Versions/A/CFOpenDirectory
0x7fff3692a000 - 0x7fff36935ffd com.apple.OpenDirectory (10.15 - 220.40.1) <D846BA35-59A1-3B78-B1C8-7E0EDE972AD2> /System/Library/Frameworks/OpenDirectory.framework/Versions/A/OpenDirectory
0x7fff39ccf000 - 0x7fff3a018ff1 com.apple.security (7.0 - 59306.101.1) <430E04FE-F068-3476-9CA2-72CB5F040D1F> /System/Library/Frameworks/Security.framework/Versions/A/Security
0x7fff3a019000 - 0x7fff3a0a1ffb com.apple.securityfoundation (6.0 - 55236.60.1) <BC15B825-955D-33CF-B416-A64D69A1D008> /System/Library/Frameworks/SecurityFoundation.framework/Versions/A/SecurityFoundation
0x7fff3a0d0000 - 0x7fff3a0d4ff8 com.apple.xpc.ServiceManagement (1.0 - 1) <C66FC9CF-224B-348C-94A5-ABAC579F5C0A> /System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement
0x7fff3ad7f000 - 0x7fff3adedff7 com.apple.SystemConfiguration (1.19 - 1.19) <71AC15DE-7018-3D2B-B599-F2972F0288AE> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
0x7fff3ed4a000 - 0x7fff3ee0fff7 com.apple.APFS (1412.101.1 - 1412.101.1) <2F5A48FB-9788-3A24-87FE-C1B7DDBC8A07> /System/Library/PrivateFrameworks/APFS.framework/Versions/A/APFS
0x7fff40b11000 - 0x7fff40b20fd7 com.apple.AppleFSCompression (119.100.1 - 1.0) <E1B024EB-DAB1-30A1-A43D-01D9E9357F2B> /System/Library/PrivateFrameworks/AppleFSCompression.framework/Versions/A/AppleFSCompression
0x7fff422df000 - 0x7fff422e8ff7 com.apple.coreservices.BackgroundTaskManagement (1.0 - 104) <2088BC70-5329-3390-A851-C4ECF654047C> /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/BackgroundTaskManagement
0x7fff4509e000 - 0x7fff450aeff3 com.apple.CoreEmoji (1.0 - 107) <AC83B860-61BD-384E-81BF-CA3CBE655968> /System/Library/PrivateFrameworks/CoreEmoji.framework/Versions/A/CoreEmoji
0x7fff456ee000 - 0x7fff45758ff0 com.apple.CoreNLP (1.0 - 213) <687A4C31-A307-3255-83BE-9B123971FF62> /System/Library/PrivateFrameworks/CoreNLP.framework/Versions/A/CoreNLP
0x7fff465d3000 - 0x7fff46601ffd com.apple.CSStore (1069.22 - 1069.22) <39E431F9-3584-34DF-A64D-C5895AA72068> /System/Library/PrivateFrameworks/CoreServicesStore.framework/Versions/A/CoreServicesStore
0x7fff52816000 - 0x7fff528e4ffd com.apple.LanguageModeling (1.0 - 215.1) <3FAF1700-F7D4-3F92-88AA-A3920702B8BB> /System/Library/PrivateFrameworks/LanguageModeling.framework/Versions/A/LanguageModeling
0x7fff528e5000 - 0x7fff5292dfff com.apple.Lexicon-framework (1.0 - 72) <212D02CE-11BC-3C7F-BDFD-DF1A0C4017EE> /System/Library/PrivateFrameworks/Lexicon.framework/Versions/A/Lexicon
0x7fff52934000 - 0x7fff52939ff3 com.apple.LinguisticData (1.0 - 353.18) <BA3869B7-9C39-32DA-A4BA-12F1BC4B04CF> /System/Library/PrivateFrameworks/LinguisticData.framework/Versions/A/LinguisticData
0x7fff53ca0000 - 0x7fff53cecfff com.apple.spotlight.metadata.utilities (1.0 - 2076.3) <EF8AC054-B15F-375F-AACB-018DC73CD16E> /System/Library/PrivateFrameworks/MetadataUtilities.framework/Versions/A/MetadataUtilities
0x7fff547a1000 - 0x7fff547abfff com.apple.NetAuth (6.2 - 6.2) <D324C7CC-E614-35F6-8619-DECBE90ECAEB> /System/Library/PrivateFrameworks/NetAuth.framework/Versions/A/NetAuth
0x7fff5da0b000 - 0x7fff5da1bff3 com.apple.TCC (1.0 - 1) <AEE98D6E-03FD-3C80-90AC-5B45B4AE7A2E> /System/Library/PrivateFrameworks/TCC.framework/Versions/A/TCC
0x7fff610e6000 - 0x7fff610e8ff3 com.apple.loginsupport (1.0 - 1) <B84ABC31-431B-3F99-BABE-44ED0A7DB3C0> /System/Library/PrivateFrameworks/login.framework/Versions/A/Frameworks/loginsupport.framework/Versions/A/loginsupport
0x7fff63c01000 - 0x7fff63c35fff libCRFSuite.dylib (48) <E52BECF7-1819-3998-ACC4-8D1A332CE4EB> /usr/lib/libCRFSuite.dylib
0x7fff63c38000 - 0x7fff63c42fff libChineseTokenizer.dylib (34) <EE842A48-3D30-34B0-B9D2-F045DE582650> /usr/lib/libChineseTokenizer.dylib
0x7fff63cce000 - 0x7fff63cd0ff7 libDiagnosticMessagesClient.dylib (112) <BE749883-9400-334A-8FBF-F3321CF205F5> /usr/lib/libDiagnosticMessagesClient.dylib
0x7fff641a4000 - 0x7fff641a5fff libSystem.B.dylib (1281.100.1) <DB8310F1-272D-3533-A840-3B390AF55C26> /usr/lib/libSystem.B.dylib
0x7fff64232000 - 0x7fff64233fff libThaiTokenizer.dylib (3) <DC582222-7C1F-3C27-8C3A-BAF696A2197D> /usr/lib/libThaiTokenizer.dylib
0x7fff6424b000 - 0x7fff64261fff libapple_nghttp2.dylib (1.39.2) <268F4E3E-95DC-35FB-82DC-5B0D1855A676> /usr/lib/libapple_nghttp2.dylib
0x7fff64296000 - 0x7fff64308ff7 libarchive.2.dylib (72.100.1) <65E0870E-02AB-365D-84F9-5800B5BB69FC> /usr/lib/libarchive.2.dylib
0x7fff643a6000 - 0x7fff643a6ff3 libauto.dylib (187) <FD0E5750-7004-36A7-B9C2-D6B6B4EF559B> /usr/lib/libauto.dylib
0x7fff6446c000 - 0x7fff6447cffb libbsm.0.dylib (60.100.1) <B0373A39-DBC6-3A84-879B-BA46E30D04BF> /usr/lib/libbsm.0.dylib
0x7fff6447d000 - 0x7fff64489fff libbz2.1.0.dylib (44) <FFCD4427-AF87-36D2-8097-8870FDC75A1B> /usr/lib/libbz2.1.0.dylib
0x7fff6448a000 - 0x7fff644dcfff libc++.1.dylib (902.1) <08199809-33CA-321E-9B9D-FD5B2BC64580> /usr/lib/libc++.1.dylib
0x7fff644dd000 - 0x7fff644f2ffb libc++abi.dylib (902) <1C880020-396D-3F91-BE27-5A09A9239F68> /usr/lib/libc++abi.dylib
0x7fff644f3000 - 0x7fff644f3fff libcharset.1.dylib (59) <4E63BA25-04A3-329A-923D-251155C03F30> /usr/lib/libcharset.1.dylib
0x7fff644f4000 - 0x7fff64505fff libcmph.dylib (8) <D4C5E0A8-92D9-33D5-9F83-6F4742FFBE29> /usr/lib/libcmph.dylib
0x7fff64506000 - 0x7fff6451dfd7 libcompression.dylib (87) <7F258A06-E01D-32D2-9CD2-6B2931DA5DA7> /usr/lib/libcompression.dylib
0x7fff647f7000 - 0x7fff6480dff7 libcoretls.dylib (167) <EFC237BB-78F7-33C6-BFF9-53860062DD99> /usr/lib/libcoretls.dylib
0x7fff6480e000 - 0x7fff6480ffff libcoretls_cfhelpers.dylib (167) <2E542A2B-7730-33EE-9B3B-154B08608AA6> /usr/lib/libcoretls_cfhelpers.dylib
0x7fff64f19000 - 0x7fff64f36fff libedit.3.dylib (55) <A41E499B-D031-38EA-8D1D-F271EED15830> /usr/lib/libedit.3.dylib
0x7fff64f37000 - 0x7fff64f37fff libenergytrace.dylib (21) <FFB9FB70-8DBD-3025-BC92-51F02481A489> /usr/lib/libenergytrace.dylib
0x7fff64f5e000 - 0x7fff64f60fff libfakelink.dylib (149.1) <B04F9A05-7E52-3382-9186-F603BE4BFBB2> /usr/lib/libfakelink.dylib
0x7fff64f6f000 - 0x7fff64f74fff libgermantok.dylib (24) <8091F952-B592-38E3-982B-7DEA0A44E211> /usr/lib/libgermantok.dylib
0x7fff64f7f000 - 0x7fff6506ffff libiconv.2.dylib (59) <9458704B-A702-37CB-9707-66ABBB5DB71E> /usr/lib/libiconv.2.dylib
0x7fff65070000 - 0x7fff652c7fff libicucore.A.dylib (64260.0.1) <DCC4A4EE-32FD-350F-84D8-E857F2F29855> /usr/lib/libicucore.A.dylib
0x7fff652e1000 - 0x7fff652e2fff liblangid.dylib (133) <E9595222-602B-38F0-8572-0F1872A00527> /usr/lib/liblangid.dylib
0x7fff652e3000 - 0x7fff652fbff3 liblzma.5.dylib (16) <0AA1EB11-A433-327E-B8DB-7395CFF06554> /usr/lib/liblzma.5.dylib
0x7fff65313000 - 0x7fff653baff7 libmecab.dylib (883.10) <13136C11-8763-37BA-AEB2-676092798DAA> /usr/lib/libmecab.dylib
0x7fff653bb000 - 0x7fff6561dfe1 libmecabra.dylib (883.10) <6AC22857-F528-35CE-94A9-D70F6F766C15> /usr/lib/libmecabra.dylib
0x7fff6598a000 - 0x7fff659b9fff libncurses.5.4.dylib (57) <6BD6F430-C8B3-39D8-87B5-2C16E6578FD5> /usr/lib/libncurses.5.4.dylib
0x7fff65ae9000 - 0x7fff65f64ff5 libnetwork.dylib (1880.100.30) <9519B6F8-44E2-3F53-B995-1527C5333240> /usr/lib/libnetwork.dylib
0x7fff66004000 - 0x7fff66037fde libobjc.A.dylib (787.1) <20AC082F-2DB7-3974-A2D4-8C5E01787584> /usr/lib/libobjc.A.dylib
0x7fff6604a000 - 0x7fff6604efff libpam.2.dylib (25.100.1) <D5CEC1AD-A2EC-362C-B71A-22FD521917F1> /usr/lib/libpam.2.dylib
0x7fff66051000 - 0x7fff66087ff7 libpcap.A.dylib (89.100.1) <171BAAB0-A5C8-32C5-878E-83D46073BF8C> /usr/lib/libpcap.A.dylib
0x7fff6610b000 - 0x7fff66123fff libresolv.9.dylib (67.40.1) <92A522F9-95E2-35EE-A8AD-FC8DEE6B2C1F> /usr/lib/libresolv.9.dylib
0x7fff6617f000 - 0x7fff66369ff7 libsqlite3.dylib (308.4) <BBC375B7-AF20-3D2C-8826-78D3BDC8A004> /usr/lib/libsqlite3.dylib
0x7fff665ba000 - 0x7fff665bdffb libutil.dylib (57) <07ED7CF0-1744-3386-B8B2-0DDBD446999E> /usr/lib/libutil.dylib
0x7fff665be000 - 0x7fff665cbff7 libxar.1.dylib (425.2) <625F24E1-1A0F-3301-9F99-F0F3DADE0287> /usr/lib/libxar.1.dylib
0x7fff665d1000 - 0x7fff666b3ff7 libxml2.2.dylib (33.3) <24147A90-E3EB-3926-BFB0-5F0FC9F706E2> /usr/lib/libxml2.2.dylib
0x7fff666b7000 - 0x7fff666dffff libxslt.1.dylib (16.9) <8C8648B1-F2CA-38EA-A409-D6F19715C6E6> /usr/lib/libxslt.1.dylib
0x7fff666e0000 - 0x7fff666f2ff3 libz.1.dylib (76) <6A449C6A-DF88-36C1-8F2D-DB9A808263B5> /usr/lib/libz.1.dylib
0x7fff66fa0000 - 0x7fff66fa5ff3 libcache.dylib (83) <5F90FFCE-403B-3724-991D-BA32401D99C5> /usr/lib/system/libcache.dylib
0x7fff66fa6000 - 0x7fff66fb1fff libcommonCrypto.dylib (60165) <C7A5E3F7-1E5A-3785-875A-B6647082B614> /usr/lib/system/libcommonCrypto.dylib
0x7fff66fb2000 - 0x7fff66fb9fff libcompiler_rt.dylib (101.2) <A517E149-2D25-3C04-BCEF-F69149C85B18> /usr/lib/system/libcompiler_rt.dylib
0x7fff66fba000 - 0x7fff66fc3ff7 libcopyfile.dylib (166.40.1) <1A5270B5-0D97-35DA-9296-4F4A428BC6A2> /usr/lib/system/libcopyfile.dylib
0x7fff66fc4000 - 0x7fff67056fe3 libcorecrypto.dylib (866.100.30) <FCDEC0D1-8C30-3989-BDD1-996BBC715C29> /usr/lib/system/libcorecrypto.dylib
0x7fff67163000 - 0x7fff671a3ff0 libdispatch.dylib (1173.100.2) <EB592997-B11C-3AB3-85B1-F725F3D0B412> /usr/lib/system/libdispatch.dylib
0x7fff671a4000 - 0x7fff671dafff libdyld.dylib (750.5) <D2A07EF5-A64B-3692-BE13-89DAA2EC5E80> /usr/lib/system/libdyld.dylib
0x7fff671db000 - 0x7fff671dbffb libkeymgr.dylib (30) <CC5A2B43-770B-3C6C-BA10-AA3A6B4A142D> /usr/lib/system/libkeymgr.dylib
0x7fff671dc000 - 0x7fff671e8ff3 libkxld.dylib (6153.101.6) <77282DCB-83D6-3199-874E-9A4A0FD7D4F3> /usr/lib/system/libkxld.dylib
0x7fff671e9000 - 0x7fff671e9ff7 liblaunch.dylib (1738.100.39) <A7FF7357-600F-3014-8C28-A4F367717E8D> /usr/lib/system/liblaunch.dylib
0x7fff671ea000 - 0x7fff671efff7 libmacho.dylib (959.0.1) <D8FED478-25A2-3844-AE4B-A5C9F9827615> /usr/lib/system/libmacho.dylib
0x7fff671f0000 - 0x7fff671f2ff3 libquarantine.dylib (110.40.3) <51E0304F-AB11-3BF7-99DC-BB916CC9088B> /usr/lib/system/libquarantine.dylib
0x7fff671f3000 - 0x7fff671f4ff7 libremovefile.dylib (48) <078F29AB-26BA-3493-BCAA-E1E75A187521> /usr/lib/system/libremovefile.dylib
0x7fff671f5000 - 0x7fff6720cff3 libsystem_asl.dylib (377.60.2) <0F1BAC19-2AE0-3F8E-9B90-AACF819B2BF7> /usr/lib/system/libsystem_asl.dylib
0x7fff6720d000 - 0x7fff6720dff7 libsystem_blocks.dylib (74) <32224AFF-C06F-3279-B753-097194EDEF49> /usr/lib/system/libsystem_blocks.dylib
0x7fff6720e000 - 0x7fff67295fff libsystem_c.dylib (1353.100.2) <4F5EED22-4D46-3F04-8C64-C492CDAD70EB> /usr/lib/system/libsystem_c.dylib
0x7fff67296000 - 0x7fff67299ffb libsystem_configuration.dylib (1061.101.1) <2A2C778D-07EB-35C7-A954-8BF8FD74BD75> /usr/lib/system/libsystem_configuration.dylib
0x7fff6729a000 - 0x7fff6729dfff libsystem_coreservices.dylib (114) <FDA41CC4-170A-3D93-85BD-838A563B03C4> /usr/lib/system/libsystem_coreservices.dylib
0x7fff6729e000 - 0x7fff672a6fff libsystem_darwin.dylib (1353.100.2) <B567B86D-8818-38A4-A861-03EB83B55867> /usr/lib/system/libsystem_darwin.dylib
0x7fff672a7000 - 0x7fff672aefff libsystem_dnssd.dylib (1096.100.3) <7C690DF5-E119-33FB-85CD-9EFC67A36E40> /usr/lib/system/libsystem_dnssd.dylib
0x7fff672af000 - 0x7fff672b0ffb libsystem_featureflags.dylib (17) <415D83EF-084C-3485-B757-53001870EA94> /usr/lib/system/libsystem_featureflags.dylib
0x7fff672b1000 - 0x7fff672feff7 libsystem_info.dylib (538) <17049D3F-C798-3651-B391-1551FC699D3E> /usr/lib/system/libsystem_info.dylib
0x7fff672ff000 - 0x7fff6732bff7 libsystem_kernel.dylib (6153.101.6) <E76440E1-D1E8-3D9A-8B47-D01F554FF1C4> /usr/lib/system/libsystem_kernel.dylib
0x7fff6732c000 - 0x7fff67373fff libsystem_m.dylib (3178) <74741FA8-5C29-3241-9046-4FC91C6A6D4A> /usr/lib/system/libsystem_m.dylib
0x7fff67374000 - 0x7fff6739bfff libsystem_malloc.dylib (283.100.5) <97833239-2F83-3AEB-A426-0593997C8A54> /usr/lib/system/libsystem_malloc.dylib
0x7fff6739c000 - 0x7fff673a9ffb libsystem_networkextension.dylib (1095.100.29) <C9E988B2-6A18-35C0-9577-63201E9D6018> /usr/lib/system/libsystem_networkextension.dylib
0x7fff673aa000 - 0x7fff673b3ff7 libsystem_notify.dylib (241.100.2) <E405F84B-BD4F-3874-9755-CB3EC86E18D5> /usr/lib/system/libsystem_notify.dylib
0x7fff673b4000 - 0x7fff673bcfef libsystem_platform.dylib (220.100.1) <6EF12F34-C33F-36BF-9A9A-2A35EA19EFE0> /usr/lib/system/libsystem_platform.dylib
0x7fff673bd000 - 0x7fff673c7fff libsystem_pthread.dylib (416.100.3) <A8514582-E000-3854-911A-0A73D2C79600> /usr/lib/system/libsystem_pthread.dylib
0x7fff673c8000 - 0x7fff673ccff3 libsystem_sandbox.dylib (1217.101.2) <E9D78CDE-FB67-32E7-BABC-9EFC23AA0DC6> /usr/lib/system/libsystem_sandbox.dylib
0x7fff673cd000 - 0x7fff673cffff libsystem_secinit.dylib (62.100.2) <AAC639E5-7103-3366-A602-8FC6944E2C13> /usr/lib/system/libsystem_secinit.dylib
0x7fff673d0000 - 0x7fff673d7ffb libsystem_symptoms.dylib (1238.100.26) <487B92DE-45F9-39F9-A478-89BBD478157D> /usr/lib/system/libsystem_symptoms.dylib
0x7fff673d8000 - 0x7fff673eeff2 libsystem_trace.dylib (1147.100.8) <BB90B1FD-8C09-3DF4-BD8B-9E4AEADFEA2B> /usr/lib/system/libsystem_trace.dylib
0x7fff673f0000 - 0x7fff673f5ff7 libunwind.dylib (35.4) <CC87C836-BE9D-334E-A0E6-0297D52E9D73> /usr/lib/system/libunwind.dylib
