Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2021
- 49 participants
- 47 discussions
All,
I've got authentication working nicely with MSCHAP, but now I'd like to
only allow users that are members of a certain AD group.
I would prefer to have this happen only when requests come from a
specific client (wireless access point). In this case the idea is to
have users only be able to get wireless access when they're in a
specific AD group.
How can I do this in freeradius?
Thanks,
Brian
7
18
Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)"
by CpServiceSPb 11 Sep '22
by CpServiceSPb 11 Sep '22
11 Sep '22
I use Freeradius 3.0.21 on Ubuntu 18.04 x64 LTS.
It is started under freerad:freerad, acts as DHCP as well listen to 0.0.0.0
IP and accept broadcast on one of two interfaces and listen to
192.168.0.254 and not accept broadcast on other one interface.
During DHCP conversation with clients using broadcast accepting (IP
0.0.0.0) interface, the following message is got and DHCP don' t assign to
the client:
"Failed adding ARP entry: Failed to add entry in ARP cache: Operation not
permitted (1)"
I don' t want to launch Freeradius under either root user or root/admin
group.
What is the best solution to avoid the error under freerad:freerad and move
on ?
4
7
Hi Together,
we finally got the issue and for the anyone else, how will face the issue, the fix is quite simple. Update your TPM Firmware!
In fact, during the authentication the client is sending a signature which only includes nulls. The packet itself is intact, sizes of the packets are valid and the signature algorithm is also well. The only thing that's not in the tls authentication is a signature. :
````
(4) eap_tls: <<< recv TLS 1.2 (type: 0016) [length 0108] handshake_type: 0f, alert_level: 00, alert_description: 00
0f000104 TLS handshake certificate_verify len 0x000104 = 260
0804 signature algorithm: rsa_pss_rsae_sha256
0100 signature size: 0x0100 = 256
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 000000000000
````
That's also the reason why some of our clients are able to authenticate and some not, with the key, stored in TPM.
Intel ships end customer TPM updater, STM as we know not. We also don't have clients with Infineon chips but they should also ship updates to the end customer.
FYI: This was a team operation and thanks to all that helped here.
Regards,
Lineconnnect
<quote author='Users mailing list'>
2 months later, a quick update on this topic (apologies, I may have
broken the threading as I don't have a copy of the original e-mails any
more!), just so there's an online reference here for anyone encountering
the same error.
Turns out I was wrong about it being Windows and OpenSSL getting muddled
over TLS 1.2 vs. 1.3...
To recap: Windows 10 clients, corporate WiFi network using EAP-TLS to
RADIUS with machine certificate (SCEP) authentication only.
Error in Freeradius logs:
(6) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
tls: TLS_accept: Error in error
(6) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(6) eap_tls: ERROR: error:0407E086:rsa
routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
(6) eap_tls: ERROR: error:1417B07B:SSL
routines:tls_process_cert_verify:bad signature
(6) eap_tls: ERROR: System call (I/O) error (-1)
(6) eap_tls: ERROR: TLS receive handshake failed during operation
(6) eap_tls: ERROR: [eaptls process] = fail
After encountering the error on a few machines again, even with
"tls_max_version" set, I delved into the guts of Windows again, and
found the error (which isn't helpful or descriptive) was actually caused
because:
* Some machine certificates had were stored/managed by the "Microsoft
Platform Crypto Provider" (TPM-backed)
* Built-in security measures control access to keys in that CSP, and it
cannot be used non-interactively
* Windows WiFi profile was set to auto-join (non-interactive)
* Windows couldn't get the key, so $deity knows what signature it was
sending
* OpenSSL rightly got confused
The solution:
Ensure machine certificate keys are stored in the "Microsoft Software
Key Storage Provider" (or another CSP/KSP that permits non-interactive
use).
All is well again, and I'm close to shutting down NPS :-)
--
Peter Bance
Information Security Adviser
Alan DeKok wrote:
> A final update on this, in case anyone here's interested (or to "wrap
> up" for anyone stumbling across this thread online) - I fixed it, and
> Windows clients are now happily joining WiFi. It's a beautiful thing to
> behold :-)
>
> In the end, I had to force OpenSSL on FreeRADIUS to stop offering
> TLS1.3 ciphers using the mods/eap config:
>
> tls_max_version = "1.2"
Good to hear.
> It seems there may be a bug in OpenSSL 1.1.1 such that even though the
> negotiation resulted in a TLS 1.2 session, the weird back-port of TLS
> 1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking
> for TLS 1.3 style signatures inappropriately.
Weird, but OK. It's OpenSSL :(
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
</quote>
Quoted from:
http://freeradius.1045715.n5.nabble.com/RE-EAP-TLS-Signature-Check-Failure-…
_____________________________________
Sent from http://freeradius.1045715.n5.nabble.com
3
4
Hi,
I’m seeing a lot of crashes after upgrading to the NR packaged versions of FreeRADIUS 3.0.23:
Tue Jul 6 03:46:10 2021 : Auth: (145) Login OK: [anonymous@realm] (from client roaming1 port 0 cli 70-6F-6C-69-73-68)
Bad talloc magic value - unknown value
talloc abort: Bad talloc magic value - unknown value
Tue Jul 6 03:46:24 2021 : Info: Debugger not attached
Tue Jul 6 03:46:24 2021 : Info: systemd watchdog is disabled
3.0.22 ran nicely, but now I’m concerned about 50 crashes with the above message since 3am this morning... Any ideas, gents? *looks at Arran, Alan and Matthew expectantly*
I’ve rolled back manually to 3.0.22 as a precaution.
