Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2021
- 53 participants
- 59 discussions
Hi FreeRADIUS!
I'm trying to use FreeRADIUS with MSCHAP through a DC server. However, I'm
getting an error like "winbind reply failed!"
I'm running on OpenBSD 6.9.
FreeRADIUS version:
# /usr/local/sbin/radiusd -v | head -1
radiusd: FreeRADIUS Version 3.0.21, for host x86_64-unknown-openbsd6.9,
built on Apr 20 2021 at 05:14:02
#
My configuration is like that;
=============
# cat /etc/samba/smb.conf
[global]
winbind use default domain = no
security = ads
netbios name = myhost
workgroup = MYWORKGROUP
realm = zz.example.com
password server = zz.example.com
==============
I joined the DC server successfully;
# net join -U myadmin
Using short domain name -- XX
Joined 'YY' to dns domain 'zz.example.com'
No DNS domain configured for myhost. Unable to perform DNS Update.
=============
I can make challange based authentication with wbinfo;
# wbinfo -a myuser%mypass
plaintext password authentication failed
Could not authenticate user myuser%mypass with plaintext password
challenge/response password authentication succeeded
#
===============
And also with ntlm_auth;
# ntlm_auth --request-nt-key --username myuser
Password: myuser
NT_STATUS_OK: The operation completed successfully. (0x0)
#
==================
I've created a user named "winbindd_priv" and added this user the
_freeradius group to access winbind privileged socket from FreeRADIUS
# cat /etc/group |grep winbind
winbindd_priv:*:1000:_freeradius
# ls -la /var/run/samba/winbindd*
-rw-r--r-- 1 root winbindd_priv 6 Jun 21 18:39
/var/run/samba/winbindd.pid
/var/run/samba/winbindd:
srwxrwxrwx 1 root winbindd_priv 0 Jun 21 18:38 pipe
#
===================
I couldn't see anything wrong there, I followed the official documentation
properly. I'm getting "winbind reply failed!" error anyway.
The full output from radiusd -X;
======================
(0) Received Access-Request Id 25 from 172.100.0.60:49947 to
172.16.0.100:1812 length 338
(0) User-Name = "mypc-pc\\Administrator"
(0) NAS-Port = 20497
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) Calling-Station-Id = "44a8-42f7-952d"
(0) NAS-Identifier = "S5735_K6_SW1"
(0) NAS-Port-Type = Ethernet
(0) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(0) EAP-Message =
0x02a3001c01626c6774656b2d70635c41646d696e6973747261746f72
(0) Message-Authenticator = 0x2da911933329aa455da04b910df9e08e
(0) Called-Station-Id = "44-67-47-26-F7-90"
(0) NAS-IP-Address = 172.100.0.60
(0) Framed-MTU = 1500
(0) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(0) Huawei-Startup-Stamp = 1589932873
(0) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(0) Huawei-Connect-ID = 45
(0) Huawei-Version = "Huawei S5735"
(0) Huawei-Product-ID = "S5735"
(0) Huawei-User-Mac = "\000\000\000\001"
(0) Huawei-Domain-Name = "default"
(0) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(0) authorize {
(0) update {
(0) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(0) EXPAND --username=%{User-Name}
(0) --> --username=mypc-pc\\Administrator
(0) EXPAND --calledStationID=%{Called-Station-Id}
(0) --> --calledStationID=44-67-47-26-F7-90
(0) EXPAND --callingStationID=%{Calling-Station-Id}
(0) --> --callingStationID=44a8-42f7-952d
(0) EXPAND --connectInfo=%{Connect-Info}
(0) --> --connectInfo=
(0) EXPAND --framedMTU=%{Framed-MTU}
(0) --> --framedMTU=1500
(0) EXPAND --framedProtocol=%{Framed-Protocol}
(0) --> --framedProtocol=PPP
(0) EXPAND --nasIdentifier=%{NAS-Identifier}
(0) --> --nasIdentifier=S5735_K6_SW1
(0) EXPAND --nasIPAddress=%{NAS-IP-Address}
(0) --> --nasIPAddress=172.100.0.60
(0) EXPAND --nasPort=%{NAS-Port}
(0) --> --nasPort=20497
(0) EXPAND --nasPortID=%{NAS-Port-Id}
(0) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(0) EXPAND --nasPortType=%{NAS-Port-Type}
(0) --> --nasPortType=Ethernet
(0) EXPAND --serviceType=%{Service-Type}
(0) --> --serviceType=Framed-User
(0) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(0) --> --tunnelMediumType=
(0) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(0) --> --tunnelPrivateGroupID=
(0) EXPAND --tunnelType=%{Tunnel-Type}
(0) --> --tunnelType=
(0) Program returned code (0) and output 'Reply-Message :=""'
(0) control::Reply-Message :=
(0) } # update = noop
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = noop
(0) } # policy filter_username = noop
(0) [preprocess] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 163 length 28
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 164 length 22
(0) eap: EAP session adding &reply:State = 0x06df9fcc067b9baa
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 25 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(0) EAP-Message = 0x01a400160410fb53358fd5f5bb176cb25434be27dc38
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x06df9fcc067b9baa43639075ca7d333a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 26 from 172.100.0.60:49947 to
172.16.0.100:1812 length 340
(1) User-Name = "mypc-pc\\Administrator"
(1) NAS-Port = 20497
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) Calling-Station-Id = "44a8-42f7-952d"
(1) NAS-Identifier = "S5735_K6_SW1"
(1) NAS-Port-Type = Ethernet
(1) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(1) State = 0x06df9fcc067b9baa43639075ca7d333a
(1) EAP-Message = 0x02a400060319
(1) Message-Authenticator = 0xf104c44a25c93bccb28f9f2e00f4333c
(1) Called-Station-Id = "44-67-47-26-F7-90"
(1) Login-IP-Host = 0.0.0.0
(1) NAS-IP-Address = 172.100.0.60
(1) Framed-MTU = 1500
(1) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(1) Huawei-Startup-Stamp = 1589932873
(1) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(1) Huawei-Connect-ID = 45
(1) Huawei-Version = "Huawei S5735"
(1) Huawei-Product-ID = "S5735"
(1) Huawei-User-Mac = "\000\000\000\001"
(1) Huawei-Domain-Name = "default"
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(1) authorize {
(1) update {
(1) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(1) EXPAND --username=%{User-Name}
(1) --> --username=mypc-pc\\Administrator
(1) EXPAND --calledStationID=%{Called-Station-Id}
(1) --> --calledStationID=44-67-47-26-F7-90
(1) EXPAND --callingStationID=%{Calling-Station-Id}
(1) --> --callingStationID=44a8-42f7-952d