0x7fff673f6000 - 0x7fff6742bffe libxpc.dylib (1738.100.39) <32B0E31E-9DA3-328B-A962-BC9591B93537> /usr/lib/system/libxpc.dylib
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 95
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 454121
thread_create: 0
thread_set_state: 0
VM Region Summary:
ReadOnly portion of Libraries: Total=461.2M resident=0K(0%) swapped_out_or_unallocated=461.2M(100%)
Writable regions: Total=58.8M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=58.8M(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Activity Tracing 256K 1
Dispatch continuations 8192K 1
Kernel Alloc Once 8K 1
MALLOC 40.7M 29
MALLOC guard page 16K 4
SQLite page cache 64K 1
STACK GUARD 56.0M 4
Stack 9752K 4
VM_ALLOCATE 8K 1
__DATA 6270K 171
__DATA_CONST 388K 45
__LINKEDIT 389.1M 46
__OBJC_RO 32.2M 1
__OBJC_RW 1892K 2
__TEXT 72.1M 167
__UNICODE 564K 1
mapped file 27.2M 2
shared memory 28K 4
=========== ======= =======
TOTAL 644.1M 485
sh-3.2# sudo /usr/local/sbin/radiusd -X
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/opendirectory
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/debug
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = opendirectory
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_detail
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /usr/local/etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
use_open_directory = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_opendirectory
# Loading module "opendirectory" from file /usr/local/etc/raddb/mods-enabled/opendirectory
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_sqlite"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-%l}, acctsessiontime = (%{%{integer:Event-Timestamp}:-%l} - acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{%{integer:Event-Timestamp}:-%l}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-%l}, acctsessiontime = (%{%{integer:Event-Timestamp}:-%l} - acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{%{integer:Event-Timestamp}:-%l}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6address, framedipv6prefix, framedinterfaceid, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-%l}, %{%{integer:Event-Timestamp}:-%l}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Address}', '%{Framed-IPv6-Prefix}', '%{Framed-Interface-Id}', '%{Delegated-IPv6-Prefix}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-%l}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-%l}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M')"
}
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
Creating attribute SQL-Group
instantiate {
}
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.intern.corussoft.de.key.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.intern.corussoft.de.pem"
ca_file = "/usr/local/etc/raddb/certs/corussoft-intermediate-ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_sqlite: libsqlite version: 3.28.0
sqlite {
filename = "/var/db/radius/freeradius.db"
busy_timeout = 200
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.10.50 (4. Etage Serverraum) to global clients list
rlm_sql (192.168.10.50): Client "4. Etage Serverraum" (sql) added
rlm_sql (sql): Adding client 192.168.10.51 (4. Etage Drucker) to global clients list
rlm_sql (192.168.10.51): Client "4. Etage Drucker" (sql) added
rlm_sql (sql): Adding client 192.168.10.1 (Firewall) to global clients list
rlm_sql (192.168.10.1): Client "Firewall" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_sqlite: Opening SQLite database "/var/db/radius/freeradius.db"
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:336
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 63029
Listening on proxy address :: port 63030
Ready to process requests
2
3
Hi,
what is proper way to edit SQL queries in mods-config/sql/main/{dialect}/queries.conf to make them „update persistent“?
Is direct editing queries.conf ok, or should I create new file which overrides just some queries I need to change and include it?
Thank you
Regards,
Jiri H.
3
3
Hi, I have freeradius with jradius for authentication and authorization.
I would like to have freeradius pass NAS-IP-Address attribute to jradius.
How to config freeradius?
Thanks
Jim
2
1
Greetings,
I am attempting to authenticate iPhone clients using the built in IPSEC client with a username/password. Configuration is a MikroTik router hosting the VPN, using a separate FreeRADIUS server on Ubuntu 18.04 for AAA.
The iPhone seems to require EAP-TLS for this configuration. I've set up the appropriate CA, certificate, and private key, and verified that these all match up using OpenSSL (same modulus on the cert and key, -verify shows that the cert can be verified up to the installed CA cert)
My current configuration results in a "ERROR: TLS failed during operation" message, and an authentication failure, whenever iPhone clients try to log in. No further information as to the precise nature of the TLS failure appears to be visible in the debug output.
Speaking of which, here it is. The only actions taken were starting freeradius and attempting to log in with the iPhone:
---
FreeRADIUS Version 3.0.17
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
instantiate {
}
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.3.22
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 192.168.88.1 (mikrotik) to global clients list
rlm_sql (192.168.88.1): Client "mikrotik" (sql) added
rlm_sql (sql): Adding client 127.0.0.1 (localhost) to global clients list
rlm_sql (127.0.0.1): Client "localhost" (sql) added
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/radius.key"
certificate_file = "/etc/ssl/certs/radius.pem"
ca_file = "/etc/ssl/certs/vpnca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on proxy address * port 60649
Ready to process requests
(0) Received Access-Request Id 147 from 192.168.88.1:51332 to 192.168.88.10:1812 length 131
(0) User-Name = "ios"
(0) Called-Station-Id = "184.167.60.170"
(0) Calling-Station-Id = "192.168.88.230"
(0) NAS-Port-Id = "\000\000\000\r"
(0) NAS-Port-Type = Virtual
(0) Service-Type = Framed-User
(0) Event-Timestamp = "Jun 4 2020 10:22:57 BST"
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0200000801696f73
(0) Message-Authenticator = 0x853108f4809b405a89e4927468437799
(0) NAS-Identifier = "MikroTik"
(0) NAS-IP-Address = 192.168.88.1
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "ios", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 8
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0xf1152d4ff11429db
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 147 from 192.168.88.10:1812 to 192.168.88.1:51332 length 0
(0) EAP-Message = 0x010100160410fcb7fa95be6c8c9b365a2ae33e982c81
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xf1152d4ff11429db2580ab3ea34e373b
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 148 from 192.168.88.1:43544 to 192.168.88.10:1812 length 149
(1) User-Name = "ios"
(1) Called-Station-Id = "184.167.60.170"
(1) Calling-Station-Id = "192.168.88.230"
(1) NAS-Port-Id = "\000\000\000\r"
(1) NAS-Port-Type = Virtual
(1) Service-Type = Framed-User
(1) Event-Timestamp = "Jun 4 2020 10:22:57 BST"
(1) Framed-MTU = 1400
(1) State = 0xf1152d4ff11429db2580ab3ea34e373b
(1) EAP-Message = 0x0201000803191a0d
(1) Message-Authenticator = 0x674f27faff2bbd09d70fe5f9bb499061
(1) NAS-Identifier = "MikroTik"
(1) NAS-IP-Address = 192.168.88.1
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "ios", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) sql: EXPAND %{User-Name}
(1) sql: --> ios
(1) sql: SQL-User-Name set to 'ios'
rlm_sql (sql): Reserved connection (1)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ios' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'ios' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql: Cleartext-Password := "bzGCJedi"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ios' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ios' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'ios' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'ios' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
(1) [sql] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xf1152d4ff11429db
(1) eap: Finished EAP session with state 0xf1152d4ff11429db
(1) eap: Previous EAP request found for state 0xf1152d4ff11429db, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0xf1152d4ff01734db
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 148 from 192.168.88.10:1812 to 192.168.88.1:43544 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xf1152d4ff01734db2580ab3ea34e373b
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 149 from 192.168.88.1:45700 to 192.168.88.10:1812 length 302
(2) User-Name = "ios"
(2) Called-Station-Id = "184.167.60.170"
(2) Calling-Station-Id = "192.168.88.230"
(2) NAS-Port-Id = "\000\000\000\r"
(2) NAS-Port-Type = Virtual
(2) Service-Type = Framed-User
(2) Event-Timestamp = "Jun 4 2020 10:22:57 BST"
(2) Framed-MTU = 1400
(2) State = 0xf1152d4ff01734db2580ab3ea34e373b
(2) EAP-Message = 0x020200a119800000009716030100920100008e03035ed9381f90c2ffd69116b1236a6149b732198ff30993234dd1a802f637b27df800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(2) Message-Authenticator = 0xb5c1e5ca6863cd789c86662d361a0615
(2) NAS-Identifier = "MikroTik"
(2) NAS-IP-Address = 192.168.88.1
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "ios", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xf1152d4ff01734db
(2) eap: Finished EAP session with state 0xf1152d4ff01734db
(2) eap: Previous EAP request found for state 0xf1152d4ff01734db, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 089a]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0xf1152d4ff31634db
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 149 from 192.168.88.10:1812 to 192.168.88.1:45700 length 0
(2) EAP-Message = 0x010303ec19c000000a3c160303003d020000390303a068d3c81aedb4c1acdf4198dbd61a918dd8451cbf65d353444f574e4752440100c030000011ff01000100000b00040300010200170000160303089a0b0008960008930004603082045c30820344a00302010202085b1117c0ff09d38b300d06092a
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xf1152d4ff31634db2580ab3ea34e373b
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 150 from 192.168.88.1:54448 to 192.168.88.10:1812 length 147
(3) User-Name = "ios"
(3) Called-Station-Id = "184.167.60.170"
(3) Calling-Station-Id = "192.168.88.230"
(3) NAS-Port-Id = "\000\000\000\r"
(3) NAS-Port-Type = Virtual
(3) Service-Type = Framed-User
(3) Event-Timestamp = "Jun 4 2020 10:22:57 BST"
(3) Framed-MTU = 1400
(3) State = 0xf1152d4ff31634db2580ab3ea34e373b
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0x6d49c542853e58415a17517452a4fec2
(3) NAS-Identifier = "MikroTik"
(3) NAS-IP-Address = 192.168.88.1
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "ios", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xf1152d4ff31634db
(3) eap: Finished EAP session with state 0xf1152d4ff31634db
(3) eap: Previous EAP request found for state 0xf1152d4ff31634db, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0xf1152d4ff21134db
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 150 from 192.168.88.10:1812 to 192.168.88.1:54448 length 0
(3) EAP-Message = 0x010403e81940580120a85138bd5cc5e5baeacbcf3f587112291186e80d9261ed896170b5d1645a0b9fe653ab9ef4cd6e698cd1004ad9871fa7a41a4aee46c383fbf10bdcf38e9dbbec727aaefe4ab93b5181ad4e8cd2e9bd42236ffbf194baa05f3bd5ca13fac28171c65369db26e22d70fbb73a4108b1
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xf1152d4ff21134db2580ab3ea34e373b
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 151 from 192.168.88.1:33463 to 192.168.88.10:1812 length 147
(4) User-Name = "ios"
(4) Called-Station-Id = "184.167.60.170"
(4) Calling-Station-Id = "192.168.88.230"
(4) NAS-Port-Id = "\000\000\000\r"
(4) NAS-Port-Type = Virtual
(4) Service-Type = Framed-User
(4) Event-Timestamp = "Jun 4 2020 10:22:57 BST"
(4) Framed-MTU = 1400
(4) State = 0xf1152d4ff21134db2580ab3ea34e373b
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x33d8b12a37e758955e71d2a17fadee7e
(4) NAS-Identifier = "MikroTik"
(4) NAS-IP-Address = 192.168.88.1
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "ios", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xf1152d4ff21134db
(4) eap: Finished EAP session with state 0xf1152d4ff21134db
(4) eap: Previous EAP request found for state 0xf1152d4ff21134db, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 638
(4) eap: EAP session adding &reply:State = 0xf1152d4ff51034db
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 151 from 192.168.88.10:1812 to 192.168.88.1:33463 length 0
(4) EAP-Message = 0x0105027e190020526f757465724f53300d06092a864886f70d01010b0500038201010053685560db677ebae1bbce094f89ddc22d9d37f16507ef27a5b0e38e2a1c7d18bd79766532b1818aab418405b86951b298ff0f27095fb3f97ababdcdb9cac8a6fc1c99c4ceac61daf8a275f6bc4dbace767b1a7c
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xf1152d4ff51034db2580ab3ea34e373b
(4) Finished request
Waking up in 4.7 seconds.