With Kind Regards
Stefan Paetow
Federated Roaming Technical Specialist
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp(a)jabber.dev.ja.net
skype: stefan.paetow.janet
In line with government advice, at Jisc we’re now working from home and our offices are currently closed. Read our statement on coronavirus<https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
6
11
Hi,
we're running the FreeRADIUS server in a Kubernetes cluster and accepting only RadSec connections and forwarding the requests with Traefik as TCProute to FreeRADIUS.
However it would be nice to preserve the actual IP address of the sender in the requests. Traefik has the opportunity to forward the requests with the PROXY protocol.
Is there any change to accept and interpret the requests correct with the PROXY protocol in FreeRADIUS? Hopefully i haven't overlooked something in the documentation.
After enabling i see only things like this('radiusd -fxxx'):
```
Thu Jul 22 10:12:01 2021 : Info: Ready to process requests
Thu Jul 22 10:12:09 2021 : Debug: ... new connection request on TCP socket
Thu Jul 22 10:12:09 2021 : Debug: Listening on auth+acct from client (10.244.11.70, 36504) -> (*, 2083, virtual-server=felix-radsec)
Thu Jul 22 10:12:09 2021 : Debug: Waking up in 0.4 seconds.
Thu Jul 22 10:12:09 2021 : Debug: (0) (TLS) Initiating new session
Thu Jul 22 10:12:09 2021 : Debug: (0) (TLS) Setting verify mode to require certificate from client
Thu Jul 22 10:12:09 2021 : Debug: (0) Reading from socket 11
READ FROM SSL 342
00: 50 52 4f 58 59 20 54 43 50 34 20 37 37 2e 34 37
10: 2e 36 38 2e 31 31 30 20 31 30 2e 32 34 34 2e 31
20: 31 2e 37 30 20 34 34 33 34 35 20 32 30 38 33 0d
30: 0a 16 03 01 01 20 01 00 01 1c 03 03 01 87 ca 71
40: 59 fb 6b f8 d3 bb cd d4 db d3 e1 08 1f 1b e2 fc
50: 80 41 31 49 14 eb 8e 42 50 2a c9 d3 20 e9 e9 78
60: c4 3b 39 cc fa 60 65 95 96 3d b5 b9 6d 44 69 1a
70: 72 4f 0c ef c9 e6 c7 69 92 21 fe cc 45 00 3e 13
80: 02 13 03 13 01 c0 2c c0 30 00 9f cc a9 cc a8 cc
90: aa c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0
a0: 27 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00
b0: 9d 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00
c0: 95 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00
d0: 1d 00 17 00 1e 00 19 00 18 00 23 00 00 00 16 00
e0: 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 06
f0: 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08
Thu Jul 22 10:12:09 2021 : Debug: (0) Non-TLS data sent to TLS socket: closing
Thu Jul 22 10:12:09 2021 : Debug: Closing TLS socket from client port 36504
Thu Jul 22 10:12:09 2021 : Debug: Client has closed connection
Thu Jul 22 10:12:09 2021 : Info: ... shutting down socket auth+acct from client (10.244.11.70, 36504) -> (*, 2083, virtual-server=felix-radsec)
Thu Jul 22 10:12:09 2021 : Debug: Waking up in 2.9 seconds.
```
Full Debug log('radiusd -fxx'):
Yes the server is loading UDP servers as well because if the Azure loadbalancer would be able to forward the requests correctly(maybe in the next decade...), we would be able to allow those connections too.