(1) EXPAND --connectInfo=%{Connect-Info}
(1) --> --connectInfo=
(1) EXPAND --framedMTU=%{Framed-MTU}
(1) --> --framedMTU=1500
(1) EXPAND --framedProtocol=%{Framed-Protocol}
(1) --> --framedProtocol=PPP
(1) EXPAND --nasIdentifier=%{NAS-Identifier}
(1) --> --nasIdentifier=S5735_K6_SW1
(1) EXPAND --nasIPAddress=%{NAS-IP-Address}
(1) --> --nasIPAddress=172.100.0.60
(1) EXPAND --nasPort=%{NAS-Port}
(1) --> --nasPort=20497
(1) EXPAND --nasPortID=%{NAS-Port-Id}
(1) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(1) EXPAND --nasPortType=%{NAS-Port-Type}
(1) --> --nasPortType=Ethernet
(1) EXPAND --serviceType=%{Service-Type}
(1) --> --serviceType=Framed-User
(1) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(1) --> --tunnelMediumType=
(1) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(1) --> --tunnelPrivateGroupID=
(1) EXPAND --tunnelType=%{Tunnel-Type}
(1) --> --tunnelType=
(1) Program returned code (0) and output 'Reply-Message :=""'
(1) control::Reply-Message :=
(1) } # update = noop
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = noop
(1) } # policy filter_username = noop
(1) [preprocess] = ok
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 164 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x06df9fcc067b9baa
(1) eap: Finished EAP session with state 0x06df9fcc067b9baa
(1) eap: Previous EAP request found for state 0x06df9fcc067b9baa, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 165 length 6
(1) eap: EAP session adding &reply:State = 0x06df9fcc077a86aa
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 26 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(1) EAP-Message = 0x01a500061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x06df9fcc077a86aa43639075ca7d333a
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 27 from 172.100.0.60:49947 to
172.16.0.100:1812 length 447
(2) User-Name = "mypc-pc\\Administrator"
(2) NAS-Port = 20497
(2) Service-Type = Framed-User
(2) Framed-Protocol = PPP
(2) Calling-Station-Id = "44a8-42f7-952d"
(2) NAS-Identifier = "S5735_K6_SW1"
(2) NAS-Port-Type = Ethernet
(2) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(2) State = 0x06df9fcc077a86aa43639075ca7d333a
(2) EAP-Message =
0x02a5007119800000006716030100620100005e030160d0e32a6722bce31595a5e36c093697851bb230673e9d56c34961448f20d9c300001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
(2) Message-Authenticator = 0x8e36104449de451d2f46716428d8d1d0
(2) Called-Station-Id = "44-67-47-26-F7-90"
(2) Login-IP-Host = 0.0.0.0
(2) NAS-IP-Address = 172.100.0.60
(2) Framed-MTU = 1500
(2) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(2) Huawei-Startup-Stamp = 1589932873
(2) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(2) Huawei-Connect-ID = 45
(2) Huawei-Version = "Huawei S5735"
(2) Huawei-Product-ID = "S5735"
(2) Huawei-User-Mac = "\000\000\000\001"
(2) Huawei-Domain-Name = "default"
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(2) authorize {
(2) update {
(2) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(2) EXPAND --username=%{User-Name}
(2) --> --username=mypc-pc\\Administrator
(2) EXPAND --calledStationID=%{Called-Station-Id}
(2) --> --calledStationID=44-67-47-26-F7-90
(2) EXPAND --callingStationID=%{Calling-Station-Id}
(2) --> --callingStationID=44a8-42f7-952d
(2) EXPAND --connectInfo=%{Connect-Info}
(2) --> --connectInfo=
(2) EXPAND --framedMTU=%{Framed-MTU}
(2) --> --framedMTU=1500
(2) EXPAND --framedProtocol=%{Framed-Protocol}
(2) --> --framedProtocol=PPP
(2) EXPAND --nasIdentifier=%{NAS-Identifier}
(2) --> --nasIdentifier=S5735_K6_SW1
(2) EXPAND --nasIPAddress=%{NAS-IP-Address}
(2) --> --nasIPAddress=172.100.0.60
(2) EXPAND --nasPort=%{NAS-Port}
(2) --> --nasPort=20497
(2) EXPAND --nasPortID=%{NAS-Port-Id}
(2) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(2) EXPAND --nasPortType=%{NAS-Port-Type}
(2) --> --nasPortType=Ethernet
(2) EXPAND --serviceType=%{Service-Type}
(2) --> --serviceType=Framed-User
(2) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(2) --> --tunnelMediumType=
(2) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(2) --> --tunnelPrivateGroupID=
(2) EXPAND --tunnelType=%{Tunnel-Type}
(2) --> --tunnelType=
(2) Program returned code (0) and output 'Reply-Message :=""'
(2) control::Reply-Message :=
(2) } # update = noop
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = noop
(2) } # policy filter_username = noop
(2) [preprocess] = ok
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 165 length 113
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x06df9fcc077a86aa
(2) eap: Finished EAP session with state 0x06df9fcc077a86aa
(2) eap: Previous EAP request found for state 0x06df9fcc077a86aa, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 103 bytes
(2) eap_peap: Got complete TLS record (103 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before accept initialization
(2) eap_peap: <<< recv UNKNOWN TLS VERSION '0304' [length 0062]
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 0037], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 08e5], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2687 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 166 length 1004
(2) eap: EAP session adding &reply:State = 0x06df9fcc047986aa
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 27 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(2) EAP-Message =
0x01a603ec19c000000a7f16030100370200003303011069fa543cddfebbc2a59de247700b31bea216c1570e4080444f574e4752440000c01400000bff01000100000b0002010016030108e50b0008e10008de0003e8308203e4308202cca003020102020101300d06092a864886f70d01010b0500308196310b3009060355040613025452310e300c06035504080c05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e5061727461204e6574776f726b733120301e06092a864886f70d0109011611696e666f4070617274612e636f6d2e7472312d302b06035504030c245061727461204e6574776f726b7320436572746966696361746520417574686f72697479301e170d3230303333313131323930385a170d3330303332393131323930385a308182310b3009060355040613025452310e300c06035504080c05495a4d495231173015060355040a0c0e5061727461204e6574776f726b733128302606035504030c1f506172746120
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x06df9fcc047986aa43639075ca7d333a
(2) Finished request
Waking up in 4.7 seconds.