(5) Received Access-Request Id 152 from 192.168.88.1:58427 to 192.168.88.10:1812 length 158
(5) User-Name = "ios"
(5) Called-Station-Id = "184.167.60.170"
(5) Calling-Station-Id = "192.168.88.230"
(5) NAS-Port-Id = "\000\000\000\r"
(5) NAS-Port-Type = Virtual
(5) Service-Type = Framed-User
(5) Event-Timestamp = "Jun 4 2020 10:22:57 BST"
(5) Framed-MTU = 1400
(5) State = 0xf1152d4ff51034db2580ab3ea34e373b
(5) EAP-Message = 0x0205001119800000000715030300020100
(5) Message-Authenticator = 0x3a65e25e556b20f1ddc6d51302d4f0b3
(5) NAS-Identifier = "MikroTik"
(5) NAS-IP-Address = 192.168.88.1
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "ios", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 17
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xf1152d4ff51034db
(5) eap: Finished EAP session with state 0xf1152d4ff51034db
(5) eap: Previous EAP request found for state 0xf1152d4ff51034db, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(5) eap_peap: Got complete TLS record (7 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.2 [length 0002]
(5) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(5) eap_peap: In SSL Handshake Phase
(5) eap_peap: In SSL Accept mode
(5) eap_peap: SSL Application Data
(5) eap_peap: ERROR: TLS failed during operation
(5) eap_peap: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) sql: EXPAND .query
(5) sql: --> .query
(5) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(5) sql: EXPAND %{User-Name}
(5) sql: --> ios
(5) sql: SQL-User-Name set to 'ios'
(5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(5) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ios', '', 'Access-Reject', '2020-06-04 19:06:24')
(5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'ios', '', 'Access-Reject', '2020-06-04 19:06:24')
(5) sql: SQL query returned: success
(5) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.3.22-MariaDB-0+deb10u1, protocol version 10
(5) [sql] = ok
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> ios
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) [eap] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) (5) Discarding duplicate request from client mikrotik port 58427 - ID: 152 due to delayed response
(5) Sending delayed response
(5) Sent Access-Reject Id 152 from 192.168.88.10:1812 to 192.168.88.1:58427 length 44
(5) EAP-Message = 0x04050004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
---
Any ideas what's happening here?
Thanks,
Mike
4
9
I currently have a few groups setup with users assigned to them and am steering the users to the correct VLAN by settings in the group.
Is it also possible to set the EAP type that should be used on a per group basis?
2
3
Hello,
I was for several years successfully using Radius 2 with authentication
types EAP (PEAP) mschapv2. Now I've upgraded to Radius 3 with the same
authentication.
>From laptop under MS Windows 10 I' trying to connect to WiFi network through
Access Points (AP). After some time I've managed to connect wifi network.
Then I've disconnected intentionally from network and attempted once more
connect to network but this time failed to connect.
Radius debug log is very big, so I provide
extract from Radius debug log below.
>From debug log I see that laptop is eventually authenticated through AP
192.168.14.241 but going through many unsuccessful steps.
The line
Login OK: [oreshkin] (from client 3com9150 port 0 cli 30-E3-7A-D5-61-F0)
shows that.
Why is it required so many steps to successfully connect ?
Some errors in radius configuration ?
Second attempt to connect after disconnection is failed. Why ?
This time authentication is done through AP 192.168.14.247
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/files
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/control
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/files
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/control
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/files
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/control
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 192.168.14.241 {
ipaddr = 192.168.14.241
require_message_authenticator = no
secret = <<< secret >>>
shortname = "3com9150"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 192.168.14.247 {
ipaddr = 192.168.14.247
require_message_authenticator = no
secret = <<< secret >>>
shortname = "3com9552"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address
}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address
}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/" ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
instantiate {
}
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:291
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 44420
Listening on proxy address :: port 36131
Ready to process requests
....
(27) Received Access-Request Id 9 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 159
(27) User-Name = "oreshkin"
(27) NAS-IP-Address = 192.168.14.241
(27) NAS-Port = 0
(27) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(27) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(27) Framed-MTU = 1400
(27) NAS-Port-Type = Wireless-802.11
(27) Connect-Info = "CONNECT 0Mbps 802.11"
(27) EAP-Message = 0x0201000d016f726573686b696e
(27) Message-Authenticator = 0x10afad72dec6e948c7598d93b080d695
(27) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (&User-Name) {
(27) if (&User-Name) -> TRUE
(27) if (&User-Name) {
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@[^@]*@/ ) {
(27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /(a)\./) {
(27) if (&User-Name =~ /(a)\./) -> FALSE
(27) } # if (&User-Name) = notfound
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [chap] = noop
(27) [mschap] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) ntdomain: Checking for prefix before "\"
(27) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(27) ntdomain: No such realm "NULL"
(27) [ntdomain] = noop
(27) eap: Peer sent EAP Response (code 2) ID 1 length 13
(27) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) authenticate {
(27) eap: Peer sent packet with method EAP Identity (1)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Initiating new EAP-TLS session
27) eap_peap: [eaptls start] = request
(27) eap: Sending EAP Request (code 1) ID 2 length 6
(27) eap: EAP session adding &reply:State = 0x2222bfcc2220a606
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) Challenge { ... } # empty sub-section is ignored
(27) Sent Access-Challenge Id 9 from xx.xx.xx.xx:1812 to 192.168.14.241:3074
length 0
(27) EAP-Message = 0x010200061920
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0x2222bfcc2220a60628942d36d3525ed7
(27) Finished request
(28) Received Access-Request Id 10 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 330
(28) User-Name = "oreshkin"
(28) NAS-IP-Address = 192.168.14.241
(28) NAS-Port = 0
(28) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(28) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(28) Framed-MTU = 1400
(28) NAS-Port-Type = Wireless-802.11
(28) Connect-Info = "CONNECT 0Mbps 802.11"
(28) EAP-Message =
0x020200a619800000009c16030300970100009303035ed4e24d6ec1584f510f0866c1215851558a510205500495d8d13de5caee61ca00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(28) State = 0x2222bfcc2220a60628942d36d3525ed7
(28) Message-Authenticator = 0x6de97a654208715266eb91099cdb366a
(28) session-state: No cached attributes
(28) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(28) authorize {
(28) policy filter_username {
(28) if (&User-Name) {
(28) if (&User-Name) -> TRUE
(28) if (&User-Name) {
(28) if (&User-Name =~ / /) {
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ ) {
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ ) {
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(28) if (&User-Name =~ /\.$/) {
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /(a)\./) {
(28) if (&User-Name =~ /(a)\./) -> FALSE
(28) } # if (&User-Name) = notfound
(28) } # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) ntdomain: Checking for prefix before "\"
(28) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(28) ntdomain: No such realm "NULL"
(28) [ntdomain] = noop
(28) eap: Peer sent EAP Response (code 2) ID 2 length 166
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/raddb/sites-enabled/default
(28) authenticate {
(28) eap: Expiring EAP session with state 0x2222bfcc2220a606
(28) eap: Finished EAP session with state 0x2222bfcc2220a606
(28) eap: Previous EAP request found for state 0x2222bfcc2220a606, released
from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(28) eap_peap: Got complete TLS record (156 bytes)
(28) eap_peap: [eaptls verify] = length included
(28) eap_peap: (other): before/accept initialization
(28) eap_peap: TLS_accept: before/accept initialization
(28) eap_peap: <<< recv TLS 1.2 [length 0097]
(28) eap_peap: TLS_accept: SSLv3 read client hello A
(28) eap_peap: >>> send TLS 1.2 [length 0039]
(28) eap_peap: TLS_accept: SSLv3 write server hello A
(28) eap_peap: >>> send TLS 1.2 [length 08d3]
(28) eap_peap: TLS_accept: SSLv3 write certificate A
(28) eap_peap: >>> send TLS 1.2 [length 014d]
(28) eap_peap: TLS_accept: SSLv3 write key exchange A
(28) eap_peap: >>> send TLS 1.2 [length 0004]
(28) eap_peap: TLS_accept: SSLv3 write server done A
(28) eap_peap: TLS_accept: SSLv3 flush data
(28) eap_peap: TLS_accept: SSLv3 read client certificate A
(28) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(28) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(28) eap_peap: In SSL Handshake Phase
(28) eap_peap: In SSL Accept mode
(28) eap_peap: [eaptls process] = handled
(28) eap: Sending EAP Request (code 1) ID 3 length 1004
(28) eap: EAP session adding &reply:State = 0x2222bfcc2321a606
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) # Executing group from file /etc/raddb/sites-enabled/default
(28) Challenge { ... } # empty sub-section is ignored
(28) Sent Access-Challenge Id 10 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(28) EAP-Message =
0x010303ec19c000000a711603030039020000350303b8ccee05d9782beb17d6b77494dd7361478f4ed8ffecf71d49e93e03d5d4f67a00c03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0x2222bfcc2321a60628942d36d3525ed7
(28) Finished request
(22) Cleaning up request packet ID 64 with timestamp +16
(23) Cleaning up request packet ID 65 with timestamp +16
(24) Cleaning up request packet ID 66 with timestamp +16
(25) Cleaning up request packet ID 67 with timestamp +16
(29) Received Access-Request Id 11 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 170
(29) User-Name = "oreshkin"
(29) NAS-IP-Address = 192.168.14.241
(29) NAS-Port = 0
(29) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(29) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(29) Framed-MTU = 1400
(29) NAS-Port-Type = Wireless-802.11
(29) Connect-Info = "CONNECT 0Mbps 802.11"
(29) EAP-Message = 0x020300061900
(29) State = 0x2222bfcc2321a60628942d36d3525ed7
(29) Message-Authenticator = 0xcebca6a1adb3df4e5aeddedcd23c1249
(29) session-state: No cached attributes
(29) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /(a)\./) {
(29) if (&User-Name =~ /(a)\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [chap] = noop
(29) [mschap] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) ntdomain: Checking for prefix before "\"
(29) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(29) ntdomain: No such realm "NULL"
(29) [ntdomain] = noop
(29) eap: Peer sent EAP Response (code 2) ID 3 length 6
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/raddb/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0x2222bfcc2321a606
(29) eap: Finished EAP session with state 0x2222bfcc2321a606
(29) eap: Previous EAP request found for state 0x2222bfcc2321a606, released
from the list
(29) eap: Peer sent packet with method EAP PEAP (25)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Continuing EAP-TLS
(29) eap_peap: Peer ACKed our handshake fragment
(29) eap_peap: [eaptls verify] = request
(29) eap_peap: [eaptls process] = handled
(29) eap: Sending EAP Request (code 1) ID 4 length 1000
(29) eap: EAP session adding &reply:State = 0x2222bfcc2026a606
(29) [eap] = handled
(29) } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) # Executing group from file /etc/raddb/sites-enabled/default
(29) Challenge { ... } # empty sub-section is ignored
(29) Sent Access-Challenge Id 11 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(29) EAP-Message =
0x010403e81940f380d8c5155b8eb1fb79d0094a95a1908aa3d079dcf2dab14e3c12a2ab5494d1c2430b1e8c6de4b03899f1315c96304f66bb40bd632d817172ece81732a4256ffbf9df90317051de700004e8308204e4308203cca003020102020900d5c6e8bb4ac2077e300d06092a864886f70d01010b
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0x2222bfcc2026a60628942d36d3525ed7
(29) Finished request
(26) Cleaning up request packet ID 68 with timestamp +16
Waking up in 4.9 seconds.
(30) Received Access-Request Id 12 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 170
(30) User-Name = "oreshkin"
(30) NAS-IP-Address = 192.168.14.241
(30) NAS-Port = 0
(30) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(30) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(30) Framed-MTU = 1400
(30) NAS-Port-Type = Wireless-802.11
(30) Connect-Info = "CONNECT 0Mbps 802.11"
(30) EAP-Message = 0x020400061900
(30) State = 0x2222bfcc2026a60628942d36d3525ed7
(30) Message-Authenticator = 0x8e292c39aebf1d998465743dfbcd6989
(30) session-state: No cached attributes
(30) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /(a)\./) {
(30) if (&User-Name =~ /(a)\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) [chap] = noop
(30) [mschap] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) ntdomain: Checking for prefix before "\"
(30) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(30) ntdomain: No such realm "NULL"
(30) [ntdomain] = noop
(30) eap: Peer sent EAP Response (code 2) ID 4 length 6
(30) eap: Continuing tunnel setup
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /etc/raddb/sites-enabled/default
(30) authenticate {
(30) eap: Expiring EAP session with state 0x2222bfcc2026a606
(30) eap: Finished EAP session with state 0x2222bfcc2026a606
(30) eap: Previous EAP request found for state 0x2222bfcc2026a606, released
from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: Peer ACKed our handshake fragment
(30) eap_peap: [eaptls verify] = request
(30) eap_peap: [eaptls process] = handled
(30) eap: Sending EAP Request (code 1) ID 5 length 691
(30) eap: EAP session adding &reply:State = 0x2222bfcc2127a606
(30) [eap] = handled
(30) } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) # Executing group from file /etc/raddb/sites-enabled/default
(30) Challenge { ... } # empty sub-section is ignored
(30) Sent Access-Challenge Id 12 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(30) EAP-Message =
0x010502b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101007f15d37224ffa7b8db1d8ed23f49758db260c870aeedbcb0b706dfda4b208f
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0x2222bfcc2127a60628942d36d3525ed7
(30) Finished request
Waking up in 4.9 seconds.
(31) Received Access-Request Id 13 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 300
(31) User-Name = "oreshkin"
(31) NAS-IP-Address = 192.168.14.241
(31) NAS-Port = 0
(31) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(31) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(31) Framed-MTU = 1400
(31) NAS-Port-Type = Wireless-802.11
(31) Connect-Info = "CONNECT 0Mbps 802.11"
(31) EAP-Message =
0x0205008819800000007e1603030046100000424104c0e14c73bf2789c0ac2c6de846eccfec4299866b1828da3ec76f49d47dae95a4fff5cdde5604d0e85e89c920b7c3683117977853940ed4d7395217f042fdd76c14030300010116030300280000000000000000065edd34aad7b3965d58aa1d763c75
(31) State = 0x2222bfcc2127a60628942d36d3525ed7
(31) Message-Authenticator = 0x04dff77641cddb023c91d4edab1e2f78
(31) session-state: No cached attributes
(31) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /(a)\./) {
(31) if (&User-Name =~ /(a)\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [preprocess] = ok
(31) [chap] = noop
(31) [mschap] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) ntdomain: Checking for prefix before "\"
(31) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(31) ntdomain: No such realm "NULL"
(31) [ntdomain] = noop
(31) eap: Peer sent EAP Response (code 2) ID 5 length 136
(31) eap: Continuing tunnel setup
(31) [eap] = ok
(31) } # authorize = ok
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/raddb/sites-enabled/default
(31) authenticate {
(31) eap: Expiring EAP session with state 0x2222bfcc2127a606
(31) eap: Finished EAP session with state 0x2222bfcc2127a606
(31) eap: Previous EAP request found for state 0x2222bfcc2127a606, released
from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(31) eap_peap: Got complete TLS record (126 bytes)
(31) eap_peap: [eaptls verify] = length included
(31) eap_peap: <<< recv TLS 1.2 [length 0046]
(31) eap_peap: TLS_accept: SSLv3 read client key exchange A
(31) eap_peap: TLS_accept: SSLv3 read certificate verify A
(31) eap_peap: <<< recv TLS 1.2 [length 0001]
(31) eap_peap: <<< recv TLS 1.2 [length 0010]
(31) eap_peap: TLS_accept: SSLv3 read finished A
(31) eap_peap: >>> send TLS 1.2 [length 0001]
(31) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(31) eap_peap: >>> send TLS 1.2 [length 0010]
(31) eap_peap: TLS_accept: SSLv3 write finished A
(31) eap_peap: TLS_accept: SSLv3 flush data
(31) eap_peap: (other): SSL negotiation finished successfully
(31) eap_peap: SSL Connection Established
(31) eap_peap: [eaptls process] = handled
(31) eap: Sending EAP Request (code 1) ID 6 length 57
(31) eap: EAP session adding &reply:State = 0x2222bfcc2624a606
(31) [eap] = handled
(31) } # authenticate = handled
(31) Using Post-Auth-Type Challenge
(31) # Executing group from file /etc/raddb/sites-enabled/default
(31) Challenge { ... } # empty sub-section is ignored
(31) Sent Access-Challenge Id 13 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(31) EAP-Message =
0x01060039190014030300010116030300281feeee9e22725fa44b48439675c0566117c5e508aa3b8f83d39300efb57a13f459b0ca500d4285ce
(31) Message-Authenticator = 0x00000000000000000000000000000000
(31) State = 0x2222bfcc2624a60628942d36d3525ed7
(31) Finished request
Waking up in 4.9 seconds.