```
FreeRADIUS Version 3.0.24
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/mods-available/always
including configuration file /usr/local/etc/raddb/mods-available/attr_filter
including configuration file /usr/local/etc/raddb/mods-available/date
including configuration file /usr/local/etc/raddb/mods-available/detail
including configuration file /usr/local/etc/raddb/mods-available/detail.log
including configuration file /usr/local/etc/raddb/mods-available/eap
including configuration file /usr/local/etc/raddb/mods-available/echo
including configuration file /usr/local/etc/raddb/mods-available/exec
including configuration file /usr/local/etc/raddb/mods-available/expiration
including configuration file /usr/local/etc/raddb/mods-available/expr
including configuration file /usr/local/etc/raddb/mods-available/logintime
including configuration file /usr/local/etc/raddb/mods-available/preprocess
including configuration file /usr/local/etc/raddb/mods-available/unix
including configuration file /usr/local/etc/raddb/mods-available/utf8
including configuration file /usr/local/etc/raddb/mods-available/linelog
including configuration file /usr/local/etc/raddb/mods-available/rest
including configuration file /usr/local/etc/raddb/mods-available/python3
including configuration file /usr/local/etc/raddb/mods-available/inner-eap
including configuration file /usr/local/etc/raddb/mods-available/mschap
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/sites-available/check-eap-tls
including configuration file /usr/local/etc/raddb/sites-available/virt-serv
including configuration file /usr/local/etc/raddb/sites-available/radsec-serv
including configuration file /usr/local/etc/raddb/sites-available/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/var/log/freeradius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log/freeradius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/freeradius/accounting"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 5300000
postauth_client_lost = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = no
allow_vulnerable_openssl = "CVE-2016-6304"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
Found debugger attached
# Creating Auth-Type = eap
# Creating Auth-Type = inner-eap
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-available/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-available/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-available/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-available/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-available/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-available/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-available/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-available/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-available/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file /usr/local/etc/raddb/mods-available/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-available/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /usr/local/etc/raddb/mods-available/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-available/detail
detail {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail auth_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail reply_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/accounting/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-available/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 5300000
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-available/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-available/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-available/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-available/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-available/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-available/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-available/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-available/utf8
# Loaded module rlm_linelog
# Loading module "log_reply" from file /usr/local/etc/raddb/mods-available/linelog
linelog log_reply {
filename = "/var/log/freeradius/radius-test-detail-log.json"
escape_filenames = no
syslog_severity = "info"
permissions = 420
format = "%t Log for %{jsonquote:%{User-Name}}"
reference = "messages.%{%{reply:Packet-Type}:-format}"
}
# Loading module "log_general_message" from file /usr/local/etc/raddb/mods-available/linelog
linelog log_general_message {
filename = "/var/log/freeradius/radius-test-detail-log.json"
escape_filenames = no
syslog_severity = "info"
permissions = 420
format = "%t Log for %{jsonquote:%{User-Name}}"
reference = "messages.%{%{Packet-Type}:-format}"
}
# Loaded module rlm_rest
# Loading module "rest" from file /usr/local/etc/raddb/mods-available/rest
rest {
connect_timeout = 4.000000
http_negotiation = "default"
}
# Loaded module rlm_python3
# Loading module "python3" from file /usr/local/etc/raddb/mods-available/python3
python3 {
mod_instantiate = "python-magic"
func_instantiate = "instantiate"
mod_authorize = "python-magic"
func_authorize = "authorize"
mod_authenticate = "python-magic"
func_authenticate = "authenticate"
mod_post_auth = "python-magic"
func_post_auth = "post_auth"
python_path = "/etc/raddb/mods-config/python3"
cext_compat = yes
pass_all_vps = no
pass_all_vps_dict = yes
}
# Loading module "inner-eap" from file /usr/local/etc/raddb/mods-available/inner-eap
eap inner-eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 5300000
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-available/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-available/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file /usr/local/etc/raddb/mods-available/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/coa
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-available/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-available/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-available/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-available/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
virtual_server = "check-eap-tls"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/servercert.key"
certificate_file = "/etc/raddb/servercert.pem"
ca_file = "/etc/raddb/ca.crt"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = yes
ecdh_curve = "secp384r1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 2
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-available/expiration
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-available/logintime
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-available/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "log_reply" from file /usr/local/etc/raddb/mods-available/linelog
# Instantiating module "log_general_message" from file /usr/local/etc/raddb/mods-available/linelog
# Instantiating module "rest" from file /usr/local/etc/raddb/mods-available/rest
rlm_rest: libcurl version: libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
rlm_rest (rest): Initialising connection pool
pool {
start = 5
min = 5
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_rest (rest): Opening additional connection (0), 1 of 10 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (1), 1 of 9 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (2), 1 of 8 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (3), 1 of 7 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
rlm_rest (rest): Opening additional connection (4), 1 of 6 pending slots used
rlm_rest (rest): Skipping pre-connect, connect_uri not specified
# Instantiating module "python3" from file /usr/local/etc/raddb/mods-available/python3
Python version: 3.8.5 (default, May 27 2021, 13:30:53) [GCC 9.3.0]
# Instantiating module "inner-eap" from file /usr/local/etc/raddb/mods-available/inner-eap
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-available/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server check-eap-tls { # from file /usr/local/etc/raddb/sites-available/check-eap-tls
# Loading authorize {...}
} # server check-eap-tls
server test { # from file /usr/local/etc/raddb/sites-available/virt-serv
# Loading authenticate {...}
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server test
server test-radsec { # from file /usr/local/etc/raddb/sites-available/radsec-serv
# Loading authenticate {...}
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server test-radsec
server inner-tunnel { # from file /usr/local/etc/raddb/sites-available/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type MS-CHAP for attr Auth-Type
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
thread pool {
start_servers = 3
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 300
cleanup_delay = 5
max_queue_size = 65536
auto_limit_acct = no
}
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread pool initialized
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
Thread 3 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 1 waiting to be assigned a request
client test {
ipaddr = *
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "test"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "acct"
ipaddr = *
port = 1813
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth+acct"
ipaddr = *
port = 2083
proto = "tcp"
tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/servercert-radsec.key"
certificate_file = "/etc/raddb/servercert-radsec.pem"
ca_file = "/etc/raddb/ca-radsec.crt"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = yes
require_client_cert = yes
ecdh_curve = "secp384r1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 2
softfail = yes
}
}
check_client_connections = no
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
client test-radsec {
ipaddr = *
require_message_authenticator = yes
secret = <<< secret >>>
proto = "tls"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server test
Listening on acct address * port 1813 bound to server test
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server test-radsec
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
... new connection request on TCP socket
Listening on auth+acct from client (10.244.11.70, 37068) -> (*, 2083, virtual-server=test-radsec)
Waking up in 0.3 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) Non-TLS data sent to TLS socket: closing
Closing TLS socket from client port 37068
Client has closed connection
... shutting down socket auth+acct from client (10.244.11.70, 37068) -> (*, 2083, virtual-server=test-radsec)
Waking up in 2.9 seconds.