(3) Received Access-Request Id 28 from 172.100.0.60:49947 to
172.16.0.100:1812 length 340
(3) User-Name = "mypc-pc\\Administrator"
(3) NAS-Port = 20497
(3) Service-Type = Framed-User
(3) Framed-Protocol = PPP
(3) Calling-Station-Id = "44a8-42f7-952d"
(3) NAS-Identifier = "S5735_K6_SW1"
(3) NAS-Port-Type = Ethernet
(3) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(3) State = 0x06df9fcc047986aa43639075ca7d333a
(3) EAP-Message = 0x02a600061900
(3) Message-Authenticator = 0xcc4d6c36e5459879cc826325ec4d747a
(3) Called-Station-Id = "44-67-47-26-F7-90"
(3) Login-IP-Host = 0.0.0.0
(3) NAS-IP-Address = 172.100.0.60
(3) Framed-MTU = 1500
(3) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(3) Huawei-Startup-Stamp = 1589932873
(3) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(3) Huawei-Connect-ID = 45
(3) Huawei-Version = "Huawei S5735"
(3) Huawei-Product-ID = "S5735"
(3) Huawei-User-Mac = "\000\000\000\001"
(3) Huawei-Domain-Name = "default"
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(3) authorize {
(3) update {
(3) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(3) EXPAND --username=%{User-Name}
(3) --> --username=mypc-pc\\Administrator
(3) EXPAND --calledStationID=%{Called-Station-Id}
(3) --> --calledStationID=44-67-47-26-F7-90
(3) EXPAND --callingStationID=%{Calling-Station-Id}
(3) --> --callingStationID=44a8-42f7-952d
(3) EXPAND --connectInfo=%{Connect-Info}
(3) --> --connectInfo=
(3) EXPAND --framedMTU=%{Framed-MTU}
(3) --> --framedMTU=1500
(3) EXPAND --framedProtocol=%{Framed-Protocol}
(3) --> --framedProtocol=PPP
(3) EXPAND --nasIdentifier=%{NAS-Identifier}
(3) --> --nasIdentifier=S5735_K6_SW1
(3) EXPAND --nasIPAddress=%{NAS-IP-Address}
(3) --> --nasIPAddress=172.100.0.60
(3) EXPAND --nasPort=%{NAS-Port}
(3) --> --nasPort=20497
(3) EXPAND --nasPortID=%{NAS-Port-Id}
(3) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(3) EXPAND --nasPortType=%{NAS-Port-Type}
(3) --> --nasPortType=Ethernet
(3) EXPAND --serviceType=%{Service-Type}
(3) --> --serviceType=Framed-User
(3) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(3) --> --tunnelMediumType=
(3) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(3) --> --tunnelPrivateGroupID=
(3) EXPAND --tunnelType=%{Tunnel-Type}
(3) --> --tunnelType=
(3) Program returned code (0) and output 'Reply-Message :=""'
(3) control::Reply-Message :=
(3) } # update = noop
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = noop
(3) } # policy filter_username = noop
(3) [preprocess] = ok
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 166 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x06df9fcc047986aa
(3) eap: Finished EAP session with state 0x06df9fcc047986aa
(3) eap: Previous EAP request found for state 0x06df9fcc047986aa, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 167 length 1000
(3) eap: EAP session adding &reply:State = 0x06df9fcc057886aa
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 28 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(3) EAP-Message =
0x01a703e81940a73b4534fb54764797d56b51f469ff2e5a5feaf506057dbdfd6af543dfe986febe19c807b89244404cb9503c4a449efd5e8a9e68f31f0fa9b20107d112dde99fabadb55f609fefb8f0cfb09e1bb696330c0004f0308204ec308203d4a0030201020209008917e4729c9d3b3d300d06092a864886f70d01010b0500308196310b3009060355040613025452310e300c06035504080c05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e5061727461204e6574776f726b733120301e06092a864886f70d0109011611696e666f4070617274612e636f6d2e7472312d302b06035504030c245061727461204e6574776f726b7320436572746966696361746520417574686f72697479301e170d3230303333313131323930385a170d3330303332393131323930385a308196310b3009060355040613025452310e300c06035504080c05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e506172
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x06df9fcc057886aa43639075ca7d333a
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 29 from 172.100.0.60:49947 to
172.16.0.100:1812 length 340
(4) User-Name = "mypc-pc\\Administrator"
(4) NAS-Port = 20497
(4) Service-Type = Framed-User
(4) Framed-Protocol = PPP
(4) Calling-Station-Id = "44a8-42f7-952d"
(4) NAS-Identifier = "S5735_K6_SW1"
(4) NAS-Port-Type = Ethernet
(4) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(4) State = 0x06df9fcc057886aa43639075ca7d333a
(4) EAP-Message = 0x02a700061900
(4) Message-Authenticator = 0x345bff17c216eb76264d2dd1836dced4
(4) Called-Station-Id = "44-67-47-26-F7-90"
(4) Login-IP-Host = 0.0.0.0
(4) NAS-IP-Address = 172.100.0.60
(4) Framed-MTU = 1500
(4) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(4) Huawei-Startup-Stamp = 1589932873
(4) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(4) Huawei-Connect-ID = 45
(4) Huawei-Version = "Huawei S5735"
(4) Huawei-Product-ID = "S5735"
(4) Huawei-User-Mac = "\000\000\000\001"
(4) Huawei-Domain-Name = "default"
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(4) authorize {
(4) update {
(4) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(4) EXPAND --username=%{User-Name}
(4) --> --username=mypc-pc\\Administrator
(4) EXPAND --calledStationID=%{Called-Station-Id}
(4) --> --calledStationID=44-67-47-26-F7-90
(4) EXPAND --callingStationID=%{Calling-Station-Id}
(4) --> --callingStationID=44a8-42f7-952d
(4) EXPAND --connectInfo=%{Connect-Info}
(4) --> --connectInfo=
(4) EXPAND --framedMTU=%{Framed-MTU}
(4) --> --framedMTU=1500
(4) EXPAND --framedProtocol=%{Framed-Protocol}
(4) --> --framedProtocol=PPP
(4) EXPAND --nasIdentifier=%{NAS-Identifier}
(4) --> --nasIdentifier=S5735_K6_SW1
(4) EXPAND --nasIPAddress=%{NAS-IP-Address}
(4) --> --nasIPAddress=172.100.0.60
(4) EXPAND --nasPort=%{NAS-Port}
(4) --> --nasPort=20497
(4) EXPAND --nasPortID=%{NAS-Port-Id}
(4) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(4) EXPAND --nasPortType=%{NAS-Port-Type}
(4) --> --nasPortType=Ethernet
(4) EXPAND --serviceType=%{Service-Type}
(4) --> --serviceType=Framed-User
(4) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(4) --> --tunnelMediumType=
(4) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(4) --> --tunnelPrivateGroupID=
(4) EXPAND --tunnelType=%{Tunnel-Type}
(4) --> --tunnelType=
(4) Program returned code (0) and output 'Reply-Message :=""'
(4) control::Reply-Message :=
(4) } # update = noop
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = noop
(4) } # policy filter_username = noop
(4) [preprocess] = ok
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 167 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x06df9fcc057886aa
(4) eap: Finished EAP session with state 0x06df9fcc057886aa
(4) eap: Previous EAP request found for state 0x06df9fcc057886aa, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 168 length 705
(4) eap: EAP session adding &reply:State = 0x06df9fcc027786aa
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 29 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(4) EAP-Message =
0x01a802c11900e4729c9d3b3d300f0603551d130101ff040530030101ff30350603551d1f042e302c302aa028a0268624687474703a2f2f7777772e70617274612e636f6d2e74722f70617274615f63612e63726c300d06092a864886f70d01010b0500038201010002a7a685fd8c45441aa4e88edd20fe072c2d6dc2fdf1a70bdfbb4e4d6e447ef63fb83535d1eb1a9b7eb0d8fc177cbe833bcd8ca72116ebd550b12ab279f5298beb6a8f7e58f38e9943d51a2b9a415f0f7b6cb3e284f54c181f57eea3ec231ccea3f982602d46374234e262a8a570981656b6e991155da7983b5edddd89239eec5c82cbc176541e5e32f2e1fcf783f162fbd7de96dbaadafd0e8f56d5f72f4de5ac1254656c6ba349ed7ae5202dfd20b3dc5e576bbba43c2f10d1b66b764038601b2e23a27a7a3b4b13e4d58343df004dbd21908c71c0d563f18eec86d5a74bf7b192d4da4ffa036e754623748cdfe9ee000c02a3ee75574fa594e9055132d03e160301014b0c0001470300174104a0