(32) Received Access-Request Id 14 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 170
(32) User-Name = "oreshkin"
(32) NAS-IP-Address = 192.168.14.241
(32) NAS-Port = 0
(32) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(32) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(32) Framed-MTU = 1400
(32) NAS-Port-Type = Wireless-802.11
(32) Connect-Info = "CONNECT 0Mbps 802.11"
(32) EAP-Message = 0x020600061900
(32) State = 0x2222bfcc2624a60628942d36d3525ed7
(32) Message-Authenticator = 0x50d9a449b0125139aa7b9c77879e7e9e
(32) session-state: No cached attributes
(32) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(32) authorize {
(32) policy filter_username {
(32) if (&User-Name) {
(32) if (&User-Name) -> TRUE
(32) if (&User-Name) {
(32) if (&User-Name =~ / /) {
(32) if (&User-Name =~ / /) -> FALSE
(32) if (&User-Name =~ /@[^@]*@/ ) {
(32) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(32) if (&User-Name =~ /\.\./ ) {
(32) if (&User-Name =~ /\.\./ ) -> FALSE
(32) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(32) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(32) if (&User-Name =~ /\.$/) {
(32) if (&User-Name =~ /\.$/) -> FALSE
(32) if (&User-Name =~ /(a)\./) {
(32) if (&User-Name =~ /(a)\./) -> FALSE
(32) } # if (&User-Name) = notfound
(32) } # policy filter_username = notfound
(32) [preprocess] = ok
(32) [chap] = noop
(32) [mschap] = noop
(32) suffix: Checking for suffix after "@"
(32) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(32) suffix: No such realm "NULL"
(32) [suffix] = noop
(32) ntdomain: Checking for prefix before "\"
(32) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(32) ntdomain: No such realm "NULL"
(32) [ntdomain] = noop
(32) eap: Peer sent EAP Response (code 2) ID 6 length 6
(32) eap: Continuing tunnel setup
(32) [eap] = ok
(32) } # authorize = ok
(32) Found Auth-Type = eap
(32) # Executing group from file /etc/raddb/sites-enabled/default
(32) authenticate {
(32) eap: Expiring EAP session with state 0x2222bfcc2624a606
(32) eap: Finished EAP session with state 0x2222bfcc2624a606
(32) eap: Previous EAP request found for state 0x2222bfcc2624a606, released
from the list
(32) eap: Peer sent packet with method EAP PEAP (25)
(32) eap: Calling submodule eap_peap to process data
(32) eap_peap: Continuing EAP-TLS
(32) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(32) eap_peap: [eaptls verify] = success
(32) eap_peap: [eaptls process] = success
(32) eap_peap: Session established. Decoding tunneled attributes
(32) eap_peap: PEAP state TUNNEL ESTABLISHED
(32) eap: Sending EAP Request (code 1) ID 7 length 40
(32) eap: EAP session adding &reply:State = 0x2222bfcc2725a606
(32) [eap] = handled
(32) } # authenticate = handled
(32) Using Post-Auth-Type Challenge
(32) # Executing group from file /etc/raddb/sites-enabled/default
(32) Challenge { ... } # empty sub-section is ignored
(32) Sent Access-Challenge Id 14 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(32) EAP-Message =
0x010700281900170303001d1feeee9e22725fa54fe4e60beebfa029a12274227e8b2438d10345a5a5
(32) Message-Authenticator = 0x00000000000000000000000000000000
(32) State = 0x2222bfcc2725a60628942d36d3525ed7
(32) Finished request
Waking up in 4.8 seconds.
(33) Received Access-Request Id 15 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 208
(33) User-Name = "oreshkin"
(33) NAS-IP-Address = 192.168.14.241
(33) NAS-Port = 0
(33) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(33) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(33) Framed-MTU = 1400
(33) NAS-Port-Type = Wireless-802.11
(33) Connect-Info = "CONNECT 0Mbps 802.11"
(33) EAP-Message =
0x0207002c190017030300210000000000000001c43c8f6fdd9427eb6a99a7d0a165800d6370295331a09e3fbc
(33) State = 0x2222bfcc2725a60628942d36d3525ed7
(33) Message-Authenticator = 0x1d17d29c090616db20f12d470ecee14b
(33) session-state: No cached attributes
(33) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(33) authorize {
(33) policy filter_username {
(33) if (&User-Name) {
(33) if (&User-Name) -> TRUE
(33) if (&User-Name) {
(33) if (&User-Name =~ / /) {
(33) if (&User-Name =~ / /) -> FALSE
(33) if (&User-Name =~ /@[^@]*@/ ) {
(33) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(33) if (&User-Name =~ /\.\./ ) {
(33) if (&User-Name =~ /\.\./ ) -> FALSE
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(33) if (&User-Name =~ /\.$/) {
(33) if (&User-Name =~ /\.$/) -> FALSE
(33) if (&User-Name =~ /(a)\./) {
(33) if (&User-Name =~ /(a)\./) -> FALSE
(33) } # if (&User-Name) = notfound
(33) } # policy filter_username = notfound
(33) [preprocess] = ok
(33) [chap] = noop
(33) [mschap] = noop
(33) suffix: Checking for suffix after "@"
(33) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(33) suffix: No such realm "NULL"
(33) [suffix] = noop
(33) ntdomain: Checking for prefix before "\"
(33) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(33) ntdomain: No such realm "NULL"
(33) [ntdomain] = noop
(33) eap: Peer sent EAP Response (code 2) ID 7 length 44
(33) eap: Continuing tunnel setup
(33) [eap] = ok
(33) } # authorize = ok
(33) Found Auth-Type = eap
(33) # Executing group from file /etc/raddb/sites-enabled/default
(33) authenticate {
(33) eap: Expiring EAP session with state 0x2222bfcc2725a606
(33) eap: Finished EAP session with state 0x2222bfcc2725a606
(33) eap: Previous EAP request found for state 0x2222bfcc2725a606, released
from the list
(33) eap: Peer sent packet with method EAP PEAP (25)
(33) eap: Calling submodule eap_peap to process data
(33) eap_peap: Continuing EAP-TLS
(33) eap_peap: [eaptls verify] = ok
(33) eap_peap: Done initial handshake
(33) eap_peap: [eaptls process] = ok
(33) eap_peap: Session established. Decoding tunneled attributes
(33) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(33) eap_peap: Identity - oreshkin
(33) eap_peap: Got inner identity 'oreshkin'
(33) eap_peap: Setting default EAP type for tunneled EAP session
(33) eap_peap: Got tunneled request
(33) eap_peap: EAP-Message = 0x0207000d016f726573686b696e
(33) eap_peap: Setting User-Name to oreshkin
(33) eap_peap: Sending tunneled request to inner-tunnel
(33) eap_peap: EAP-Message = 0x0207000d016f726573686b696e
(33) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(33) eap_peap: User-Name = "oreshkin"
(33) eap_peap: NAS-IP-Address = 192.168.14.241
(33) eap_peap: NAS-Port = 0
(33) eap_peap: Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(33) eap_peap: Calling-Station-Id = "30-E3-7A-D5-61-F0"
(33) eap_peap: Framed-MTU = 1400
(33) eap_peap: NAS-Port-Type = Wireless-802.11
(33) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11"
(33) eap_peap: Event-Timestamp = "Jun 1 2020 14:11:07 MSK"
(33) Virtual server inner-tunnel received request
(33) EAP-Message = 0x0207000d016f726573686b696e
(33) FreeRADIUS-Proxied-To = 127.0.0.1
(33) User-Name = "oreshkin"
(33) NAS-IP-Address = 192.168.14.241
(33) NAS-Port = 0
(33) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(33) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(33) Framed-MTU = 1400
(33) NAS-Port-Type = Wireless-802.11
(33) Connect-Info = "CONNECT 0Mbps 802.11"
(33) Event-Timestamp = "Jun 1 2020 14:11:07 MSK"
(33) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(33) server inner-tunnel {
(33) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(33) authorize {
(33) policy filter_username {
(33) if (&User-Name) {
(33) if (&User-Name) -> TRUE
(33) if (&User-Name) {
(33) if (&User-Name =~ / /) {
(33) if (&User-Name =~ / /) -> FALSE
(33) if (&User-Name =~ /@[^@]*@/ ) {
(33) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(33) if (&User-Name =~ /\.\./ ) {
(33) if (&User-Name =~ /\.\./ ) -> FALSE
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(33) if (&User-Name =~ /\.$/) {
(33) if (&User-Name =~ /\.$/) -> FALSE
(33) if (&User-Name =~ /(a)\./) {
(33) if (&User-Name =~ /(a)\./) -> FALSE
(33) } # if (&User-Name) = notfound
(33) } # policy filter_username = notfound
(33) [chap] = noop
(33) [mschap] = noop
(33) ntdomain: Checking for prefix before "\"
(33) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(33) ntdomain: No such realm "NULL"
(33) [ntdomain] = noop
(33) update control {
(33) &Proxy-To-Realm := LOCAL
(33) } # update control = noop
(33) eap: Peer sent EAP Response (code 2) ID 7 length 13
(33) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(33) [eap] = ok
(33) } # authorize = ok
(33) Found Auth-Type = eap
(33) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(33) authenticate {
(33) eap: Peer sent packet with method EAP Identity (1)
(33) eap: Calling submodule eap_mschapv2 to process data
(33) eap_mschapv2: Issuing Challenge
(33) eap: Sending EAP Request (code 1) ID 8 length 43
(33) eap: EAP session adding &reply:State = 0x1dd632c31dde288d
(33) [eap] = handled
(33) } # authenticate = handled
(33) } # server inner-tunnel
(33) Virtual server sending reply
(33) EAP-Message =
0x0108002b1a0108002610f22807a784c8ac25b4e82eb44c9eb3566672656572
332e302e3133
(33) Message-Authenticator = 0x00000000000000000000000000000000
(33) State = 0x1dd632c31dde288df7cfa5a922a8b8be
(33) eap_peap: Got tunneled reply code 11
(33) eap_peap: EAP-Message =
0x0108002b1a0108002610f22807a784c8ac25b4e82eb44c9eb356667265657261646975732d332e302e3133
(33) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(33) eap_peap: State = 0x1dd632c31dde288df7cfa5a922a8b8be
(33) eap_peap: Got tunneled reply RADIUS code 11
(33) eap_peap: EAP-Message =
0x0108002b1a0108002610f22807a784c8ac25b4e82eb44c9eb356667265657261646975732d332e302e3133
(33) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(33) eap_peap: State = 0x1dd632c31dde288df7cfa5a922a8b8be
(33) eap_peap: Got tunneled Access-Challenge
(33) eap: Sending EAP Request (code 1) ID 8 length 74
(33) eap: EAP session adding &reply:State = 0x2222bfcc242aa606
(33) [eap] = handled
(33) } # authenticate = handled
(33) Using Post-Auth-Type Challenge
(33) # Executing group from file /etc/raddb/sites-enabled/default
(33) Challenge { ... } # empty sub-section is ignored
(33) Sent Access-Challenge Id 15 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(33) EAP-Message =
0x0108004a1900170303003f1feeee9e22725fa63f6dd2b2bc40fd535f0bd42e921aa6fd435dca53973ed33bedaf1cae5cad77d02d7d7ecedc5d194cc08380f9e4aba56fed70ec9e057a66
(33) Message-Authenticator = 0x00000000000000000000000000000000
(33) State = 0x2222bfcc242aa60628942d36d3525ed7
(33) Finished request
Waking up in 4.8 seconds.