```
Regards,
Lineconnect
2
6
EAP-TLS, anonymous user ids, "WARNING: Outer and inner identities are the same"
by Jason Healy 31 Jul '21
by Jason Healy 31 Jul '21
31 Jul '21
Newbie EAP-TLS question here; we've been using FreeRADIUS for a long time with PEAP-MSCHAPv2 and are trying to make the switch to pure certificate-based auth. Here's the warning I'm getting:
WARNING: Outer and inner identities are the same. User privacy is compromised.
I couldn't find much about this on the list archives (just one post with an unspecified EAP type and non-anonymous ids). I understand that this is a problem with tunneled EAP types (because the outer request isn't secure), but I wasn't sure about EAP-TLS; it doesn't really have an inner/outer, right?
I have a test cert deployed (both real-world client and eapol_test) that is validating on FreeRADIUS. We're using "@suffieldacademy.org" as the anonymized user id, which I believe is the IETF recommendation (anonymous(a)suffieldacademy.org being the second choice).
In the FreeRADIUS config we are ignoring the user id and just relying on the certificate details to authorize the user. We are updating the User-Name attribute in the "check-eap-tls" virtual server, so the cert details are used in the User-Name that is reported back to the NAS. However, the warning is still there (before the virtual "check-eap-tls"), so that doesn't seem to be the way to quiet the message.
So my questions are:
1) Is this warning an issue for EAP-TLS, or is it a harmless side effect of my using an anonymous user id in the request?
2a) If I'm doing it wrong, what should I send as the user id? My MDM only lets me set one user id, so I'm not sure what I would configure differently. If I leave it blank, it sends the certificate CN which seems like a much bigger privacy issue.
2b) If I'm correct that the warning isn't an issue in my use case, is there a way for me to quiet the warning (e.g., by updating the User-Name somehow so the check doesn't trigger the warning)? Just updating the reply:User-Name doesn't stop the error, though the NAS gets the correct value in the reply.
Debug output below (apologies for not having the latest version, but we're targeting Debian Bullseye and there aren't official packages yet as Bullseye doesn't officially release until next month).
Many thanks!
Jason
# freeradius -X
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/sa-check-eap-tls
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client mgmt-wifi-1 {
ipv6addr = 2607:f460:1833:15::/64
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
instantiate {
}
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
virtual_server = "sa-check-eap-tls"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/ssl/private/sa-radius-eduroam-2026.suffieldacademy.org-key.pem"
certificate_file = "/etc/ssl/private/sa-radius-eduroam-2026.suffieldacademy.org-crt.pem"
ca_file = "/etc/ssl/private/sa-radius-eduroam-2026.suffieldacademy.org-root-and-intermediate.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server sa-check-eap-tls { # from file /etc/freeradius/3.0/sites-enabled/sa-check-eap-tls
# Loading authorize {...}
} # server sa-check-eap-tls
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 55009
Listening on proxy address :: port 35913
Ready to process requests
(0) Received Access-Request Id 0 from 127.0.0.1:36986 to 127.0.0.1:1812 length 154
(0) User-Name = "@suffieldacademy.org"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x020d001901407375666669656c6461636164656d792e6f7267
(0) Message-Authenticator = 0x91cf8cf6a1df3fa822a9ef8372a84043
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(0) suffix: No such realm "suffieldacademy.org"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 13 length 25
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 14 length 6
(0) eap: EAP session adding &reply:State = 0xed196798ed176a4f
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(0) EAP-Message = 0x010e00060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xed196798ed176a4fafc8729dfaa7718e
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:36986 to 127.0.0.1:1812 length 343
(1) User-Name = "@suffieldacademy.org"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x020e00c40d0016030100b9010000b50303edb1c3cd3c06f2e8a6892d59e9373d14cbab4d882e70ad6d260c090ef20c2a86000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(1) State = 0xed196798ed176a4fafc8729dfaa7718e
(1) Message-Authenticator = 0x4b74eb6ef3118ac0cf2b501def1b43b7
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(1) suffix: No such realm "suffieldacademy.org"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 14 length 196
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xed196798ed176a4f
(1) eap: Finished EAP session with state 0xed196798ed176a4f
(1) eap: Previous EAP request found for state 0xed196798ed176a4f, released from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Got final TLS record fragment (190 bytes)