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x06df9fcc027786aa43639075ca7d333a
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 30 from 172.100.0.60:49947 to
172.16.0.100:1812 length 478
(5) User-Name = "mypc-pc\\Administrator"
(5) NAS-Port = 20497
(5) Service-Type = Framed-User
(5) Framed-Protocol = PPP
(5) Calling-Station-Id = "44a8-42f7-952d"
(5) NAS-Identifier = "S5735_K6_SW1"
(5) NAS-Port-Type = Ethernet
(5) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(5) State = 0x06df9fcc027786aa43639075ca7d333a
(5) EAP-Message =
0x02a800901980000000861603010046100000424104c7b577ecf031abd558556c730dea6a62961ef24e63b87df106b9981a6899f04e68a480a2b306f8f199787ac538d19bc572f82e277133f9ebbdbd8b3b4d17866e14030100010116030100301e14570b074715b54215c474e30f4ab9f9bfadb1590f0331598daef254ac64514ddef71c035306cdc1fea1cbdd58dcce
(5) Message-Authenticator = 0x68db217c9425678c6ba8dba10a9679e9
(5) Called-Station-Id = "44-67-47-26-F7-90"
(5) Login-IP-Host = 0.0.0.0
(5) NAS-IP-Address = 172.100.0.60
(5) Framed-MTU = 1500
(5) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(5) Huawei-Startup-Stamp = 1589932873
(5) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(5) Huawei-Connect-ID = 45
(5) Huawei-Version = "Huawei S5735"
(5) Huawei-Product-ID = "S5735"
(5) Huawei-User-Mac = "\000\000\000\001"
(5) Huawei-Domain-Name = "default"
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(5) authorize {
(5) update {
(5) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(5) EXPAND --username=%{User-Name}
(5) --> --username=mypc-pc\\Administrator
(5) EXPAND --calledStationID=%{Called-Station-Id}
(5) --> --calledStationID=44-67-47-26-F7-90
(5) EXPAND --callingStationID=%{Calling-Station-Id}
(5) --> --callingStationID=44a8-42f7-952d
(5) EXPAND --connectInfo=%{Connect-Info}
(5) --> --connectInfo=
(5) EXPAND --framedMTU=%{Framed-MTU}
(5) --> --framedMTU=1500
(5) EXPAND --framedProtocol=%{Framed-Protocol}
(5) --> --framedProtocol=PPP
(5) EXPAND --nasIdentifier=%{NAS-Identifier}
(5) --> --nasIdentifier=S5735_K6_SW1
(5) EXPAND --nasIPAddress=%{NAS-IP-Address}
(5) --> --nasIPAddress=172.100.0.60
(5) EXPAND --nasPort=%{NAS-Port}
(5) --> --nasPort=20497
(5) EXPAND --nasPortID=%{NAS-Port-Id}
(5) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(5) EXPAND --nasPortType=%{NAS-Port-Type}
(5) --> --nasPortType=Ethernet
(5) EXPAND --serviceType=%{Service-Type}
(5) --> --serviceType=Framed-User
(5) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(5) --> --tunnelMediumType=
(5) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(5) --> --tunnelPrivateGroupID=
(5) EXPAND --tunnelType=%{Tunnel-Type}
(5) --> --tunnelType=
(5) Program returned code (0) and output 'Reply-Message :=""'
(5) control::Reply-Message :=
(5) } # update = noop
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = noop
(5) } # policy filter_username = noop
(5) [preprocess] = ok
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 168 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x06df9fcc027786aa
(5) eap: Finished EAP session with state 0x06df9fcc027786aa
(5) eap: Previous EAP request found for state 0x06df9fcc027786aa, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(5) eap_peap: Got complete TLS record (134 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(5) eap_peap: TLS-Session-Version = "TLS 1.0"
(5) eap_peap: TLS - got 59 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 169 length 65
(5) eap: EAP session adding &reply:State = 0x06df9fcc037686aa
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(5) TLS-Session-Version = "TLS 1.0"
(5) Sent Access-Challenge Id 30 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(5) EAP-Message =
0x01a90041190014030100010116030100302fe125fbf82aa49c3614c980adbe6cec3d9fcfee716e1ad42f33b3e8d99e997248e974d389d973a61f8d6f2facc5e492
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x06df9fcc037686aa43639075ca7d333a
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 31 from 172.100.0.60:49947 to
172.16.0.100:1812 length 340
(6) User-Name = "mypc-pc\\Administrator"
(6) NAS-Port = 20497
(6) Service-Type = Framed-User
(6) Framed-Protocol = PPP
(6) Calling-Station-Id = "44a8-42f7-952d"
(6) NAS-Identifier = "S5735_K6_SW1"
(6) NAS-Port-Type = Ethernet
(6) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(6) State = 0x06df9fcc037686aa43639075ca7d333a
(6) EAP-Message = 0x02a900061900
(6) Message-Authenticator = 0x6eae2e14353af6bdf3490d21f430dfbe
(6) Called-Station-Id = "44-67-47-26-F7-90"
(6) Login-IP-Host = 0.0.0.0
(6) NAS-IP-Address = 172.100.0.60
(6) Framed-MTU = 1500
(6) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(6) Huawei-Startup-Stamp = 1589932873
(6) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(6) Huawei-Connect-ID = 45
(6) Huawei-Version = "Huawei S5735"
(6) Huawei-Product-ID = "S5735"
(6) Huawei-User-Mac = "\000\000\000\001"
(6) Huawei-Domain-Name = "default"
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(6) &session-state:TLS-Session-Version = "TLS 1.0"
(6) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(6) authorize {
(6) update {
(6) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(6) EXPAND --username=%{User-Name}
(6) --> --username=mypc-pc\\Administrator
(6) EXPAND --calledStationID=%{Called-Station-Id}
(6) --> --calledStationID=44-67-47-26-F7-90
(6) EXPAND --callingStationID=%{Calling-Station-Id}
(6) --> --callingStationID=44a8-42f7-952d
(6) EXPAND --connectInfo=%{Connect-Info}
(6) --> --connectInfo=
(6) EXPAND --framedMTU=%{Framed-MTU}
(6) --> --framedMTU=1500
(6) EXPAND --framedProtocol=%{Framed-Protocol}
(6) --> --framedProtocol=PPP
(6) EXPAND --nasIdentifier=%{NAS-Identifier}
(6) --> --nasIdentifier=S5735_K6_SW1
(6) EXPAND --nasIPAddress=%{NAS-IP-Address}
(6) --> --nasIPAddress=172.100.0.60
(6) EXPAND --nasPort=%{NAS-Port}
(6) --> --nasPort=20497
(6) EXPAND --nasPortID=%{NAS-Port-Id}
(6) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(6) EXPAND --nasPortType=%{NAS-Port-Type}
(6) --> --nasPortType=Ethernet
(6) EXPAND --serviceType=%{Service-Type}
(6) --> --serviceType=Framed-User
(6) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(6) --> --tunnelMediumType=
(6) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(6) --> --tunnelPrivateGroupID=
(6) EXPAND --tunnelType=%{Tunnel-Type}
(6) --> --tunnelType=
(6) Program returned code (0) and output 'Reply-Message :=""'
(6) control::Reply-Message :=
(6) } # update = noop
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = noop
(6) } # policy filter_username = noop
(6) [preprocess] = ok
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 169 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x06df9fcc037686aa
(6) eap: Finished EAP session with state 0x06df9fcc037686aa
(6) eap: Previous EAP request found for state 0x06df9fcc037686aa, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 170 length 43
(6) eap: EAP session adding &reply:State = 0x06df9fcc007586aa
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(6) TLS-Session-Version = "TLS 1.0"
(6) Sent Access-Challenge Id 31 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(6) EAP-Message =
0x01aa002b1900170301002039839b1c2d3257209fb27a7353e9e75e31a406708676f7c33e1183170f61d947
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x06df9fcc007586aa43639075ca7d333a
(6) Finished request
Waking up in 4.5 seconds.