(34) Received Access-Request Id 16 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 262
(34) User-Name = "oreshkin"
(34) NAS-IP-Address = 192.168.14.241
(34) NAS-Port = 0
(34) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(34) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(34) Framed-MTU = 1400
(34) NAS-Port-Type = Wireless-802.11
(34) Connect-Info = "CONNECT 0Mbps 802.11"
(34) EAP-Message =
0x02080062190017030300570000000000000002b1ca594d92465090474574968130029f19a0
05d703bc9c9809769f140e03f21c415269bc636a285507d431f357dce8a215e689e72cd5357a9289d97662c5261f77ff60aed4b95de307f84bf3a5b82f
(34) State = 0x2222bfcc242aa60628942d36d3525ed7
(34) Message-Authenticator = 0xd9b738c8478c4b6c5149525e35e7d34c
(34) session-state: No cached attributes
(34) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(34) authorize {
(34) policy filter_username {
(34) if (&User-Name) {
(34) if (&User-Name) -> TRUE
(34) if (&User-Name) {
(34) if (&User-Name =~ / /) {
(34) if (&User-Name =~ / /) -> FALSE
(34) if (&User-Name =~ /@[^@]*@/ ) {
(34) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(34) if (&User-Name =~ /\.\./ ) {
(34) if (&User-Name =~ /\.\./ ) -> FALSE
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(34) if (&User-Name =~ /\.$/) {
(34) if (&User-Name =~ /\.$/) -> FALSE
(34) if (&User-Name =~ /(a)\./) {
(34) if (&User-Name =~ /(a)\./) -> FALSE
(34) } # if (&User-Name) = notfound
(34) } # policy filter_username = notfound
(34) [preprocess] = ok
(34) [chap] = noop
(34) [mschap] = noop
(34) suffix: Checking for suffix after "@"
(34) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(34) suffix: No such realm "NULL"
(34) [suffix] = noop
(34) ntdomain: Checking for prefix before "\"
(34) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(34) ntdomain: No such realm "NULL"
(34) [ntdomain] = noop
(34) eap: Peer sent EAP Response (code 2) ID 8 length 98
(34) eap: Continuing tunnel setup
(34) [eap] = ok
(34) } # authorize = ok
(34) Found Auth-Type = eap
(34) # Executing group from file /etc/raddb/sites-enabled/default
(34) authenticate {
(34) eap: Expiring EAP session with state 0x1dd632c31dde288d
(34) eap: Finished EAP session with state 0x2222bfcc242aa606
(34) eap: Previous EAP request found for state 0x2222bfcc242aa606, released
from the list
(34) eap: Peer sent packet with method EAP PEAP (25)
(34) eap: Calling submodule eap_peap to process data
(34) eap_peap: Continuing EAP-TLS
(34) eap_peap: [eaptls verify] = ok
(34) eap_peap: Done initial handshake
(34) eap_peap: [eaptls process] = ok
(34) eap_peap: Session established. Decoding tunneled attributes
(34) eap_peap: PEAP state phase2
(34) eap_peap: EAP method MSCHAPv2 (26)
(34) eap_peap: Got tunneled request
(34) eap_peap: EAP-Message =
0x020800431a0208003e314a1eef1aefdbd4954a91ec2d440941c30000000000000000b897a0241bf2a36e9f466fde3363685b3e998796f98ef75e006f726573686b696e
(34) eap_peap: Setting User-Name to oreshkin
(34) eap_peap: Sending tunneled request to inner-tunnel
(34) eap_peap: EAP-Message =
0x020800431a0208003e314a1eef1aefdbd4954a91ec2d440941c30000000000000000b897a0241bf2a36e9f466fde3363685b3e998796f98ef75e006f726573686b696e
(34) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(34) eap_peap: User-Name = "oreshkin"
(34) eap_peap: State = 0x1dd632c31dde288df7cfa5a922a8b8be
(34) eap_peap: NAS-IP-Address = 192.168.14.241
(34) eap_peap: NAS-Port = 0
(34) eap_peap: Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(34) eap_peap: Calling-Station-Id = "30-E3-7A-D5-61-F0"
(34) eap_peap: Framed-MTU = 1400
(34) eap_peap: NAS-Port-Type = Wireless-802.11
(34) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11"
(34) eap_peap: Event-Timestamp = "Jun 1 2020 14:11:07 MSK"
(34) Virtual server inner-tunnel received request
(34) EAP-Message =
0x020800431a0208003e314a1eef1aefdbd4954a91ec2d440941c30000000000000000b897a0241bf2a36e9f466fde3363685b3e998796f98ef75e006f726573686b696e
(34) FreeRADIUS-Proxied-To = 127.0.0.1
(34) User-Name = "oreshkin"
(34) State = 0x1dd632c31dde288df7cfa5a922a8b8be
(34) NAS-IP-Address = 192.168.14.241
(34) NAS-Port = 0
(34) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(34) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(34) Framed-MTU = 1400
(34) NAS-Port-Type = Wireless-802.11
(34) Connect-Info = "CONNECT 0Mbps 802.11"
(34) Event-Timestamp = "Jun 1 2020 14:11:07 MSK"
(34) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(34) server inner-tunnel {
(34) session-state: No cached attributes
(34) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(34) authorize {
(34) policy filter_username {
(34) if (&User-Name) {
(34) if (&User-Name) -> TRUE
(34) if (&User-Name) {
(34) if (&User-Name =~ / /) {
(34) if (&User-Name =~ / /) -> FALSE
(34) if (&User-Name =~ /@[^@]*@/ ) {
(34) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(34) if (&User-Name =~ /\.\./ ) {
(34) if (&User-Name =~ /\.\./ ) -> FALSE
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(34) if (&User-Name =~ /\.$/) {
(34) if (&User-Name =~ /\.$/) -> FALSE
(34) if (&User-Name =~ /(a)\./) {
(34) if (&User-Name =~ /(a)\./) -> FALSE
(34) } # if (&User-Name) = notfound
(34) } # policy filter_username = notfound
(34) [chap] = noop
(34) [mschap] = noop
(34) ntdomain: Checking for prefix before "\"
(34) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(34) ntdomain: No such realm "NULL"
(34) [ntdomain] = noop
(34) update control {
(34) &Proxy-To-Realm := LOCAL
(34) } # update control = noop
(34) eap: Peer sent EAP Response (code 2) ID 8 length 67
(34) eap: No EAP Start, assuming it's an on-going EAP conversation
(34) [eap] = updated
(34) files: users: Matched entry oreshkin at line 728
(34) [files] = ok
(34) [expiration] = noop
(34) [logintime] = noop
(34) pap: WARNING: Auth-Type already set. Not setting to PAP
(34) [pap] = noop
(34) } # authorize = updated
(34) Found Auth-Type = eap
(34) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(34) authenticate {
(34) eap: Expiring EAP session with state 0x1dd632c31dde288d
(34) eap: Finished EAP session with state 0x1dd632c31dde288d
(34) eap: Previous EAP request found for state 0x1dd632c31dde288d, released
from the list
(34) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(34) eap: Calling submodule eap_mschapv2 to process data
(34) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(34) eap_mschapv2: authenticate {
(34) mschap: Found Cleartext-Password, hashing to create NT-Password
(34) mschap: Found Cleartext-Password, hashing to create LM-Password
(34) mschap: Creating challenge hash with username: oreshkin
(34) mschap: Client is using MS-CHAPv2
(34) mschap: Adding MS-CHAPv2 MPPE keys
(34) [mschap] = ok
(34) } # authenticate = ok
(34) MSCHAP Success
(34) eap: Sending EAP Request (code 1) ID 9 length 51
(34) eap: EAP session adding &reply:State = 0x1dd632c31cdf288d
(34) [eap] = handled
(34) } # authenticate = handled
(34) } # server inner-tunnel
(34) Virtual server sending reply
(34) EAP-Message =
0x010900331a0308002e533d30324346323542454231343833353235394443363237323645464245363432323632363538384244
(34) Message-Authenticator = 0x00000000000000000000000000000000
(34) State = 0x1dd632c31cdf288df7cfa5a922a8b8be
(34) eap_peap: Got tunneled reply code 11
(34) eap_peap: EAP-Message =
0x010900331a0308002e533d30324346323542454231343833353235394443363237323645464245363432323632363538384244
(34) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(34) eap_peap: State = 0x1dd632c31cdf288df7cfa5a922a8b8be
(34) eap_peap: Got tunneled reply RADIUS code 11
(34) eap_peap: EAP-Message =
0x010900331a0308002e533d30324346323542454231343833353235394443363237323645464245363432323632363538384244
(34) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(34) eap_peap: State = 0x1dd632c31cdf288df7cfa5a922a8b8be
(34) eap_peap: Got tunneled Access-Challenge
(34) eap: Sending EAP Request (code 1) ID 9 length 82
(34) eap: EAP session adding &reply:State = 0x2222bfcc252ba606
(34) [eap] = handled
(34) } # authenticate = handled
(34) Using Post-Auth-Type Challenge
(34) # Executing group from file /etc/raddb/sites-enabled/default
(34) Challenge { ... } # empty sub-section is ignored
(34) Sent Access-Challenge Id 16 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(34) EAP-Message =
0x01090052190017030300471feeee9e22725fa77d4a1988d4cffb328b87a72552c98ea6c33233bfd8b173580ac94dc3bd3b15708f84649e4230151e9ba7ae4d28a897165a23c186ec8169760eaa368f3dc609
(34) Message-Authenticator = 0x00000000000000000000000000000000
(34) State = 0x2222bfcc252ba60628942d36d3525ed7
(34) Finished request
Waking up in 4.8 seconds.
(35) Received Access-Request Id 17 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 201
(35) User-Name = "oreshkin"
(35) NAS-IP-Address = 192.168.14.241
(35) NAS-Port = 0
(35) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(35) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(35) Framed-MTU = 1400
(35) NAS-Port-Type = Wireless-802.11
(35) Connect-Info = "CONNECT 0Mbps 802.11"
(35) EAP-Message =
0x020900251900170303001a000000000000000308f965d693ae358a19765eea02daa8d034d7
(35) State = 0x2222bfcc252ba60628942d36d3525ed7
(35) Message-Authenticator = 0xe0581c5f414c920a96ec2b806d6a78b9
(35) session-state: No cached attributes
(35) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(35) authorize {
(35) policy filter_username {
(35) if (&User-Name) {
(35) if (&User-Name) -> TRUE
(35) if (&User-Name) {
(35) if (&User-Name =~ / /) {
(35) if (&User-Name =~ / /) -> FALSE
(35) if (&User-Name =~ /@[^@]*@/ ) {
(35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(35) if (&User-Name =~ /\.\./ ) {
(35) if (&User-Name =~ /\.\./ ) -> FALSE
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(35) if (&User-Name =~ /\.$/) {
(35) if (&User-Name =~ /\.$/) -> FALSE
(35) if (&User-Name =~ /(a)\./) {
(35) if (&User-Name =~ /(a)\./) -> FALSE
(35) } # if (&User-Name) = notfound
(35) } # policy filter_username = notfound
(35) [preprocess] = ok
(35) [chap] = noop
(35) [mschap] = noop
(35) suffix: Checking for suffix after "@"
(35) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(35) suffix: No such realm "NULL"
(35) [suffix] = noop
(35) ntdomain: Checking for prefix before "\"
(35) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(35) ntdomain: No such realm "NULL"
(35) [ntdomain] = noop
(35) eap: Peer sent EAP Response (code 2) ID 9 length 37
(35) eap: Continuing tunnel setup
(35) [eap] = ok
(35) } # authorize = ok
(35) Found Auth-Type = eap
(35) # Executing group from file /etc/raddb/sites-enabled/default
(35) authenticate {
(35) eap: Expiring EAP session with state 0x1dd632c31cdf288d
(35) eap: Finished EAP session with state 0x2222bfcc252ba606
(35) eap: Previous EAP request found for state 0x2222bfcc252ba606, released
from the list
(35) eap: Peer sent packet with method EAP PEAP (25)
(35) eap: Calling submodule eap_peap to process data
(35) eap_peap: Continuing EAP-TLS
(35) eap_peap: [eaptls verify] = ok
(35) eap_peap: Done initial handshake
(35) eap_peap: [eaptls process] = ok
(35) eap_peap: Session established. Decoding tunneled attributes
(35) eap_peap: PEAP state phase2
(35) eap_peap: EAP method MSCHAPv2 (26)
(35) eap_peap: Got tunneled request
(35) eap_peap: EAP-Message = 0x020900061a03
(35) eap_peap: Setting User-Name to oreshkin
(35) eap_peap: Sending tunneled request to inner-tunnel
(35) eap_peap: EAP-Message = 0x020900061a03
(35) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(35) eap_peap: User-Name = "oreshkin"
(35) eap_peap: State = 0x1dd632c31cdf288df7cfa5a922a8b8be
(35) eap_peap: NAS-IP-Address = 192.168.14.241
(35) eap_peap: NAS-Port = 0
(35) eap_peap: Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(35) eap_peap: Calling-Station-Id = "30-E3-7A-D5-61-F0"
(35) eap_peap: Framed-MTU = 1400
(35) eap_peap: NAS-Port-Type = Wireless-802.11
(35) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11"
(35) eap_peap: Event-Timestamp = "Jun 1 2020 14:11:07 MSK"
(35) Virtual server inner-tunnel received request
(35) EAP-Message = 0x020900061a03
(35) FreeRADIUS-Proxied-To = 127.0.0.1
(35) User-Name = "oreshkin"
(35) State = 0x1dd632c31cdf288df7cfa5a922a8b8be
(35) NAS-IP-Address = 192.168.14.241
(35) NAS-Port = 0
(35) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(35) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(35) Framed-MTU = 1400
(35) NAS-Port-Type = Wireless-802.11
(35) Connect-Info = "CONNECT 0Mbps 802.11"
(35) Event-Timestamp = "Jun 1 2020 14:11:07 MSK"
(35) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(35) server inner-tunnel {
(35) session-state: No cached attributes
(35) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(35) authorize {
(35) policy filter_username {
(35) if (&User-Name) {
(35) if (&User-Name) -> TRUE
(35) if (&User-Name) {
(35) if (&User-Name =~ / /) {
(35) if (&User-Name =~ / /) -> FALSE
(35) if (&User-Name =~ /@[^@]*@/ ) {
(35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(35) if (&User-Name =~ /\.\./ ) {
(35) if (&User-Name =~ /\.\./ ) -> FALSE
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(35) if (&User-Name =~ /\.$/) {
(35) if (&User-Name =~ /\.$/) -> FALSE
(35) if (&User-Name =~ /(a)\./) {
(35) if (&User-Name =~ /(a)\./) -> FALSE
(35) } # if (&User-Name) = notfound
(35) } # policy filter_username = notfound
(35) [chap] = noop
(35) [mschap] = noop
(35) ntdomain: Checking for prefix before "\"
(35) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(35) ntdomain: No such realm "NULL"
(35) [ntdomain] = noop
(35) update control {
(35) &Proxy-To-Realm := LOCAL
(35) } # update control = noop
(35) eap: Peer sent EAP Response (code 2) ID 9 length 6
(35) eap: No EAP Start, assuming it's an on-going EAP conversation
(35) [eap] = updated
(35) files: users: Matched entry oreshkin at line 728
(35) [files] = ok
(35) [expiration] = noop
(35) [logintime] = noop
(35) pap: WARNING: Auth-Type already set. Not setting to PAP
(35) [pap] = noop
(35) } # authorize = updated
(35) Found Auth-Type = eap
(35) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(35) authenticate {
(35) eap: Expiring EAP session with state 0x1dd632c31cdf288d
(35) eap: Finished EAP session with state 0x1dd632c31cdf288d
(35) eap: Previous EAP request found for state 0x1dd632c31cdf288d, released
from the list
(35) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(35) eap: Calling submodule eap_mschapv2 to process data
(35) eap: Sending EAP Success (code 3) ID 9 length 4
(35) eap: Freeing handler
(35) [eap] = ok
(35) } # authenticate = ok
(35) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(35) post-auth {
(35) if (0) {
(35) if (0) -> FALSE
(35) } # post-auth = noop
(35) Login OK: [oreshkin] (from client 3com9150 port 0 cli
30-E3-7A-D5-61-F0 via TLS tunnel)
(35) } # server inner-tunnel
(35) Virtual server sending reply
(35) MS-MPPE-Encryption-Policy = Encryption-Required
(35) MS-MPPE-Encryption-Types = 4
(35) MS-MPPE-Send-Key = 0x5da4080dbf52477047d2baf22acf65af
(35) MS-MPPE-Recv-Key = 0x1b90fde298c73fa9e0de2b19567540cd
(35) EAP-Message = 0x03090004
(35) Message-Authenticator = 0x00000000000000000000000000000000
(35) User-Name = "oreshkin"
(35) eap_peap: Got tunneled reply code 2
(35) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(35) eap_peap: MS-MPPE-Encryption-Types = 4
(35) eap_peap: MS-MPPE-Send-Key = 0x5da4080dbf52477047d2baf22acf65af
(35) eap_peap: MS-MPPE-Recv-Key = 0x1b90fde298c73fa9e0de2b19567540cd
(35) eap_peap: EAP-Message = 0x03090004
(35) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(35) eap_peap: User-Name = "oreshkin"
(35) eap_peap: Got tunneled reply RADIUS code 2
(35) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(35) eap_peap: MS-MPPE-Encryption-Types = 4
(35) eap_peap: MS-MPPE-Send-Key = 0x5da4080dbf52477047d2baf22acf65af
(35) eap_peap: MS-MPPE-Recv-Key = 0x1b90fde298c73fa9e0de2b19567540cd
(35) eap_peap: EAP-Message = 0x03090004
(35) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(35) eap_peap: User-Name = "oreshkin"
(35) eap_peap: Tunneled authentication was successful
(35) eap_peap: SUCCESS
(35) eap: Sending EAP Request (code 1) ID 10 length 46
(35) eap: EAP session adding &reply:State = 0x2222bfcc2a28a606
(35) [eap] = handled
(35) } # authenticate = handled
(35) Using Post-Auth-Type Challenge
(35) # Executing group from file /etc/raddb/sites-enabled/default
(35) Challenge { ... } # empty sub-section is ignored
(35) Sent Access-Challenge Id 17 from xx.xx.xx.xx:1812 to
192.168.14.241:3074 length 0
(35) EAP-Message =
0x010a002e190017030300231feeee9e22725fa86e26961d4d9425cb3d5690d742a77469436f5b5507676f8ac34619
(35) Message-Authenticator = 0x00000000000000000000000000000000
(35) State = 0x2222bfcc2a28a60628942d36d3525ed7
(35) Finished request
Waking up in 4.8 seconds.