(1) eap_tls: WARNING: Total received TLS record fragments (190 bytes), does not equal indicated TLS record length (0 bytes)
(1) eap_tls: [eaptls verify] = ok
(1) eap_tls: Done initial handshake
(1) eap_tls: (other): before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: TLS_accept: before SSL initialization
(1) eap_tls: <<< recv TLS 1.3 [length 00b9]
(1) eap_tls: TLS_accept: SSLv3/TLS read client hello
(1) eap_tls: >>> send TLS 1.2 [length 003d]
(1) eap_tls: TLS_accept: SSLv3/TLS write server hello
(1) eap_tls: >>> send TLS 1.2 [length 0cf8]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate
(1) eap_tls: >>> send TLS 1.2 [length 014d]
(1) eap_tls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_tls: >>> send TLS 1.2 [length 00ce]
(1) eap_tls: TLS_accept: SSLv3/TLS write certificate request
(1) eap_tls: >>> send TLS 1.2 [length 0004]
(1) eap_tls: TLS_accept: SSLv3/TLS write server done
(1) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(1) eap_tls: TLS - In Handshake Phase
(1) eap_tls: TLS - got 3949 bytes of data
(1) eap_tls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 15 length 1024
(1) eap: EAP session adding &reply:State = 0xed196798ec166a4f
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(1) EAP-Message = 0x010f04000dc000000f6d160303003d0200003903035f07837dc5dc6b195285a53fccda39fa9859c791ca27ee97dfc418691071a29e00c030000011ff01000100000b000403000102001700001603030cf80b000cf4000cf100052b308205273082040fa003020102021016b495b805c129f9e47203b49ebf74eb300d06092a864886f70d01010b0500304d31193017060355040a0c105375666669656c642041636164656d793130302e06035504030c275375666669656c642041636164656d792053657276657220496e7465726d656469617465204341301e170d3231303732373139343630305a170d3236303831373030303030305a305031193017060355040a0c105375666669656c642041636164656d793133303106035504030c2a73612d7261646975732d656475726f616d2d323032362e7375666669656c6461636164656d792e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ac792ec4a2f2b24b9a77bcee
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xed196798ec166a4fafc8729dfaa7718e
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 127.0.0.1:36986 to 127.0.0.1:1812 length 153
(2) User-Name = "@suffieldacademy.org"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message = 0x020f00060d00
(2) State = 0xed196798ec166a4fafc8729dfaa7718e
(2) Message-Authenticator = 0xcad4e715b6f0e83413c1962adef02ebf
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(2) suffix: No such realm "suffieldacademy.org"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 15 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xed196798ec166a4f
(2) eap: Finished EAP session with state 0xed196798ec166a4f
(2) eap: Previous EAP request found for state 0xed196798ec166a4f, released from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: Peer ACKed our handshake fragment
(2) eap_tls: [eaptls verify] = request
(2) eap_tls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 16 length 1024
(2) eap: EAP session adding &reply:State = 0xed196798ef096a4f
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(2) EAP-Message = 0x011004000dc000000f6d74703a2f2f63726c2e73656375726577322e636f6d2f63726c2f62383965323134382d313266352d343766332d393336322d3039323931656238343939642f5375666669656c6425323041636164656d79253230536572766572253230496e7465726d65646961746525323043412e63726c300d06092a864886f70d01010b0500038201010041a5f1312f4076cca28e69bb3998f6d742065285bd100c6a2c2a56af40c029bd309969870fd2bc513ffc898fdec94796db27118672b2e9c40a5b5221b5f85042dd3a47c091b7d26f611d01a17d450d0fa94211cc802829ce9b46f13a431c9c77ae226da3a99da6d0b2935d8573924f194e2f65f41acdd61ac7375a9a2bb0194fb3d013a6dfe818ff6b5a3ed2fee8bed9f86502dc2a1b076aafc475589c65fcb10b3b8981743dd05029c03b8e2ce6fee43c89c2a05cfc6923cae98e35f3f560283294abe0683d21076cf448e5fe0072ce47db78f3e551cc7f08d5fbb0c1126d5fcf895ee5a9e8f6
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xed196798ef096a4fafc8729dfaa7718e
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 127.0.0.1:36986 to 127.0.0.1:1812 length 153
(3) User-Name = "@suffieldacademy.org"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x021000060d00
(3) State = 0xed196798ef096a4fafc8729dfaa7718e
(3) Message-Authenticator = 0x48a6d115a3f3d4dbf67bfbae3eae0df6
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(3) suffix: No such realm "suffieldacademy.org"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 16 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xed196798ef096a4f
(3) eap: Finished EAP session with state 0xed196798ef096a4f
(3) eap: Previous EAP request found for state 0xed196798ef096a4f, released from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: Continuing EAP-TLS
(3) eap_tls: Peer ACKed our handshake fragment
(3) eap_tls: [eaptls verify] = request
(3) eap_tls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 17 length 1024
(3) eap: EAP session adding &reply:State = 0xed196798ee086a4f