(7) Received Access-Request Id 32 from 172.100.0.60:49947 to
172.16.0.100:1812 length 393
(7) User-Name = "mypc-pc\\Administrator"
(7) NAS-Port = 20497
(7) Service-Type = Framed-User
(7) Framed-Protocol = PPP
(7) Calling-Station-Id = "44a8-42f7-952d"
(7) NAS-Identifier = "S5735_K6_SW1"
(7) NAS-Port-Type = Ethernet
(7) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(7) State = 0x06df9fcc007586aa43639075ca7d333a
(7) EAP-Message =
0x02aa003b190017030100303d5c35ae730f2e2172de89948e051cb0b227033be363ddea1c384cc141c1593d7ed0251c4ca849138cfdebf0e810852a
(7) Message-Authenticator = 0x1a8ae85940fcefdcbc7a0528828a0c77
(7) Called-Station-Id = "44-67-47-26-F7-90"
(7) Login-IP-Host = 0.0.0.0
(7) NAS-IP-Address = 172.100.0.60
(7) Framed-MTU = 1500
(7) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(7) Huawei-Startup-Stamp = 1589932873
(7) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(7) Huawei-Connect-ID = 45
(7) Huawei-Version = "Huawei S5735"
(7) Huawei-Product-ID = "S5735"
(7) Huawei-User-Mac = "\000\000\000\001"
(7) Huawei-Domain-Name = "default"
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(7) &session-state:TLS-Session-Version = "TLS 1.0"
(7) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(7) authorize {
(7) update {
(7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(7) EXPAND --username=%{User-Name}
(7) --> --username=mypc-pc\\Administrator
(7) EXPAND --calledStationID=%{Called-Station-Id}
(7) --> --calledStationID=44-67-47-26-F7-90
(7) EXPAND --callingStationID=%{Calling-Station-Id}
(7) --> --callingStationID=44a8-42f7-952d
(7) EXPAND --connectInfo=%{Connect-Info}
(7) --> --connectInfo=
(7) EXPAND --framedMTU=%{Framed-MTU}
(7) --> --framedMTU=1500
(7) EXPAND --framedProtocol=%{Framed-Protocol}
(7) --> --framedProtocol=PPP
(7) EXPAND --nasIdentifier=%{NAS-Identifier}
(7) --> --nasIdentifier=S5735_K6_SW1
(7) EXPAND --nasIPAddress=%{NAS-IP-Address}
(7) --> --nasIPAddress=172.100.0.60
(7) EXPAND --nasPort=%{NAS-Port}
(7) --> --nasPort=20497
(7) EXPAND --nasPortID=%{NAS-Port-Id}
(7) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(7) EXPAND --nasPortType=%{NAS-Port-Type}
(7) --> --nasPortType=Ethernet
(7) EXPAND --serviceType=%{Service-Type}
(7) --> --serviceType=Framed-User
(7) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(7) --> --tunnelMediumType=
(7) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(7) --> --tunnelPrivateGroupID=
(7) EXPAND --tunnelType=%{Tunnel-Type}
(7) --> --tunnelType=
(7) Program returned code (0) and output 'Reply-Message :=""'
(7) control::Reply-Message :=
(7) } # update = noop
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = noop
(7) } # policy filter_username = noop
(7) [preprocess] = ok
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 170 length 59
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x06df9fcc007586aa
(7) eap: Finished EAP session with state 0x06df9fcc007586aa
(7) eap: Previous EAP request found for state 0x06df9fcc007586aa, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - mypc-pc\Administrator
(7) eap_peap: Got inner identity 'mypc-pc\Administrator'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
(7) eap_peap: Setting User-Name to mypc-pc\Administrator
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "mypc-pc\\Administrator"
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "mypc-pc\\Administrator"
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) update {
(7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--verify=true --control=false:
(7) EXPAND --username=%{User-Name}
(7) --> --username=mypc-pc\\Administrator
(7) Program returned code (0) and output 'Idle-Timeout := "30"'
(7) reply::Idle-Timeout := 30
(7) } # update = noop
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = noop
(7) } # policy filter_username = noop
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 170 length 28
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7) [eap] = ok
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file
/mydir/etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 171 length 43
(7) eap: EAP session adding &reply:State = 0xb29197b0b23a8d1a
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) Idle-Timeout := 30
(7) EAP-Message =
0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b667265657261646975732d332e302e3231
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xb29197b0b23a8d1abd34b414c2a4601c
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: Idle-Timeout := 30
(7) eap_peap: EAP-Message =
0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b667265657261646975732d332e302e3231
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: Idle-Timeout := 30
(7) eap_peap: EAP-Message =
0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b667265657261646975732d332e302e3231
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 171 length 75
(7) eap: EAP session adding &reply:State = 0x06df9fcc017486aa
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(7) TLS-Session-Version = "TLS 1.0"
(7) Sent Access-Challenge Id 32 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(7) EAP-Message =
0x01ab004b19001703010040f117bdd7e2a2d6530a0eebaac5f17a0b3e5846e1278f4367eeb28499b7d4f60485adaa834a12a2f5fc22b2e4a7b75b2fd584277bbb9e717bf568d0b7c39b9b21
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x06df9fcc017486aa43639075ca7d333a
(7) Finished request
Waking up in 4.5 seconds.
(8) Received Access-Request Id 33 from 172.100.0.60:49947 to
172.16.0.100:1812 length 441
(8) User-Name = "mypc-pc\\Administrator"
(8) NAS-Port = 20497
(8) Service-Type = Framed-User
(8) Framed-Protocol = PPP
(8) Calling-Station-Id = "44a8-42f7-952d"
(8) NAS-Identifier = "S5735_K6_SW1"
(8) NAS-Port-Type = Ethernet
(8) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(8) State = 0x06df9fcc017486aa43639075ca7d333a
(8) EAP-Message =
0x02ab006b1900170301006030a260cec76b817616c8446e917733d195ea67fcb4cba7ea0c15873eccb189ac0c0482c8d146ae81eaf880b90364036ca514b87389987c4879b1e21d8c032b74a3adf543509c62b5cc1e85d7f556043d22e8f68156c08b94226c0358519793f0
(8) Message-Authenticator = 0x99f47b6e04e6c7df9ba0bad3ad23a0dc
(8) Called-Station-Id = "44-67-47-26-F7-90"
(8) Login-IP-Host = 0.0.0.0
(8) NAS-IP-Address = 172.100.0.60
(8) Framed-MTU = 1500
(8) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(8) Huawei-Startup-Stamp = 1589932873
(8) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(8) Huawei-Connect-ID = 45
(8) Huawei-Version = "Huawei S5735"
(8) Huawei-Product-ID = "S5735"
(8) Huawei-User-Mac = "\000\000\000\001"
(8) Huawei-Domain-Name = "default"
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(8) &session-state:TLS-Session-Version = "TLS 1.0"
(8) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(8) authorize {
(8) update {
(8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(8) EXPAND --username=%{User-Name}
(8) --> --username=mypc-pc\\Administrator
(8) EXPAND --calledStationID=%{Called-Station-Id}
(8) --> --calledStationID=44-67-47-26-F7-90
(8) EXPAND --callingStationID=%{Calling-Station-Id}
(8) --> --callingStationID=44a8-42f7-952d
(8) EXPAND --connectInfo=%{Connect-Info}
(8) --> --connectInfo=
(8) EXPAND --framedMTU=%{Framed-MTU}
(8) --> --framedMTU=1500
(8) EXPAND --framedProtocol=%{Framed-Protocol}
(8) --> --framedProtocol=PPP
(8) EXPAND --nasIdentifier=%{NAS-Identifier}
(8) --> --nasIdentifier=S5735_K6_SW1
(8) EXPAND --nasIPAddress=%{NAS-IP-Address}
(8) --> --nasIPAddress=172.100.0.60
(8) EXPAND --nasPort=%{NAS-Port}
(8) --> --nasPort=20497
(8) EXPAND --nasPortID=%{NAS-Port-Id}
(8) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(8) EXPAND --nasPortType=%{NAS-Port-Type}
(8) --> --nasPortType=Ethernet
(8) EXPAND --serviceType=%{Service-Type}
(8) --> --serviceType=Framed-User
(8) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(8) --> --tunnelMediumType=
(8) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(8) --> --tunnelPrivateGroupID=
(8) EXPAND --tunnelType=%{Tunnel-Type}
(8) --> --tunnelType=
(8) Program returned code (0) and output 'Reply-Message :=""'
(8) control::Reply-Message :=
(8) } # update = noop
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = noop
(8) } # policy filter_username = noop
(8) [preprocess] = ok
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 171 length 107
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a
(8) eap: Finished EAP session with state 0x06df9fcc017486aa
(8) eap: Previous EAP request found for state 0x06df9fcc017486aa, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message =
0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f0000000000000000a380d06457734f2b4a8f544de51831e2a54853305befeb550041646d696e6973747261746f72
(8) eap_peap: Setting User-Name to mypc-pc\Administrator
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message =