(36) Received Access-Request Id 18 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 210
(36) User-Name = "oreshkin"
(36) NAS-IP-Address = 192.168.14.241
(36) NAS-Port = 0
(36) Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(36) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(36) Framed-MTU = 1400
(36) NAS-Port-Type = Wireless-802.11
(36) Connect-Info = "CONNECT 0Mbps 802.11"
(36) EAP-Message =
0x020a002e1900170303002300000000000000040814eaddad977aba9b9a202a970c8539f80a70f481e31acc4b18a6
(36) State = 0x2222bfcc2a28a60628942d36d3525ed7
(36) Message-Authenticator = 0x426d48103bec1433b0a2ded9016bc666
(36) session-state: No cached attributes
(36) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(36) authorize {
(36) policy filter_username {
(36) if (&User-Name) {
(36) if (&User-Name) -> TRUE
(36) if (&User-Name) {
(36) if (&User-Name =~ / /) {
(36) if (&User-Name =~ / /) -> FALSE
(36) if (&User-Name =~ /@[^@]*@/ ) {
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ ) {
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(36) if (&User-Name =~ /\.$/) {
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /(a)\./) {
(36) if (&User-Name =~ /(a)\./) -> FALSE
(36) } # if (&User-Name) = notfound
(36) } # policy filter_username = notfound
(36) [preprocess] = ok
(36) [chap] = noop
(36) [mschap] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(36) suffix: No such realm "NULL"
(36) [suffix] = noop
(36) ntdomain: Checking for prefix before "\"
(36) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(36) ntdomain: No such realm "NULL"
(36) [ntdomain] = noop
(36) eap: Peer sent EAP Response (code 2) ID 10 length 46
(36) eap: Continuing tunnel setup
(36) [eap] = ok
(36) } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/raddb/sites-enabled/default
(36) authenticate {
(36) eap: Expiring EAP session with state 0x2222bfcc2a28a606
(36) eap: Finished EAP session with state 0x2222bfcc2a28a606
(36) eap: Previous EAP request found for state 0x2222bfcc2a28a606, released
from the list
(36) eap: Peer sent packet with method EAP PEAP (25)
(36) eap: Calling submodule eap_peap to process data
(36) eap_peap: Continuing EAP-TLS
(36) eap_peap: [eaptls verify] = ok
(36) eap_peap: Done initial handshake
(36) eap_peap: [eaptls process] = ok
(36) eap_peap: Session established. Decoding tunneled attributes
(36) eap_peap: PEAP state send tlv success
(36) eap_peap: Received EAP-TLV response
(36) eap_peap: Success
(36) eap: Sending EAP Success (code 3) ID 10 length 4
(36) eap: Freeing handler
(36) [eap] = ok
(36) } # authenticate = ok
(36) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(36) post-auth {
(36) update {
(36) No attributes updated
(36) } # update = noop
(36) [exec] = noop
(36) policy remove_reply_message_if_eap {
(36) if (&reply:EAP-Message && &reply:Reply-Message) {
(36) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(36) else {
(36) [noop] = noop
(36) } # else = noop
(36) } # policy remove_reply_message_if_eap = noop
(36) } # post-auth = noop
(36) Login OK: [oreshkin] (from client 3com9150 port 0 cli
30-E3-7A-D5-61-F0)
(36) Sent Access-Accept Id 18 from xx.xx.xx.xx:1812 to 192.168.14.241:3074
length 0
(36) MS-MPPE-Recv-Key =
0x9dff8ef64bae409f37046dbfa31ac19b59eef04d273cf316c153c61440c1e5a0
(36) MS-MPPE-Send-Key =
0x1ba4f3026a65b2b07900c7c9864c64fbff479b43710b12a2045e764f16a80bc5
(36) EAP-Message = 0x030a0004
(36) Message-Authenticator = 0x00000000000000000000000000000000
(36) User-Name = "oreshkin"
(36) Finished request
Waking up in 4.8 seconds.
(27) Cleaning up request packet ID 9 with timestamp +21
(28) Cleaning up request packet ID 10 with timestamp +21
(29) Cleaning up request packet ID 11 with timestamp +21
(30) Cleaning up request packet ID 12 with timestamp +21
(31) Cleaning up request packet ID 13 with timestamp +21
(32) Cleaning up request packet ID 14 with timestamp +21
(33) Cleaning up request packet ID 15 with timestamp +21
(34) Cleaning up request packet ID 16 with timestamp +21
(35) Cleaning up request packet ID 17 with timestamp +21
(36) Cleaning up request packet ID 18 with timestamp +21
Ready to process requests
....
(56) Received Access-Request Id 78 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 186
(56) User-Name = "oreshkin"
(56) Framed-MTU = 1450
(56) EAP-Message = 0x0201000d016f726573686b696e
(56) Message-Authenticator = 0x7cbcab08900176179f29dcfba6367524
(56) NAS-IP-Address = 192.168.14.247
(56) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(56) NAS-Port = 16912385
(56) NAS-Port-Type = Wireless-802.11
(56) Service-Type = Framed-User
(56) Framed-Protocol = PPP
(56) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(56) Framed-IP-Address = 10.2.0.118
(56) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(56) authorize {
(56) policy filter_username {
(56) if (&User-Name) {
(56) if (&User-Name) -> TRUE
(56) if (&User-Name) {
(56) if (&User-Name =~ / /) {
(56) if (&User-Name =~ / /) -> FALSE
(56) if (&User-Name =~ /@[^@]*@/ ) {
(56) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(56) if (&User-Name =~ /\.\./ ) {
(56) if (&User-Name =~ /\.\./ ) -> FALSE
(56) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(56) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(56) if (&User-Name =~ /\.$/) {
(56) if (&User-Name =~ /\.$/) -> FALSE
(56) if (&User-Name =~ /(a)\./) {
(56) if (&User-Name =~ /(a)\./) -> FALSE
(56) } # if (&User-Name) = notfound
(56) } # policy filter_username = notfound
(56) [preprocess] = ok
(56) [chap] = noop
(56) [mschap] = noop
(56) suffix: Checking for suffix after "@"
(56) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(56) suffix: No such realm "NULL"
(56) [suffix] = noop
(56) ntdomain: Checking for prefix before "\"
(56) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(56) ntdomain: No such realm "NULL"
(56) [ntdomain] = noop
(56) eap: Peer sent EAP Response (code 2) ID 1 length 13
(56) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(56) [eap] = ok
(56) } # authorize = ok
(56) Found Auth-Type = eap
(56) # Executing group from file /etc/raddb/sites-enabled/default
(56) authenticate {
(56) eap: Peer sent packet with method EAP Identity (1)
(56) eap: Calling submodule eap_peap to process data
(56) eap_peap: Initiating new EAP-TLS session
(56) eap_peap: [eaptls start] = request
(56) eap: Sending EAP Request (code 1) ID 2 length 6
(56) eap: EAP session adding &reply:State = 0x3d1519743d1700a3
(56) [eap] = handled
(56) } # authenticate = handled
(56) Using Post-Auth-Type Challenge
(56) # Executing group from file /etc/raddb/sites-enabled/default
(56) Challenge { ... } # empty sub-section is ignored
(56) Sent Access-Challenge Id 78 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(56) EAP-Message = 0x010200061920
(56) Message-Authenticator = 0x00000000000000000000000000000000
(56) State = 0x3d1519743d1700a3e8b8cc523e8178d3
(56) Finished request
Waking up in 4.9 seconds.
(57) Received Access-Request Id 79 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 357
(57) User-Name = "oreshkin"
(57) Framed-MTU = 1450
(57) EAP-Message =
0x020200a619800000009c16030300970100009303035ed4e326024575b5f7657d7682eaede311614a375a55cd2f5f103f6234f22c1600002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(57) Message-Authenticator = 0x06f6d74039679bf38f0cd855bfd2e083
(57) NAS-IP-Address = 192.168.14.247
(57) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(57) NAS-Port = 16912385
(57) NAS-Port-Type = Wireless-802.11
(57) Service-Type = Framed-User
(57) Framed-Protocol = PPP
(57) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(57) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(57) Framed-IP-Address = 10.2.0.118
(57) State = 0x3d1519743d1700a3e8b8cc523e8178d3
(57) session-state: No cached attributes
(57) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(57) authorize {
(57) policy filter_username {
(57) if (&User-Name) {
(57) if (&User-Name) -> TRUE
(57) if (&User-Name) {
(57) if (&User-Name =~ / /) {
(57) if (&User-Name =~ / /) -> FALSE
(57) if (&User-Name =~ /@[^@]*@/ ) {
(57) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(57) if (&User-Name =~ /\.\./ ) {
(57) if (&User-Name =~ /\.\./ ) -> FALSE
(57) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(57) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(57) if (&User-Name =~ /\.$/) {
(57) if (&User-Name =~ /\.$/) -> FALSE
(57) if (&User-Name =~ /(a)\./) {
(57) if (&User-Name =~ /(a)\./) -> FALSE
(57) } # if (&User-Name) = notfound
(57) } # policy filter_username = notfound
(57) [preprocess] = ok
(57) [chap] = noop
(57) [mschap] = noop
(57) suffix: Checking for suffix after "@"
(57) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(57) suffix: No such realm "NULL"
(57) [suffix] = noop
(57) ntdomain: Checking for prefix before "\"
(57) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(57) ntdomain: No such realm "NULL"
(57) [ntdomain] = noop
(57) eap: Peer sent EAP Response (code 2) ID 2 length 166
(57) eap: Continuing tunnel setup
(57) [eap] = ok
(57) } # authorize = ok
(57) Found Auth-Type = eap
(57) # Executing group from file /etc/raddb/sites-enabled/default
(57) authenticate {
(57) eap: Expiring EAP session with state 0x3d1519743d1700a3
(57) eap: Finished EAP session with state 0x3d1519743d1700a3
(57) eap: Previous EAP request found for state 0x3d1519743d1700a3, released
from the list
(57) eap: Peer sent packet with method EAP PEAP (25)
(57) eap: Calling submodule eap_peap to process data
(57) eap_peap: Continuing EAP-TLS
(57) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(57) eap_peap: Got complete TLS record (156 bytes)
(57) eap_peap: [eaptls verify] = length included
(57) eap_peap: (other): before/accept initialization
(57) eap_peap: TLS_accept: before/accept initialization
(57) eap_peap: <<< recv TLS 1.2 [length 0097]
(57) eap_peap: TLS_accept: SSLv3 read client hello A
(57) eap_peap: >>> send TLS 1.2 [length 0039]
(57) eap_peap: TLS_accept: SSLv3 write server hello A
(57) eap_peap: >>> send TLS 1.2 [length 08d3]
(57) eap_peap: TLS_accept: SSLv3 write certificate A
(57) eap_peap: >>> send TLS 1.2 [length 014d]
(57) eap_peap: TLS_accept: SSLv3 write key exchange A
(57) eap_peap: >>> send TLS 1.2 [length 0004]
(57) eap_peap: TLS_accept: SSLv3 write server done A
(57) eap_peap: TLS_accept: SSLv3 flush data
(57) eap_peap: TLS_accept: SSLv3 read client certificate A
(57) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(57) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(57) eap_peap: In SSL Handshake Phase
(57) eap_peap: In SSL Accept mode
(57) eap_peap: [eaptls process] = handled
(57) eap: Sending EAP Request (code 1) ID 3 length 1004
(57) eap: EAP session adding &reply:State = 0x3d1519743c1600a3
(57) [eap] = handled
(57) } # authenticate = handled
(57) Using Post-Auth-Type Challenge
(57) # Executing group from file /etc/raddb/sites-enabled/default
(57) Challenge { ... } # empty sub-section is ignored
(57) Sent Access-Challenge Id 79 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(57) EAP-Message =
0x010303ec19c000000a7116030300390200003503035beaa86e445904d46f99b80f745ada22ce0d26c0dede6119489cfe4452d2b0a300c03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
(57) Message-Authenticator = 0x00000000000000000000000000000000
(57) State = 0x3d1519743c1600a3e8b8cc523e8178d3
(57) Finished request
Waking up in 4.9 seconds.
(58) Received Access-Request Id 80 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 197
(58) User-Name = "oreshkin"
(58) Framed-MTU = 1450
(58) EAP-Message = 0x020300061900
(58) Message-Authenticator = 0x6145821a369fb8f2866dc4715978b0b2
(58) NAS-IP-Address = 192.168.14.247
(58) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(58) NAS-Port = 16912385
(58) NAS-Port-Type = Wireless-802.11
(58) Service-Type = Framed-User
(58) Framed-Protocol = PPP
(58) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(58) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(58) Framed-IP-Address = 10.2.0.118
(58) State = 0x3d1519743c1600a3e8b8cc523e8178d3
(58) session-state: No cached attributes
(58) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(58) authorize {
(58) policy filter_username {
(58) if (&User-Name) {
(58) if (&User-Name) -> TRUE
(58) if (&User-Name) {
(58) if (&User-Name =~ / /) {
(58) if (&User-Name =~ / /) -> FALSE
(58) if (&User-Name =~ /@[^@]*@/ ) {
(58) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(58) if (&User-Name =~ /\.\./ ) {
(58) if (&User-Name =~ /\.\./ ) -> FALSE
(58) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(58) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(58) if (&User-Name =~ /\.$/) {
(58) if (&User-Name =~ /\.$/) -> FALSE
(58) if (&User-Name =~ /(a)\./) {
(58) if (&User-Name =~ /(a)\./) -> FALSE
(58) } # if (&User-Name) = notfound
(58) } # policy filter_username = notfound
(58) [preprocess] = ok
(58) [chap] = noop
(58) [mschap] = noop
(58) suffix: Checking for suffix after "@"
(58) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(58) suffix: No such realm "NULL"
(58) [suffix] = noop
(58) ntdomain: Checking for prefix before "\"
(58) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(58) ntdomain: No such realm "NULL"
(58) [ntdomain] = noop
(58) eap: Peer sent EAP Response (code 2) ID 3 length 6
(58) eap: Continuing tunnel setup
(58) [eap] = ok
(58) } # authorize = ok
(58) Found Auth-Type = eap
(58) # Executing group from file /etc/raddb/sites-enabled/default
(58) authenticate {
(58) eap: Expiring EAP session with state 0x3d1519743c1600a3
(58) eap: Finished EAP session with state 0x3d1519743c1600a3
(58) eap: Previous EAP request found for state 0x3d1519743c1600a3, released
from the list
(58) eap: Peer sent packet with method EAP PEAP (25)
(58) eap: Calling submodule eap_peap to process data
(58) eap_peap: Continuing EAP-TLS
(58) eap_peap: Peer ACKed our handshake fragment
(58) eap_peap: [eaptls verify] = request
(58) eap_peap: [eaptls process] = handled
(58) eap: Sending EAP Request (code 1) ID 4 length 1000
(58) eap: EAP session adding &reply:State = 0x3d1519743f1100a3
(58) [eap] = handled
(58) } # authenticate = handled
(58) Using Post-Auth-Type Challenge
(58) # Executing group from file /etc/raddb/sites-enabled/default
(58) Challenge { ... } # empty sub-section is ignored
(58) Sent Access-Challenge Id 80 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(58) EAP-Message =
0x010403e81940f380d8c5155b8eb1fb79d0094a95a1908aa3d079dcf2dab14e3c12a2ab5494
d1c2430b1e8c6de4b03899f1315c96304f66bb40bd632d817172ece81732a4256ffbf9df90317051de700004e8308204e4308203cca003020102020900d5c6e8bb4ac2077e300d06092a864886f70d01010b
(58) Message-Authenticator = 0x00000000000000000000000000000000
(58) State = 0x3d1519743f1100a3e8b8cc523e8178d3
(58) Finished request
Waking up in 4.9 seconds.
(59) Received Access-Request Id 81 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 197
(59) User-Name = "oreshkin"
(59) Framed-MTU = 1450
(59) EAP-Message = 0x020400061900
(59) Message-Authenticator = 0x2ce77fed67c4ae1581b0d25e1445d267
(59) NAS-IP-Address = 192.168.14.247
(59) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(59) NAS-Port = 16912385
(59) NAS-Port-Type = Wireless-802.11
(59) Service-Type = Framed-User
(59) Framed-Protocol = PPP
(59) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(59) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(59) Framed-IP-Address = 10.2.0.118
(59) State = 0x3d1519743f1100a3e8b8cc523e8178d3
(59) session-state: No cached attributes
(59) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(59) authorize {
(59) policy filter_username {
(59) if (&User-Name) {
(59) if (&User-Name) -> TRUE
(59) if (&User-Name) {
(59) if (&User-Name =~ / /) {
(59) if (&User-Name =~ / /) -> FALSE
(59) if (&User-Name =~ /@[^@]*@/ ) {
(59) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(59) if (&User-Name =~ /\.\./ ) {
(59) if (&User-Name =~ /\.\./ ) -> FALSE
(59) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(59) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(59) if (&User-Name =~ /\.$/) {
(59) if (&User-Name =~ /\.$/) -> FALSE
(59) if (&User-Name =~ /(a)\./) {
(59) if (&User-Name =~ /(a)\./) -> FALSE
(59) } # if (&User-Name) = notfound
(59) } # policy filter_username = notfound
(59) [preprocess] = ok
(59) [chap] = noop
(59) [mschap] = noop
(59) suffix: Checking for suffix after "@"
(59) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(59) suffix: No such realm "NULL"
(59) [suffix] = noop
(59) ntdomain: Checking for prefix before "\"
(59) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(59) ntdomain: No such realm "NULL"
(59) [ntdomain] = noop
(59) eap: Peer sent EAP Response (code 2) ID 4 length 6
(59) eap: Continuing tunnel setup
(59) [eap] = ok
(59) } # authorize = ok
(59) Found Auth-Type = eap
(59) # Executing group from file /etc/raddb/sites-enabled/default
(59) authenticate {
(59) eap: Expiring EAP session with state 0x3d1519743f1100a3
(59) eap: Finished EAP session with state 0x3d1519743f1100a3
(59) eap: Previous EAP request found for state 0x3d1519743f1100a3, released
from the list
(59) eap: Peer sent packet with method EAP PEAP (25)
(59) eap: Calling submodule eap_peap to process data
(59) eap_peap: Continuing EAP-TLS
(59) eap_peap: Peer ACKed our handshake fragment
(59) eap_peap: [eaptls verify] = request
(59) eap_peap: [eaptls process] = handled
(59) eap: Sending EAP Request (code 1) ID 5 length 691
(59) eap: EAP session adding &reply:State = 0x3d1519743e1000a3
(59) [eap] = handled
(59) } # authenticate = handled
(59) Using Post-Auth-Type Challenge
(59) # Executing group from file /etc/raddb/sites-enabled/default
(59) Challenge { ... } # empty sub-section is ignored
(59) Sent Access-Challenge Id 81 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(59) EAP-Message =
0x010502b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101007f15d37224ffa7b8db1d8ed23f49758db260c870aeedbcb0b706dfda4b208f
(59) Message-Authenticator = 0x00000000000000000000000000000000
(59) State = 0x3d1519743e1000a3e8b8cc523e8178d3
(59) Finished request
Waking up in 4.9 seconds.