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(3) EAP-Message = 0x011104000dc000000f6d6d792044657669636520526f6f742043418210784dbd16c8e641e2d5d90ce07d509ff8301d0603551d0e04160414ad7acdb8eeb3b0712a102b31388e5cd7598ec1f7300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186307d0603551d1f047630743072a070a06e866c687474703a2f2f63726c2e73656375726577322e636f6d2f63726c2f31363266616663332d646662662d343438322d623563612d6531393734363938646566302f5375666669656c6425323041636164656d79253230446576696365253230526f6f7425323043412e63726c300d06092a864886f70d01010b050003820101003cf28547280ac1f9af58be2174b48a88863871b3c918bd723f82168da1720031a86c9a54f09ee962fa8f002d5a9f694a94005581e3626ac126f8d3012274854f13b4aa007b04617d7b9220c12d4fc8e4aadc2df2c2c426e8010391f0c479a3934d91d916f54e7a3c54f7bbda51e8900408f9ff4a20d0c7
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xed196798ee086a4fafc8729dfaa7718e
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 127.0.0.1:36986 to 127.0.0.1:1812 length 153
(4) User-Name = "@suffieldacademy.org"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x021100060d00
(4) State = 0xed196798ee086a4fafc8729dfaa7718e
(4) Message-Authenticator = 0x1e86802a1d3a8f909350405386788df1
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(4) suffix: No such realm "suffieldacademy.org"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 17 length 6
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xed196798ee086a4f
(4) eap: Finished EAP session with state 0xed196798ee086a4f
(4) eap: Previous EAP request found for state 0xed196798ee086a4f, released from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: Peer ACKed our handshake fragment
(4) eap_tls: [eaptls verify] = request
(4) eap_tls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 18 length 917
(4) eap: EAP session adding &reply:State = 0xed196798e90b6a4f
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(4) EAP-Message = 0x011203950d8000000f6d0203010001a3423040301d0603551d0e04160414a49c98816337cb47ea13e5d716eabfa6be9e9183300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820101003b62d851368e94b4370710509f61c5aebd1c77ded2122cd1774bf87098304438b2aba99d1f6925f0297eaca819b634d4d3d31b156ded4d4fd9a340c1b89a52b309169aae6821d8a38a3eff3b73821d12a8e719bbad68ac9641d70fed9d5ff310d12a15c94789e9419d582f69a6ade11f7c9b6cb8ba1685bc60ba4c90270f65b6676ed4eb1564f20fcdeb9f8d3f5fb62285e17ae9ef21a37768069e1993ded19128c26f1ec9669a9b1f77b39d721684b434ae7476afd873e97cebcf636f7e706ea44cb8419f6be5cad3353a4f37b5caf2c71ef775eba499b0f74232f89656d856891b358257bde93dfd053005b3ad007f79baf17f1ab33edd4ced67f7d645ff20160303014d0c00014903001741041966
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xed196798e90b6a4fafc8729dfaa7718e
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 127.0.0.1:36986 to 127.0.0.1:1812 length 1565
(5) User-Name = "@suffieldacademy.org"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message = 0x021205800dc000000e501603030cc00b000cbc000cb90004f0308204ec308203d4a00302010202103888adb8c63f74e45be610200664b4b7300d06092a864886f70d01010b0500304d31193017060355040a0c105375666669656c642041636164656d793130302e06035504030c275375666669656c642041636164656d792044657669636520496e7465726d656469617465204341301e170d3231303733303232343530305a170d3232303733303232353530375a304a31193017060355040a0c105375666669656c642041636164656d79312d302b06035504030c2454657374205573657220285465737444657669636520534552313233343536373839302930820122300d06092a864886f70d01010105000382010f003082010a0282010100910abd4f615f6b4785766b9ac52235fe3dfd969ee40f949d9ba6a217abc3abfcc8c00a3ef4825d0c32186472a77e7fce7305031f4ffa9881c115e6d2035bb09152c67d73b23d0bef9aa6c811b58a134d32adf008
(5) State = 0xed196798e90b6a4fafc8729dfaa7718e
(5) Message-Authenticator = 0xa94983a613ff0986e6a71723b562c382
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(5) suffix: No such realm "suffieldacademy.org"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 18 length 1408
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xed196798e90b6a4f
(5) eap: Finished EAP session with state 0xed196798e90b6a4f
(5) eap: Previous EAP request found for state 0xed196798e90b6a4f, released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Peer indicated complete TLS record size will be 3664 bytes
(5) eap_tls: Expecting 3 TLS record fragments
(5) eap_tls: Got first TLS record fragment (1398 bytes). Peer indicated more fragments to follow
(5) eap_tls: [eaptls verify] = first fragment
(5) eap_tls: ACKing Peer's TLS record fragment
(5) eap_tls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 19 length 6
(5) eap: EAP session adding &reply:State = 0xed196798e80a6a4f
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(5) EAP-Message = 0x011300060d00
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xed196798e80a6a4fafc8729dfaa7718e
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 6 from 127.0.0.1:36986 to 127.0.0.1:1812 length 1561