0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f0000000000000000a380d06457734f2b4a8f544de51831e2a54853305befeb550041646d696e6973747261746f72
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "mypc-pc\\Administrator"
(8) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
(8) Virtual server inner-tunnel received request
(8) EAP-Message =
0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f0000000000000000a380d06457734f2b4a8f544de51831e2a54853305befeb550041646d696e6973747261746f72
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "mypc-pc\\Administrator"
(8) State = 0xb29197b0b23a8d1abd34b414c2a4601c
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) update {
(8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--verify=true --control=false:
(8) EXPAND --username=%{User-Name}
(8) --> --username=mypc-pc\\Administrator
(8) Program returned code (0) and output 'Idle-Timeout := "30"'
(8) reply::Idle-Timeout := 30
(8) } # update = noop
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = noop
(8) } # policy filter_username = noop
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 171 length 72
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file
/mydir/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a
(8) eap: Finished EAP session with state 0xb29197b0b23a8d1a
(8) eap: Previous EAP request found for state 0xb29197b0b23a8d1a, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file
/mydir/etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as
MS-CHAP Name (Administrator) from EAP-MSCHAPv2
(8) mschap: Creating challenge hash with username: Administrator
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-00}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(8) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
(8) mschap: --> --username=Administrator
(8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not the same as
MS-CHAP Name (Administrator) from EAP-MSCHAPv2
(8) mschap: Creating challenge hash with username: Administrator
(8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(8) mschap: --> --challenge=54f8ede55f4a4abb
(8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(8) mschap: -->
--nt-response=a380d06457734f2b4a8f544de51831e2a54853305befeb55
(8) mschap: ERROR: Program returned code (1) and output 'Reading winbind
reply failed! (0xc0000001)'
(8) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
(8) mschap: Authentication failed
(8) eap_mschapv2: [mschap] = fail
(8) eap_mschapv2: } # authenticate = fail
(8) eap: Sending EAP Failure (code 4) ID 171 length 4
(8) eap: Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file
/mydir/etc/raddb/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> mypc-pc\\Administrator
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) update outer.session-state {
(8) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: Program returned code (1) and output \'Reading winbind reply
failed! (0xc0000001)\''
(8) } # update outer.session-state = noop
(8) } # Post-Auth-Type REJECT = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) MS-CHAP-Error = "\253E=691 R=1 C=be33295ca3e819f0d59751ac4be850ab V=3
M=Authentication failed"
(8) EAP-Message = 0x04ab0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap: MS-CHAP-Error = "\253E=691 R=1
C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed"
(8) eap_peap: EAP-Message = 0x04ab0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap: MS-CHAP-Error = "\253E=691 R=1
C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed"
(8) eap_peap: EAP-Message = 0x04ab0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap: Sending EAP Request (code 1) ID 172 length 43
(8) eap: EAP session adding &reply:State = 0x06df9fcc0e7386aa
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(8) TLS-Session-Version = "TLS 1.0"
(8) Module-Failure-Message := "mschap: Program returned code (1) and
output 'Reading winbind reply failed! (0xc0000001)'"
(8) Sent Access-Challenge Id 33 from 172.16.0.100:1812 to
172.100.0.60:49947 length
0
(8) EAP-Message =
0x01ac002b1900170301002026931b104878a5280e9a66fdc3cfdebbdb1f8246a377c0748067abbfc703e7f7
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x06df9fcc0e7386aa43639075ca7d333a
(8) Finished request
Waking up in 4.3 seconds.
(9) Received Access-Request Id 34 from 172.100.0.60:49947 to
172.16.0.100:1812 length 377
(9) User-Name = "mypc-pc\\Administrator"
(9) NAS-Port = 20497
(9) Service-Type = Framed-User
(9) Framed-Protocol = PPP
(9) Calling-Station-Id = "44a8-42f7-952d"
(9) NAS-Identifier = "S5735_K6_SW1"
(9) NAS-Port-Type = Ethernet
(9) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
(9) State = 0x06df9fcc0e7386aa43639075ca7d333a
(9) EAP-Message =
0x02ac002b1900170301002002a19fd10d3999b09ff706b3c9a2e1b6f1de661047ec0e47760dd1c38e3479ce
(9) Message-Authenticator = 0x9991289c6858191d73f190917ff6d23e
(9) Called-Station-Id = "44-67-47-26-F7-90"
(9) Login-IP-Host = 0.0.0.0
(9) NAS-IP-Address = 172.100.0.60
(9) Framed-MTU = 1500
(9) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
(9) Huawei-Startup-Stamp = 1589932873
(9) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
(9) Huawei-Connect-ID = 45
(9) Huawei-Version = "Huawei S5735"
(9) Huawei-Product-ID = "S5735"
(9) Huawei-User-Mac = "\000\000\000\001"
(9) Huawei-Domain-Name = "default"
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
(9) &session-state:TLS-Session-Version = "TLS 1.0"
(9) &session-state:Module-Failure-Message := "mschap: Program returned
code (1) and output 'Reading winbind reply failed! (0xc0000001)'"
(9) # Executing section authorize from file
/mydir/etc/raddb/sites-enabled/default
(9) authorize {
(9) update {
(9) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
--calledStationID='%{Called-Station-Id}'
--callingStationID='%{Calling-Station-Id}' --connectInfo='%{Connect-Info}'
--framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
--nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
--nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
--nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
--tunnelMediumType='%{Tunnel-Medium-Type}'
--tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
--tunnelType='%{Tunnel-Type}' --control=false --verify=false
--logging=true:
(9) EXPAND --username=%{User-Name}
(9) --> --username=mypc-pc\\Administrator
(9) EXPAND --calledStationID=%{Called-Station-Id}
(9) --> --calledStationID=44-67-47-26-F7-90
(9) EXPAND --callingStationID=%{Calling-Station-Id}
(9) --> --callingStationID=44a8-42f7-952d
(9) EXPAND --connectInfo=%{Connect-Info}
(9) --> --connectInfo=
(9) EXPAND --framedMTU=%{Framed-MTU}
(9) --> --framedMTU=1500
(9) EXPAND --framedProtocol=%{Framed-Protocol}
(9) --> --framedProtocol=PPP
(9) EXPAND --nasIdentifier=%{NAS-Identifier}
(9) --> --nasIdentifier=S5735_K6_SW1
(9) EXPAND --nasIPAddress=%{NAS-IP-Address}
(9) --> --nasIPAddress=172.100.0.60
(9) EXPAND --nasPort=%{NAS-Port}
(9) --> --nasPort=20497
(9) EXPAND --nasPortID=%{NAS-Port-Id}
(9) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
(9) EXPAND --nasPortType=%{NAS-Port-Type}
(9) --> --nasPortType=Ethernet
(9) EXPAND --serviceType=%{Service-Type}
(9) --> --serviceType=Framed-User
(9) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
(9) --> --tunnelMediumType=
(9) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
(9) --> --tunnelPrivateGroupID=
(9) EXPAND --tunnelType=%{Tunnel-Type}
(9) --> --tunnelType=
(9) Program returned code (0) and output 'Reply-Message :=""'
(9) control::Reply-Message :=
(9) } # update = noop
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = noop
(9) } # policy filter_username = noop
(9) [preprocess] = ok
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "mypc-pc\Administrator", looking up realm
NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 172 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x06df9fcc0e7386aa
(9) eap: Finished EAP session with state 0x06df9fcc0e7386aa
(9) eap: Previous EAP request found for state 0x06df9fcc0e7386aa, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: ERROR: The users session was previously rejected: returning
reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will
tell you
(9) eap_peap: what went wrong, and how to fix the problem
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(9) eap: Sending EAP Failure (code 4) ID 172 length 4
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /mydir/etc/raddb/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> mypc-pc\\Administrator
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 34 from 172.16.0.100:1812 to
172.100.0.60:49947 length
44
(9) EAP-Message = 0x04ac0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
2
3
Hi FreeRADIUS,
I'm running Winbindd on some other directory. I have to update winbindd
prieveleged socket path on FreeRADIUS side. I've read some documents but I
couldn't find a configuration for this.