(60) Received Access-Request Id 82 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 327
(60) User-Name = "oreshkin"
(60) Framed-MTU = 1450
(60) EAP-Message =
0x0205008819800000007e1603030046100000424104f08ac61e32eea24000efa0a488eda5adc7a1ea9bcf5a8b6230b50ae0a1280df31ed3140efaaf33b2839bf5d30ed4f38c9241b5e4e5aa178bdff8b6f55019213b1403030001011603030028000000000000000097acd41c9881c9945775f7d91abaac
(60) Message-Authenticator = 0x98d42f4e131a1c1bc42ef74aca121de5
(60) NAS-IP-Address = 192.168.14.247
(60) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(60) NAS-Port = 16912385
(60) NAS-Port-Type = Wireless-802.11
(60) Service-Type = Framed-User
(60) Framed-Protocol = PPP
(60) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(60) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(60) Framed-IP-Address = 10.2.0.118
(60) State = 0x3d1519743e1000a3e8b8cc523e8178d3
(60) session-state: No cached attributes
(60) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(60) authorize {
(60) policy filter_username {
(60) if (&User-Name) {
(60) if (&User-Name) -> TRUE
(60) if (&User-Name) {
(60) if (&User-Name =~ / /) {
(60) if (&User-Name =~ / /) -> FALSE
(60) if (&User-Name =~ /@[^@]*@/ ) {
(60) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(60) if (&User-Name =~ /\.\./ ) {
(60) if (&User-Name =~ /\.\./ ) -> FALSE
(60) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(60) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(60) if (&User-Name =~ /\.$/) {
(60) if (&User-Name =~ /\.$/) -> FALSE
(60) if (&User-Name =~ /(a)\./) {
(60) if (&User-Name =~ /(a)\./) -> FALSE
(60) } # if (&User-Name) = notfound
(60) } # policy filter_username = notfound
(60) [preprocess] = ok
(60) [chap] = noop
(60) [mschap] = noop
(60) suffix: Checking for suffix after "@"
(60) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(60) suffix: No such realm "NULL"
(60) [suffix] = noop
(60) ntdomain: Checking for prefix before "\"
(60) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(60) ntdomain: No such realm "NULL"
(60) [ntdomain] = noop
(60) eap: Peer sent EAP Response (code 2) ID 5 length 136
(60) eap: Continuing tunnel setup
(60) [eap] = ok
(60) } # authorize = ok(61) Framed-IP-Address = 10.2.0.118
(61) State = 0x3d151974391300a3e8b8cc523e8178d3
(61) session-state: No cached attributes
(61) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(61) authorize {
(61) policy filter_username {
(61) if (&User-Name) {
(61) if (&User-Name) -> TRUE
(61) if (&User-Name) {
(61) if (&User-Name =~ / /) {
(61) if (&User-Name =~ / /) -> FALSE
(61) if (&User-Name =~ /@[^@]*@/ ) {
(61) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(61) if (&User-Name =~ /\.\./ ) {
(61) if (&User-Name =~ /\.\./ ) -> FALSE
(61) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(61) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(61) if (&User-Name =~ /\.$/) {
(61) if (&User-Name =~ /\.$/) -> FALSE
(61) if (&User-Name =~ /(a)\./) {
(61) if (&User-Name =~ /(a)\./) -> FALSE
(61) } # if (&User-Name) = notfound
(61) } # policy filter_username = notfound
(61) [preprocess] = ok
(61) [chap] = noop
(61) [mschap] = noop
(61) suffix: Checking for suffix after "@"
(61) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(61) suffix: No such realm "NULL"
(61) [suffix] = noop
(61) ntdomain: Checking for prefix before "\"
(61) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(61) ntdomain: No such realm "NULL"
(61) [ntdomain] = noop
(61) eap: Peer sent EAP Response (code 2) ID 6 length 6
(61) eap: Continuing tunnel setup
(61) [eap] = ok
(61) } # authorize = ok
(60) Found Auth-Type = eap
(60) # Executing group from file /etc/raddb/sites-enabled/default
(60) authenticate {
(60) eap: Expiring EAP session with state 0x3d1519743e1000a3
(60) eap: Finished EAP session with state 0x3d1519743e1000a3
(60) eap: Previous EAP request found for state 0x3d1519743e1000a3, released
from the list
(60) eap: Peer sent packet with method EAP PEAP (25)
(60) eap: Calling submodule eap_peap to process data
(60) eap_peap: Continuing EAP-TLS
(60) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(60) eap_peap: Got complete TLS record (126 bytes)
(60) eap_peap: [eaptls verify] = length included
(60) eap_peap: <<< recv TLS 1.2 [length 0046]
(60) eap_peap: TLS_accept: SSLv3 read client key exchange A
(60) eap_peap: TLS_accept: SSLv3 read certificate verify A
(60) eap_peap: <<< recv TLS 1.2 [length 0001]
(60) eap_peap: <<< recv TLS 1.2 [length 0010]
(60) eap_peap: TLS_accept: SSLv3 read finished A
(60) eap_peap: >>> send TLS 1.2 [length 0001]
(60) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(60) eap_peap: >>> send TLS 1.2 [length 0010]
(60) eap_peap: TLS_accept: SSLv3 write finished A
(60) eap_peap: TLS_accept: SSLv3 flush data
(60) eap_peap: (other): SSL negotiation finished successfully
(60) eap_peap: SSL Connection Established
(60) eap_peap: [eaptls process] = handled
(60) eap: Sending EAP Request (code 1) ID 6 length 57
(60) eap: EAP session adding &reply:State = 0x3d151974391300a3
(60) [eap] = handled
(60) } # authenticate = handled
(60) Using Post-Auth-Type Challenge
(60) # Executing group from file /etc/raddb/sites-enabled/default
(60) Challenge { ... } # empty sub-section is ignored
(60) Sent Access-Challenge Id 82 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(60) EAP-Message =
0x0106003919001403030001011603030028997adf21b5a322da8b0b5a4e195459ed1f8b4525aa8656aa97533d11756d8b0d0f19c2ed93803940
(60) Message-Authenticator = 0x00000000000000000000000000000000
(60) State = 0x3d151974391300a3e8b8cc523e8178d3
(60) Finished request
Waking up in 4.9 seconds.
(61) Received Access-Request Id 83 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 197
(61) User-Name = "oreshkin"
(61) Framed-MTU = 1450
(61) EAP-Message = 0x020600061900
(61) Message-Authenticator = 0x612a19c5fed77f1693fcdbc3857b8f68
(61) NAS-IP-Address = 192.168.14.247
(61) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(61) NAS-Port = 16912385
(61) NAS-Port-Type = Wireless-802.11
(61) Service-Type = Framed-User
(61) Framed-Protocol = PPP
(61) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(61) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(61) Framed-IP-Address = 10.2.0.118
(61) State = 0x3d151974391300a3e8b8cc523e8178d3
(61) session-state: No cached attributes
(61) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(61) authorize {
(61) policy filter_username {
(61) if (&User-Name) {
(61) if (&User-Name) -> TRUE
(61) if (&User-Name) {
(61) if (&User-Name =~ / /) {
(61) if (&User-Name =~ / /) -> FALSE
(61) if (&User-Name =~ /@[^@]*@/ ) {
(61) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(61) if (&User-Name =~ /\.\./ ) {
(61) if (&User-Name =~ /\.\./ ) -> FALSE
(61) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(61) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(61) if (&User-Name =~ /\.$/) {
(61) if (&User-Name =~ /\.$/) -> FALSE
(61) if (&User-Name =~ /(a)\./) {
(61) if (&User-Name =~ /(a)\./) -> FALSE
(61) } # if (&User-Name) = notfound
(61) } # policy filter_username = notfound
(61) [preprocess] = ok
(61) [chap] = noop
(61) [mschap] = noop
(61) suffix: Checking for suffix after "@"
(61) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(61) suffix: No such realm "NULL"
(61) [suffix] = noop
(61) ntdomain: Checking for prefix before "\"
(61) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(61) ntdomain: No such realm "NULL"
(61) [ntdomain] = noop
(61) eap: Peer sent EAP Response (code 2) ID 6 length 6
(61) eap: Continuing tunnel setup
(61) [eap] = ok
(61) } # authorize = ok
(61) Found Auth-Type = eap
(61) # Executing group from file /etc/raddb/sites-enabled/default
(61) authenticate {
(61) eap: Expiring EAP session with state 0x3d151974391300a3
(61) eap: Finished EAP session with state 0x3d151974391300a3
(61) eap: Previous EAP request found for state 0x3d151974391300a3, released
from the list
(61) eap: Peer sent packet with method EAP PEAP (25)
(61) eap: Calling submodule eap_peap to process data
(61) eap_peap: Continuing EAP-TLS
(61) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(61) eap_peap: [eaptls verify] = success
(61) eap_peap: [eaptls process] = success
(61) eap_peap: Session established. Decoding tunneled attributes
(61) eap_peap: PEAP state TUNNEL ESTABLISHED
(61) eap: Sending EAP Request (code 1) ID 7 length 40
(61) eap: EAP session adding &reply:State = 0x3d151974381200a3
(61) [eap] = handled
(61) } # authenticate = handled
(61) Using Post-Auth-Type Challenge
(61) # Executing group from file /etc/raddb/sites-enabled/default
(61) Challenge { ... } # empty sub-section is ignored
(61) Sent Access-Challenge Id 83 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(61) EAP-Message =
0x010700281900170303001d997adf21b5a322dbf91229eb191f00a968b5fb9dc729dca9f16bd2443c
(61) Message-Authenticator = 0x00000000000000000000000000000000
(61) State = 0x3d151974381200a3e8b8cc523e8178d3
(61) Finished request
Waking up in 4.9 seconds.
(62) Received Access-Request Id 84 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 235
(62) User-Name = "oreshkin"
(62) Framed-MTU = 1450
(62) EAP-Message =
0x0207002c190017030300210000000000000001d8f82029d559c295475829493afb7b9212a45f69dd31bfa7c0
(62) Message-Authenticator = 0xe5a810e7709c0829d8273b774dec8860
(62) NAS-IP-Address = 192.168.14.247
(62) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(62) NAS-Port = 16912385
(62) NAS-Port-Type = Wi(62) Service-Type = Framed-User
(62) Framed-Protocol = PPP
(62) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(62) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(62) Framed-IP-Address = 10.2.0.118
(62) State = 0x3d151974381200a3e8b8cc523e8178d3
(62) session-state: No cached attributes
(62) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(62) authorize {
(62) policy filter_username {
(62) if (&User-Name) {
(62) if (&User-Name) -> TRUE
(62) if (&User-Name) {
(62) if (&User-Name =~ / /) {
(62) if (&User-Name =~ / /) -> FALSE
(62) if (&User-Name =~ /@[^@]*@/ ) {
(62) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(62) if (&User-Name =~ /\.\./ ) {
(62) if (&User-Name =~ /\.\./ ) -> FALSE
(62) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(62) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(62) if (&User-Name =~ /\.$/) {
(62) if (&User-Name =~ /\.$/) -> FALSE
(62) if (&User-Name =~ /(a)\./) {
(62) if (&User-Name =~ /(a)\./) -> FALSE
(62) } # if (&User-Name) = notfound
(62) } # policy filter_username = notfound
(62) [preprocess] = ok
(62) [chap] = noop
(62) [mschap] = noop
(62) suffix: Checking for suffix after "@"
(62) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(62) suffix: No such realm "NULL"
(62) [suffix] = noop
(62) ntdomain: Checking for prefix before "\"
(62) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(62) ntdomain: No such realm "NULL"
(62) [ntdomain] = noop
(62) eap: Peer sent EAP Response (code 2) ID 7 length 44
(62) eap: Continuing tunnel setup
(62) [eap] = ok
(62) } # authorize = ok
(62) Found Auth-Type = eap
(62) # Executing group from file /etc/raddb/sites-enabled/default
(62) authenticate {
(62) eap: Expiring EAP session with state 0x3d151974381200a3
(62) eap: Finished EAP session with state 0x3d151974381200a3
(62) eap: Previous EAP request found for state 0x3d151974381200a3, released
from the list
(62) eap: Peer sent packet with method EAP PEAP (25)
(62) eap: Calling submodule eap_peap to process data
(62) eap_peap: Continuing EAP-TLS
(62) eap_peap: [eaptls verify] = ok
(62) eap_peap: Done initial handshake
(62) eap_peap: [eaptls process] = ok
(62) eap_peap: Session established. Decoding tunneled attributes
(62) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(62) eap_peap: Identity - oreshkin
(62) eap_peap: Got inner identity 'oreshkin'
(62) eap_peap: Setting default EAP type for tunneled EAP session
(62) eap_peap: Got tunneled request
(62) eap_peap: EAP-Message = 0x0207000d016f726573686b696e
(62) eap_peap: Setting User-Name to oreshkin
(62) eap_peap: Sending tunneled request to inner-tunnel
(62) eap_peap: EAP-Message = 0x0207000d016f726573686b696e
(62) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(62) eap_peap: User-Name = "oreshkin"
(62) eap_peap: Framed-MTU = 1450
(62) eap_peap: NAS-IP-Address = 192.168.14.247
(62) eap_peap: NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(62) eap_peap: NAS-Port = 16912385
(62) eap_peap: NAS-Port-Type = Wireless-802.11
(62) eap_peap: Service-Type = Framed-User
(62) eap_peap: Framed-Protocol = PPP
(62) eap_peap: Calling-Station-Id = "30-E3-7A-D5-61-F0"
(62) eap_peap: Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(62) eap_peap: Framed-IP-Address = 10.2.0.118
....