(6) User-Name = "@suffieldacademy.org"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message = 0x0213057c0d4041301e170d3139303730333136313930305a170d3339303730333136303030305a304d31193017060355040a0c105375666669656c642041636164656d793130302e06035504030c275375666669656c642041636164656d792044657669636520496e7465726d65646961746520434130820122300d06092a864886f70d01010105000382010f003082010a0282010100b9025c18a6eaa607aa4e41105bba6eb9c715cfcba59dc536d480a04d4b31d00e2a32138821a47aab35a8e9f889a6c527d6156477e09878326467fdbe98d853263ca81bd49fb1c5a0199a7a55ce3cfa9a6e08d2efeae464652166964536b93e75e8683a2484777109fe62f295231bae432c2fe60ff4d24b73dcb2f4628ad8b9bacb0b38b189ccbc8f0dd492083071f9454b323f028e8970fe2efd06c1c7838d20a821187852e6e76ad70989c07ada0480543114389b3ae5fde013d9f1c7f0bac7a03323f0d95f309e33ea8556477a222ff4f26a0c149a79017a385a856ef27ac7
(6) State = 0xed196798e80a6a4fafc8729dfaa7718e
(6) Message-Authenticator = 0xfd86936da3d74e65255829cc51c5b39a
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(6) suffix: No such realm "suffieldacademy.org"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 19 length 1404
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xed196798e80a6a4f
(6) eap: Finished EAP session with state 0xed196798e80a6a4f
(6) eap: Previous EAP request found for state 0xed196798e80a6a4f, released from the list
(6) eap: Peer sent packet with method EAP TLS (13)
(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Got additional TLS record fragment (1398 bytes). Peer indicated more fragments to follow
(6) eap_tls: [eaptls verify] = more fragments
(6) eap_tls: ACKing Peer's TLS record fragment
(6) eap_tls: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 20 length 6
(6) eap: EAP session adding &reply:State = 0xed196798eb0d6a4f
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(6) EAP-Message = 0x011400060d00
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xed196798eb0d6a4fafc8729dfaa7718e
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 7 from 127.0.0.1:36986 to 127.0.0.1:1812 length 1027
(7) User-Name = "@suffieldacademy.org"
(7) NAS-IP-Address = 127.0.0.1
(7) Calling-Station-Id = "02-00-00-00-00-01"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Connect-Info = "CONNECT 11Mbps 802.11b"
(7) EAP-Message = 0x0214036a0d00b6f31ac23415e410a63f23f2ffecdbb5b804a40ccb008f0030e30a188ce9efe11a0b555d21c0d2fbc332c9c4e7567a3bf44202f12ca460e0d1df0f53b457525c54e8820b1eaae5caaf38078d91e0f89793b1fd1d485a10b6e0fbb1f4a62e1daa1e00b1b583fdc08dcdc0e044bc0c94e962f102940748cbba6303b7c30203010001a3423040301d0603551d0e04160414a49c98816337cb47ea13e5d716eabfa6be9e9183300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820101003b62d851368e94b4370710509f61c5aebd1c77ded2122cd1774bf87098304438b2aba99d1f6925f0297eaca819b634d4d3d31b156ded4d4fd9a340c1b89a52b309169aae6821d8a38a3eff3b73821d12a8e719bbad68ac9641d70fed9d5ff310d12a15c94789e9419d582f69a6ade11f7c9b6cb8ba1685bc60ba4c90270f65b6676ed4eb1564f20fcdeb9f8d3f5fb62285e17ae9ef21a377
(7) State = 0xed196798eb0d6a4fafc8729dfaa7718e
(7) Message-Authenticator = 0x29e0289da62d9fab4a04502cc5f3f368
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(7) suffix: No such realm "suffieldacademy.org"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 20 length 874
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xed196798eb0d6a4f
(7) eap: Finished EAP session with state 0xed196798eb0d6a4f
(7) eap: Previous EAP request found for state 0xed196798eb0d6a4f, released from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: Continuing EAP-TLS
(7) eap_tls: Got final TLS record fragment (868 bytes)
(7) eap_tls: [eaptls verify] = ok
(7) eap_tls: Done initial handshake
(7) eap_tls: TLS_accept: SSLv3/TLS write server done
(7) eap_tls: <<< recv TLS 1.2 [length 0cc0]
(7) eap_tls: TLS - Creating attributes from certificate OIDs
(7) eap_tls: TLS - Creating attributes from certificate OIDs
(7) eap_tls: TLS-Cert-Serial := "460d875635c64859ebabee3bba64e93f"
(7) eap_tls: TLS-Cert-Expiration := "390703160000Z"
(7) eap_tls: TLS-Cert-Valid-Since := "190703161900Z"
(7) eap_tls: TLS-Cert-Subject := "/O=Suffield Academy/CN=Suffield Academy Device Intermediate CA"
(7) eap_tls: TLS-Cert-Issuer := "/O=Suffield Academy/CN=Suffield Academy Device Root CA"
(7) eap_tls: TLS-Cert-Common-Name := "Suffield Academy Device Intermediate CA"
(7) eap_tls: TLS - Creating attributes from certificate OIDs
(7) eap_tls: TLS-Client-Cert-Serial := "3888adb8c63f74e45be610200664b4b7"
(7) eap_tls: TLS-Client-Cert-Expiration := "220730225507Z"
(7) eap_tls: TLS-Client-Cert-Valid-Since := "210730224500Z"
(7) eap_tls: TLS-Client-Cert-Subject := "/O=Suffield Academy/CN=Test User (TestDevice SER1234567890)"
(7) eap_tls: TLS-Client-Cert-Issuer := "/O=Suffield Academy/CN=Suffield Academy Device Intermediate CA"
(7) eap_tls: TLS-Client-Cert-Common-Name := "Test User (TestDevice SER1234567890)"
(7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Email := "USERNAME(a)suffieldacademy.org"
(7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "FILEMAKER_ID"
(7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Upn := "Test User (TestDevice SER1234567890)"