My samba config:
# cat /etc/samba/smb.conf
[global]
winbindd socket directory = /mydir/var/run/winbindd
state directory = / mydir /var/run/samba/locks/state
pid directory = / mydir /var/run/
cache directory = / mydir /var/run/samba/locks/cache
lock directory = / mydir /var/run/samba/locks
FreeRADIUS looks for the default winbindd socket directory
(/var/run/samba/winbindd), but actually it should look for
/permanent/var/run/samba/winbindd, how can I configure FreeRADIUS for that?
Thanks in advance..
3
4
Hi Folks,
i've edited the linelog module(also with help from this forum) to get a json log file(sample):
```
linelog log_general_message {
format = "%t Log for %{jsonquote:%{User-Name}}"
filename = ${logfile}
permissions = 0644
reference = "messages.%{%{Packet-Type}:-format}"
messages {
Access-Request = "{\"Datetime\": \"%t\",\"Packet-Type\": \"%{Packet-Type}\",\"TLS-Cert-Issuer\": \"%{jsonquote:%{TLS-Client-Cert-Issuer}}\"}"
}
}
```
which results in:
```
{"Datetime": "Fri Jun 18 15:18:30 2021","Packet-Type": "Access-Request","TLS-Cert-Issuer": "/O=sample/OU=sample/CN=sample"}
```
It works fine. I've also such entries to log the Access-Acecpt, Reject and challange with other variables. Those variables are not always filled so it would be perfect to set them to null to eayseli remove those entries in the later log parsing.
It's in general also possible with the conditional syntax '%{%{Foo}:-bar}'. The problem comes when the variable is filled then because it don't get quotet.
Sample to understand what i mean:
```
linelog log_general_message {
format = "%t Log for %{jsonquote:%{User-Name}}"
filename = ${logfile}
permissions = 0644
reference = "messages.%{%{Packet-Type}:-format}"
messages {
Access-Request = "{\"Datetime\": \"%t\",\"Packet-Type\": \"%{Packet-Type}\",\"TLS-Cert-Issuer\": %{jsonquote:%{%{TLS-Client-Cert-Issuer}:-null}}"
}
}
```
results in
```
{"Datetime": "Fri Jun 18 15:18:30 2021","Packet-Type": "Access-Request","TLS-Cert-Issuer": null}
```
which is perfect. But when %{TLS-Client-Cert-Issuer} is filled it results in a not valid json file because it's not in quotes:
```
{"Datetime": "Fri Jun 18 15:18:30 2021","Packet-Type": "Access-Request","TLS-Cert-Issuer": /O=sample/OU=sample/CN=sample}
```
Does anyone have a idea how the contitional syntax could be used to get a quoted string when a variable is filled but a not quoted string 'null' when not?
Best regards,
lineconnect
3
2
Hi all,
I've been a happy FreeRadius user for over 3 years now. I have had 3.0.13
running for that entire time with no complaints. (I've been using it w/ a
Sonicwall to do 2-factor authentication for VPN login.)
Recently, I've been revisiting the installation, and I thought, rather than
making changes to a very stable and reliable system, I'd spin up a new
installation with the latest version of FreeRadius (3.0.23).
So, my new server is running Ubuntu 20.04 and using the NetworkRadius
packages to install freeradius 3.0.23. I have also installed
libpam-google-authenticatior, and integrated it according to these steps:
https://networkjutsu.com/freeradius-google-authenticator/
This seems to have worked fine. I was running freeradius manually, with
debug (-X) enabled, and everything seemed to be working fine.
sudo /usr/sbin/freeradius -X
So, I killed freeradius (CTRL-C), and tried:
sudo service freeradius start
It started up fine.
But, now when I try authenticating (using radtest):
radtest mbobak redacted123456 localhost:1812 0 'redacted'
I get Access-Rejected
Looking at the log file, /var/log/freeradius/radius.log, I see:
Wed Jun 16 22:42:54 2021 : Info: Ready to process requests
Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed
Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file
system" while writing config
Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: pam_authenticate failed:
Authentication failure
Wed Jun 16 22:43:27 2021 : Auth: (0) Login incorrect (pam: PAM conversation
failed): [mbobak/Akosama30404615] (from client localhost port 0)
The only read-only filesystems do not appear to be relevant to the
freeradius installation:
mount | grep ro,
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
/var/lib/snapd/snaps/amazon-ssm-agent_3552.snap on
/snap/amazon-ssm-agent/3552 type squashfs (ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/core18_1997.snap on /snap/core18/1997 type squashfs
(ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/lxd_19647.snap on /snap/lxd/19647 type squashfs
(ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/snapd_12057.snap on /snap/snapd/12057 type squashfs
(ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/core18_2066.snap on /snap/core18/2066 type squashfs
(ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/lxd_20326.snap on /snap/lxd/20326 type squashfs
(ro,nodev,relatime,x-gdu.hide)
/var/lib/snapd/snaps/snapd_12159.snap on /snap/snapd/12159 type squashfs
(ro,nodev,relatime,x-gdu.hide)
But, even though it's reporting a read-only filesystem error, I'm thinking
it could be a permission problem on some file?
But, I'm really baffled by the system working when I run freeradius
manually, but only errors when I run it from the service.
Any help would be appreciated.