(72) eap: Expiring EAP session with state 0x34bd73d634b56993
(72) eap: Finished EAP session with state 0x34bd73d634b56993
(72) eap: Previous EAP request found for state 0x34bd73d634b56993, released
from the list
(72) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(72) eap: Calling submodule eap_mschapv2 to process data
(72) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(72) eap_mschapv2: authenticate {
(72) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(72) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(72) mschap: Creating challenge hash with username: oreshkin
(72) mschap: Client is using MS-CHAPv2
(72) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
authentication
(72) mschap: ERROR: MS-CHAP2-Response is incorrect
(72) [mschap] = reject
(72) } # authenticate = reject
(72) eap: Sending EAP Failure (code 4) ID 8 length 4
(72) eap: Freeing handler
(72) [eap] = reject
(72) } # authenticate = reject
(72) Failed to authenticate the user
(72) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform
authentication): [ores
hkin] (from client 3com9552 port 16912385 cli 30-E3-7A-D5-61-F0 via TLS
tunnel)
(72) Using Post-Auth-Type Reject
(72) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(72) Post-Auth-Type REJECT {
(72) update outer.session-state {
(72) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: FAILED: No NT
/LM-Password. Cannot perform authentication'
(72) } # update outer.session-state = noop
(72) } # Post-Auth-Type REJECT = noop
(72) } # server inner-tunnel
(72) Virtual server sending reply
(72) Framed-Protocol = PPP
(72) Framed-Compression = Van-Jacobson-TCP-IP
(72) MS-CHAP-Error = "\010E=691 R=1 C=2aadf661100584402f8bb93462af5d53
V=3 M=Authentication failed"
(72) EAP-Message = 0x04080004
(72) Message-Authenticator = 0x00000000000000000000000000000000
(72) eap_peap: Got tunneled reply code 3
(72) eap_peap: Framed-Protocol = PPP
(72) eap_peap: Framed-Compression = Van-Jacobson-TCP-IP
(72) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=2aadf661100584402f8bb93462af5d53 V=3 M=Authentication failed"
(72) eap_peap: EAP-Message = 0x04080004
(72) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(72) eap_peap: Got tunneled reply RADIUS code 3
(72) eap_peap: Framed-Protocol = PPP
(72) eap_peap: Framed-Compression = Van-Jacobson-TCP-IP
(72) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=2aadf661100584402f8bb93462af5d53 V=3 M=Authentication failed"
(72) eap_peap: EAP-Message = 0x04080004
(72) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(72) eap_peap: Tunneled authentication was rejected
(72) eap_peap: FAILURE
(72) eap: Sending EAP Request (code 1) ID 9 length 46
(72) eap: EAP session adding &reply:State = 0xe46f1db3e366046e
(72) [eap] = handled
(72) } # authenticate = handled
(72) Using Post-Auth-Type Challenge
(72) # Executing group from file /etc/raddb/sites-enabled/default
(72) Challenge { ... } # empty sub-section is ignored
(72) session-state: Saving cached attributes
(72) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.
Cannot perform authentication"
(72) Sent Access-Challenge Id 94 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(72) EAP-Message =
0x0109002e190017030300232f1c04ca542acfe094941bb20f03a5498700ed1375fd28eec62833f28ad725fdd3f9f5
(72) Message-Authenticator = 0x00000000000000000000000000000000
(72) State = 0xe46f1db3e366046e2153a66971fb5083
(72) Finished request
(73) Received Access-Request Id 95 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 237
(73) User-Name = "oreshkin"
(73) Framed-MTU = 1450
(73) EAP-Message =
0x0209002e190017030300230000000000000003f7e3c43cc90506a28d17008623f68c26d168402c735168f2b37c1e
(73) Message-Authenticator = 0x8c9a4128ba7bd82bf5fc6ac461bd3560
(73) NAS-IP-Address = 192.168.14.247
(73) NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(73) NAS-Port = 16912385
(73) NAS-Port-Type = Wireless-802.11
(73) Service-Type = Framed-User
(73) Framed-Protocol = PPP
(73) Calling-Station-Id = "30-E3-7A-D5-61-F0"
(73) Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(73) Framed-IP-Address = 10.2.0.118
(73) State = 0xe46f1db3e366046e2153a66971fb5083
(73) Restoring &session-state
(73) &session-state:Module-Failure-Message := "mschap: FAILED: No
NT/LM-Password. Cannot perform authentication"
(73) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(73) authorize {
(73) policy filter_username {
(73) if (&User-Name) {
(73) if (&User-Name) -> TRUE
(73) if (&User-Name) {
(73) if (&User-Name =~ / /) {
(73) if (&User-Name =~ / /) -> FALSE
(73) if (&User-Name =~ /@[^@]*@/ ) {
(73) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(73) if (&User-Name =~ /\.\./ ) {
(73) if (&User-Name =~ /\.\./ ) -> FALSE
(73) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(73) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(73) if (&User-Name =~ /\.$/) {
(73) if (&User-Name =~ /\.$/) -> FALSE
(73) if (&User-Name =~ /(a)\./) {
(73) if (&User-Name =~ /(a)\./) -> FALSE
(73) } # if (&User-Name) = notfound
(73) } # policy filter_username = notfound
(73) [preprocess] = ok
(73) [chap] = noop
(73) [mschap] = noop
(73) suffix: Checking for suffix after "@"
(73) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(73) suffix: No such realm "NULL"
(73) [suffix] = noop
(73) ntdomain: Checking for prefix before "\"
(73) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(73) ntdomain: No such realm "NULL"
(73) [ntdomain] = noop
(73) eap: Peer sent EAP Response (code 2) ID 9 length 46
(73) eap: Continuing tunnel setup
(73) [eap] = ok
(73) } # authorize = ok
(73) Found Auth-Type = eap
(73) # Executing group from file /etc/raddb/sites-enabled/default
(73) authenticate {
(73) eap: Expiring EAP session with state 0xe46f1db3e366046e
(73) eap: Finished EAP session with state 0xe46f1db3e366046e
(73) eap: Previous EAP request found for state 0xe46f1db3e366046e, released
from the list
(73) eap: Peer sent packet with method EAP PEAP (25)
(73) eap: Calling submodule eap_peap to process data
(73) eap_peap: Continuing EAP-TLS
(73) eap_peap: [eaptls verify] = ok
(73) eap_peap: Done initial handshake
(73) eap_peap: [eaptls process] = ok
(73) eap_peap: Session established. Decoding tunneled attributes
(73) eap_peap: PEAP state send tlv failure
(73) eap_peap: Received EAP-TLV response
(73) eap_peap: ERROR: The users session was previously rejected:
returning reject (again.)
(73) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(73) eap_peap: to find out the reason why the user was rejected
(73) eap_peap: Look for "reject" or "fail". Those earlier messages will
tell you
(73) eap_peap: what went wrong, and how to fix the problem
(73) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(73) eap: Sending EAP Failure (code 4) ID 9 length 4
(73) eap: Failed in EAP select
(73) [eap] = invalid
(73) } # authenticate = invalid
(73) Failed to authenticate the user
(73) Login incorrect (eap_peap: The users session was previously rejected:
returning reject (again.)): [oreshkin] (from client 3com9552 port 16912385
cli 30-E3-7A-D5-61-F0)
(73) Using Post-Auth-Type Reject
(73) # Executing group from file /etc/raddb/sites-enabled/default
(73) Post-Auth-Type REJECT {
(73) attr_filter.access_reject: EXPAND %{User-Name}
(73) attr_filter.access_reject: --> oreshkin
(73) attr_filter.access_reject: Matched entry DEFAULT at line 11
(73) [attr_filter.access_reject] = updated
(73) [eap] = noop
(73) policy remove_reply_message_if_eap {
(73) if (&reply:EAP-Message && &reply:Reply-Message) {
(73) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(73) else {
(73) [noop] = noop
(73) } # else = noop
(73) } # policy remove_reply_message_if_eap = noop
(73) } # Post-Auth-Type REJECT = updated
(73) Delaying response for 1.000000 seconds
(61) Cleaning up request packet ID 83 with timestamp +239
(62) Cleaning up request packet ID 84 with timestamp +239
(63) Cleaning up request packet ID 85 with timestamp +239
(64) Cleaning up request packet ID 86 with timestamp +239
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
.....
2
3
Can't append attributes to the Access-Accept relayed from the proxy home-server to the clients
by Difan Zhao 02 Jun '20
by Difan Zhao 02 Jun '20
02 Jun '20
Hi Freeradius gurus,
I am setting up a freeradius (ver 3.0.16) server on a ubundu 18.04 box and I will use it to authenticate admin access to the networking devices for the mgmt purpose. It doesn't store user passwords locally. It will proxy the authentication requests to a Windows NPS (also running the radius service) that has access to the Windows AD for the user credentials. The idea is that, this freeradius server would append the VSAs for users upon successful authentication to give them the adequate access on the switches, routers, firewalls, ...etc
So I am able to proxy the authentication request to the NPS and I am getting Access-accept back. I am able to get the proper access to my firewall by sending the VSAs but only if I use local accounts. However, I just can't combine them together.
Here is my authorize file
dzhao Proxy-To-Realm := 'pason.com'
Fortinet-Group-Name := 'RW'
Here is my proxy.conf
home_server CorpIT_NPS {
type = auth
ipaddr = it-00-nps-pro2
port = 1812
secret = xxx
response_window = 60
zombie_period = 120
}
home_server_pool CorpIT_NPS_pool {
type = fail-over
home_server = CorpIT_NPS
}
realm pason.com {
auth_pool = CorpIT_NPS_pool
}
Here is my -X output. The NPS does MFA so the response is a little slow because I need to click on "approve" on the phone app. I don't see the Access-Accept packet to the client has the Fortinet VSA of "RW" included...
Ready to process requests
(0) Received Access-Request Id 42 from 172.16.0.99:1114 to 10.92.3.75:1812 length 104
(0) NAS-Identifier = "FGT60D4613054197"
(0) User-Name = "dzhao"
(0) User-Password = "Xxx"
(0) NAS-Port-Type = Virtual
(0) Acct-Session-Id = "6ddb75a0"
(0) Connect-Info = "admin-login"
(0) Fortinet-Vdom-Name = "root"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dzhao", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry dzhao at line 1
(0) [files] = ok
(0) sql: EXPAND %{User-Name}
(0) sql: --> dzhao
(0) sql: SQL-User-Name set to 'dzhao'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dzhao' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dzhao' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'dzhao' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'dzhao' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.1.44-MariaDB-0ubuntu0.18.04.1, protocol version 10
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = ok
(0) Starting proxy to home server 10.92.3.105 port 1812
(0) Proxying request to home server 10.92.3.105 port 1812 timeout 30.000000
(0) Sent Access-Request Id 10 from 0.0.0.0:53464 to 10.92.3.105:1812 length 138
(0) NAS-Identifier = "FGT60D4613054197"
(0) User-Name = "dzhao"
(0) User-Password = "Xxx"
(0) NAS-Port-Type = Virtual
(0) Acct-Session-Id = "6ddb75a0"
(0) Connect-Info = "admin-login"
(0) Fortinet-Vdom-Name = "root"
(0) Event-Timestamp = "Jun 1 2020 12:16:22 MDT"
(0) NAS-IP-Address = 172.16.0.99
(0) Message-Authenticator := 0x00
(0) Proxy-State = 0x3432
Waking up in 0.3 seconds.
(0) Expecting proxy response no later than 29.667310 seconds from now
Waking up in 29.6 seconds.
(0) Sending duplicate proxied request to home server 10.92.3.105 port 1812 - ID: 10
(0) Sent Access-Request Id 10 from 0.0.0.0:53464 to 10.92.3.105:1812 length 138
(0) NAS-Identifier = "FGT60D4613054197"
(0) User-Name = "dzhao"
(0) User-Password = "Xxx"
(0) NAS-Port-Type = Virtual
(0) Acct-Session-Id = "6ddb75a0"
(0) Connect-Info = "admin-login"
(0) Fortinet-Vdom-Name = "root"
(0) Event-Timestamp = "Jun 1 2020 12:16:22 MDT"
(0) NAS-IP-Address = 172.16.0.99
(0) Message-Authenticator := 0x00
(0) Proxy-State = 0x3432
Waking up in 25.0 seconds.
(0) Marking home server 10.92.3.105 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 10 from 10.92.3.105:1812 to 10.92.3.75:53464 length 82
(0) Proxy-State = 0x3432
(0) Framed-Protocol = PPP
(0) Service-Type = Framed-User
(0) Class = 0x94be085900000137000102000a5c03690000000031a22bda391cd93d01d635f7b722a976000000000000000d
(0) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> dzhao
(0) sql: SQL-User-Name set to 'dzhao'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dzhao', 'Xxx', 'Access-Accept', '2020-06-01 12:16:22')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dzhao', 'Xxx', 'Access-Accept', '2020-06-01 12:16:22')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.1.44-MariaDB-0ubuntu0.18.04.1, protocol version 10
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Login OK: [dzhao] (from client FGT60D4613054197 port 0)
(0) Sent Access-Accept Id 42 from 10.92.3.75:1812 to 172.16.0.99:1114 length 0
(0) Framed-Protocol = PPP
(0) Service-Type = Framed-User
(0) Class = 0x94be085900000137000102000a5c03690000000031a22bda391cd93d01d635f7b722a976000000000000000d
(0) Finished request
Waking up in 4.9 seconds.
(0) Waiting for more responses from the home server
Waking up in 0.3 seconds.
(0) Waiting for more responses from the home server
Waking up in 0.4 seconds.
(0) Waiting for more responses from the home server
Waking up in 0.7 seconds.
(0) Waiting for more responses from the home server
Waking up in 1.1 seconds.
(0) Waiting for more responses from the home server
Waking up in 1.6 seconds.
(0) Waiting for more responses from the home server
Waking up in 2.5 seconds.
(0) Waiting for more responses from the home server
Waking up in 3.7 seconds.
(0) Waiting for more responses from the home server
Waking up in 5.6 seconds.
(0) Waiting for more responses from the home server
Waking up in 8.5 seconds.
(0) Cleaning up request packet ID 42 with timestamp +7
Ready to process requests
I also tried to play with the ./mods-config/attr_filter/post-proxy file but it doesn't work for me either. Here is my post-proxy config
dzhao
Fortinet-Group-Name := 'RW'
Please help!
Thanks,
Difan
2
4
AFAIK, when I authenticate my users via ntlm_auth (samba AD bnind, etc...,
not the LDAP module, as suggested by the docu), account names in SAM are
used instead of UPN (please, correct me if I'm wrong)
Is it possible to use UPN instead?
What drawbacks can we have if we do this?
Thanks
2
4
Hi,
in eap.conf, it says:
# You can make PEAP require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
What does it mean in the control items for a request? On which file? Can someone please help?
Thanks a lot.
Jim
2
1
Hi,
I'm new to FreeRadius. I've built a test server with freeradius 3.0.13, mariadb 10.1.45, and daloradius 1.1-3 beta on CentOS 7.
We are just starting into radius authentication. We just want it for logging into routers and switches for administration work. What I need is to define multiple groups of devices - in huntgroups. And multiple groups of users. There may be a base group of users that should be allowed to any huntgroup. But mostly, one user group is to be specific to one hunt group.
I'm following the how-to for SQL-Huntgroups. https://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO
MariaDB [radius]> select * from radhuntgroup;
+----+-----------------+----------------------+--------------+
| id | groupname | nasipaddress | nasportid |
+----+----------------+-----------------------+--------------+
| 1 | group1 | 10.161.161.0/24 | 0 |
| 2 | group2 | 10.139.63.0/24 | 0 |
+----+---------------+------------------------+-------------+
MariaDB [radius]> select * from radusergroup;
+---------------+-----------------+-----------+
| username | groupname | priority |
+---------------+-----------------+-----------+
| paul | usergroup1 | 0 |
| ptr | usergroup2 | 0 |
+---------------+-----------------+-----------+
MariaDB [radius]> select * from radgroupcheck;
+----+--------------------------------------+-------------------+-----+-----------+
| id | groupname | attribute | op | value |
+----+--------------------------------------+-------------------+-----+-----------+
| 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject |
| 2 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject |
| 3 | usergroup1 | Huntgroup-Name | == | group1 |
| 4 | usergroup2 | Huntgroup-Name | == | group2 |
+----+--------------------------------------+-------------------+-----+-----------+
However, both users can connect to either huntgroup.
I must be missing something here. My impression is that this would be all that's needed. Maybe there is a configuration variable I missed?
I also tried the update request to allow users groups/profiles to access a different has but if I edit sites-enables/defaults, I get an error trying to start radius.
update request {
Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress=='%{NAS-IP-Address}'}"
# only allow usergroup1 to group1
if (SQL-Group == "usergroup1") {
if (Huntgroup-Name != "group1") {
reject
}
}
}
/etc/raddb/sites-enabled/default[307]: Entry is not in "attribute = value" format
That's simplified but pretty much straight out of the how-to.
I'm not stuck on the idea of daloradius or even SQL. But the user space will be managing, and they want a web admin. I could write my own simple one, as all we need to manage is users and huntgroups.
Any ideas here?
Thanks,
Paul.
Paul Root
Lead Operations Engineer - IT Managed Services
390 Commerce Dr
Woodbury, Mn 55125
651-312-5207 paul.root(a)centurylink.com
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
2
2