Thanks,
-Mark
3
6
freeradius with perl , have Discarding duplicate request from client nas_1 port 58159 - ID: 30 due to delayed response ,when reject
by Muhammed Buvaydani 18 Jun '21
by Muhammed Buvaydani 18 Jun '21
18 Jun '21
hello , I have freeradius 3.x where I enabled Perl module for authentication, I noticed that my freeradius return this error in debug mode
Discarding duplicate request from client nas_1 port 58159 - ID: 30 due to delayed response
I thought that is because of my authentication script but then I disabled the authentication and configured my Perl to reject to all users without any query or authentication (just for checking )
but still, I have the same error
Discarding duplicate request from client nas_1 port 58159 - ID: 30 due to delayed response
this is my perl script
use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use IO::Socket;
use locale;
use POSIX;
use PHP::Serialization qw(serialize unserialize);
use LWP::Simple;
use Sys::Syslog;
setlocale(LC_ALL, 'C');
use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */
use constant RLM_MODULE_FAIL=> 1;# /* module failed, don't reply */
use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */
use constant RLM_MODULE_HANDLED=> 3;# /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID=> 4;# /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK=> 5;# /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND=> 6;# /* user not found */
use constant RLM_MODULE_NOOP=> 7;# /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES=> 9;# /* How many return codes there are */
my $splynx;
my $answer;
my $contents;
my $request;
my $ua = LWP::UserAgent->new();
my $res;
sub authorize {
return RLM_MODULE_REJECT;
}
sub authenticate {
return RLM_MODULE_REJECT;
}
as you see I configured my Perl script to only reject users, but in debug mode, I have this warning,
(12) Received Access-Request Id 148 from 104.46.67.10:58063 to 44.118.166.12:1812 length 123
(12) Service-Type = Framed-User
(12) Framed-Protocol = PPP
(12) NAS-Port = 15730188
(12) NAS-Port-Type = Ethernet
(12) User-Name = "test2"
(12) Calling-Station-Id = "00:0C:29:6E:F3:2F"
(12) NAS-Port-Id = "vlan3800"
(12) User-Password = "test2"
(12) NAS-Identifier = "00:0C:29:D5:7F:74"
(12) NAS-IP-Address = 104.46.67.10
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/splynx
(12) authorize {
(12) update control {
(12) Auth-Type := Accept
(12) } # update control = noop
(12) [preprocess] = ok
(12) [mschap] = noop
(12) eap: No EAP-Message, not doing EAP
(12) [eap] = noop
(12) perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'test2'
(12) perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'test2'
(12) perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '104.46.67.10'
(12) perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '15730188'
(12) perl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
(12) perl: $RAD_REQUEST{'Framed-Protocol'} = &request:Framed-Protocol -> 'PPP'
(12) perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '00:0C:29:6E:F3:2F'
(12) perl: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> '00:0C:29:D5:7F:74'
(12) perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
(12) perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jun 18 2021 20:10:15 IST'
(12) perl: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'vlan3800'
(12) perl: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Accept'
(12) perl: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Accept'
(12) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Jun 18 2021 20:10:15 IST'
(12) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'test2'
(12) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '00:0C:29:6E:F3:2F'
(12) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
(12) perl: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'vlan3800'
(12) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '104.46.67.10'
(12) perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> '00:0C:29:D5:7F:74'
(12) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'test2'
(12) perl: &request:Framed-Protocol = $RAD_REQUEST{'Framed-Protocol'} -> 'PPP'
(12) perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
(12) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '15730188'
(12) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Accept'
(12) [perl] = reject
(12) } # authorize = reject
(12) Using Post-Auth-Type Reject
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/splynx
(12) Post-Auth-Type REJECT {
(12) attr_filter.access_reject: EXPAND %{User-Name}
(12) attr_filter.access_reject: --> test2
(12) attr_filter.access_reject: Matched entry DEFAULT at line 11
(12) [attr_filter.access_reject] = updated
(12) [eap] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # Post-Auth-Type REJECT = updated
(12) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(12) (12) Discarding duplicate request from client nas_1 port 58063 - ID: 148 due to delayed response
Waking up in 0.6 seconds.
(12) (12) Discarding duplicate request from client nas_1 port 58063 - ID: 148 due to delayed response
Waking up in 0.3 seconds.
(12) Sending delayed response
in the other hand when I am accepting all users, I did not get that warning, this warning is just shown when rejecting user,
as I said there is no query or anything else,
thank you very much in advance
2
3
Logrotate config from Networkradius CentOS package breaks other logrotate configs
by Sven Scharf 18 Jun '21
by Sven Scharf 18 Jun '21
18 Jun '21
Hi,
I'm currently using the CentOS Radius packages provided by
https://networkradius.com/packages/ for an OracleLinux 8 x86_64:
Installed Packages
Name : freeradius
Version : 3.0.23
Release : 1
Architecture : x86_64
Size : 8.0 M
Source : freeradius-3.0.23-1.src.rpm
Repository : @System
>From repo : networkradius-Project
Summary : High-performance and highly configurable free RADIUS
server
URL : http://www.freeradius.org/
License : GPLv2+ and LGPLv2+
Description : The FreeRADIUS Server Project is a high performance and
highly configurable
[...]
/etc/logrotate.d/radiusd contains settings outside of a logfile scope.
e.g. su radiusd radiusd
Sadly this affects all other logrotate configs after the radiusd config
file, e.g. samba or sssd. Which now get a permission denied error as
the radiusd user isn't allowed to rotate those logfiles.
As this config file comes from the freeradius package I don't like to
modify it.
Is there any chance that the logrotate config of the package gets
fixed?
Thanks,
Sven
4
5
18 Jun '21
** Why you should design for a worst case scenario
---------------------------------------------
If you live in an earthquake zone, it’s important to engineer buildings to survive an earthquake. You don’t know when an earthquake will happen, or where exactly, or how big it’s going to be, but you know that it will happen at some point during the lifetime of the building. And the consequences of not earthquake proofing can be deadly.
The same goes for your critical network infrastructure. At some point, some part of your network will go down. The consequences are not usually deadly, but it can feel that way when it’s happening to you.
Read the full article...
https://networkradius.com/articles/2021/06/09/why-you-should-design-for-a-w…
** Sign up to get this content directly
---------------------------------------------
Want to get these articles in all their HTML glory?
Sign up here: http://eepurl.com/hwuWrn
** Need RADIUS help?
---------------------------------------------
Get commercial support from the team behind FreeRADIUS.
https://networkradius.com/contact/
** What is the relationship between Network RADIUS and FreeRADIUS?
----------------------------------------------
FreeRADIUS is an open source implementation of the RADIUS protocol and was written by Alan DeKok in 1999.
Network RADIUS is a private, for-profit company founded by Alan DeKok which provides commercial support for FreeRADIUS. The Network RADIUS team has been the primary contributor to FreeRADIUS for the last 20 years. The FreeRADIUS mailing list, wiki, and documentation are all moderated and maintained by the Network RADIUS team.
FreeRADIUS has always been, and will always continue to be, open source. The Network RADIUS team provides commercial support to paying clients, and free product development for the FreeRADIUS community at large.
All of our software development for FreeRADIUS is integrated into the Open Source platform, and will always continue to be.
1
0
18 Jun '21
Hello,
In a BYOD context where each user may own severaldevices, is it possible to
configure a fixed table such as bellow (either simple text file or database
table) and have a single fixed private addresses being allocated to each
802.1X identity ?
802.1x ID Password IP
user001 secret01 192.168.1.101
user002 superpwd02 192.168.1.102
If a device owner connects a second device providing the same 802.1
identity, I would like the first device to be kicked off the network.
Could it be possible with latest Freeradius ?
Comments ?
Suggestions ?
Best regards
2
1
Weird question here, want to stop freeradius sending an Accounting-Response, I assume it's probably possible since it's like a Lego set, but how is best/easiest way of doing it on a per NAS basis.
Why you would want to do such a thing, well I'll have more info on that tomorrow after I've spoken with the Telco.
At the moment I just want to know if it's possible and best way of doing it.
Mark.
________________________________
This e-mail message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information of Transaction Network Services.
Any unauthorized reviews, use, disclosure or distribution is prohibited. If you are not
the intended recipient, please contact the sender by reply e-mail and destroy all copies
of the original message.
---------------------------------------------------------------------------------------
This email has been scanned for email related threats and delivered safely by Mimecast.
For more information please visit http://www.mimecast.com
---------------------------------------------------------------------------------------
2
5
Hi!
I'm trying to use FreeRADIUS with an Active Directory Server. I've read the
documentations but the server that FreeRADIUS runs has to join the Active
Directory as a client.
Is there any way to authenticate users with AD without joining the AD
server?
P.S.: I'm using MSCHAP protocol.
4
5