(7) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:3E:93:53:11:87:4F:79:3B:00:46:29:37:DB:15:7D:50:48:DA:3F:B9\nDirName:/O=Suffield Academy/CN=Suffield Academy Device Root CA\nserial:46:0D:87:56:35:C6:48:59:EB:AB:EE:3B:BA:64:E9:3F\n"
(7) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "33:6E:27:C7:39:B0:26:C5:9F:35:61:E3:F1:37:A1:51:C0:AF:35:12"
(7) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(7) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(7) eap_tls: <<< recv TLS 1.2 [length 0046]
(7) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(7) eap_tls: <<< recv TLS 1.2 [length 0108]
(7) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(7) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(7) eap_tls: <<< recv TLS 1.2 [length 0010]
(7) eap_tls: TLS_accept: SSLv3/TLS read finished
(7) eap_tls: >>> send TLS 1.2 [length 0001]
(7) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(7) eap_tls: >>> send TLS 1.2 [length 0010]
(7) eap_tls: TLS_accept: SSLv3/TLS write finished
(7) eap_tls: (other): SSL negotiation finished successfully
(7) eap_tls: TLS - Connection Established
(7) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) eap_tls: TLS-Session-Version = "TLS 1.2"
(7) eap_tls: TLS - got 51 bytes of data
(7) eap_tls: [eaptls process] = handled
(7) eap: Sending EAP Request (code 1) ID 21 length 61
(7) eap: EAP session adding &reply:State = 0xed196798ea0c6a4f
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(7) EAP-Message = 0x0115003d0d8000000033140303000101160303002820c44dde9158efed9aece8c93ee8753b97e7e7cb3b5a86a995ae4745e0563177d6272983cdb2f385
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xed196798ea0c6a4fafc8729dfaa7718e
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 8 from 127.0.0.1:36986 to 127.0.0.1:1812 length 153
(8) User-Name = "@suffieldacademy.org"
(8) NAS-IP-Address = 127.0.0.1
(8) Calling-Station-Id = "02-00-00-00-00-01"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) EAP-Message = 0x021500060d00
(8) State = 0xed196798ea0c6a4fafc8729dfaa7718e
(8) Message-Authenticator = 0xeba025748d58c526df75cc7d256c079e
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "suffieldacademy.org" for User-Name = "@suffieldacademy.org"
(8) suffix: No such realm "suffieldacademy.org"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 21 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xed196798ea0c6a4f
(8) eap: Finished EAP session with state 0xed196798ea0c6a4f
(8) eap: Previous EAP request found for state 0xed196798ea0c6a4f, released from the list
(8) eap: Peer sent packet with method EAP TLS (13)
(8) eap: Calling submodule eap_tls to process data
(8) eap_tls: Continuing EAP-TLS
(8) eap_tls: Peer ACKed our handshake fragment. handshake is finished
(8) eap_tls: [eaptls verify] = success
(8) eap_tls: [eaptls process] = success
(8) eap_tls: Validating certificate
(8) Virtual server sa-check-eap-tls received request
(8) User-Name = "@suffieldacademy.org"
(8) NAS-IP-Address = 127.0.0.1
(8) Calling-Station-Id = "02-00-00-00-00-01"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) EAP-Message = 0x021500060d00
(8) State = 0xed196798ea0c6a4fafc8729dfaa7718e
(8) Message-Authenticator = 0xeba025748d58c526df75cc7d256c079e
(8) Event-Timestamp = "Jul 30 2021 22:19:59 EDT"
(8) EAP-Type = TLS
(8) TLS-Cert-Serial := "460d875635c64859ebabee3bba64e93f"
(8) TLS-Cert-Expiration := "390703160000Z"
(8) TLS-Cert-Valid-Since := "190703161900Z"
(8) TLS-Cert-Subject := "/O=Suffield Academy/CN=Suffield Academy Device Intermediate CA"
(8) TLS-Cert-Issuer := "/O=Suffield Academy/CN=Suffield Academy Device Root CA"
(8) TLS-Cert-Common-Name := "Suffield Academy Device Intermediate CA"
(8) TLS-Client-Cert-Serial := "3888adb8c63f74e45be610200664b4b7"
(8) TLS-Client-Cert-Expiration := "220730225507Z"
(8) TLS-Client-Cert-Valid-Since := "210730224500Z"
(8) TLS-Client-Cert-Subject := "/O=Suffield Academy/CN=Test User (TestDevice SER1234567890)"
(8) TLS-Client-Cert-Issuer := "/O=Suffield Academy/CN=Suffield Academy Device Intermediate CA"
(8) TLS-Client-Cert-Common-Name := "Test User (TestDevice SER1234567890)"
(8) TLS-Client-Cert-Subject-Alt-Name-Email := "USERNAME(a)suffieldacademy.org"
(8) TLS-Client-Cert-Subject-Alt-Name-Dns := "FILEMAKER_ID"
(8) TLS-Client-Cert-Subject-Alt-Name-Upn := "Test User (TestDevice SER1234567890)"
(8) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:3E:93:53:11:87:4F:79:3B:00:46:29:37:DB:15:7D:50:48:DA:3F:B9\nDirName:/O=Suffield Academy/CN=Suffield Academy Device Root CA\nserial:46:0D:87:56:35:C6:48:59:EB:AB:EE:3B:BA:64:E9:3F\n"
(8) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "33:6E:27:C7:39:B0:26:C5:9F:35:61:E3:F1:37:A1:51:C0:AF:35:12"
(8) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(8) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(8) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server sa-check-eap-tls {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/sa-check-eap-tls
(8) authorize {
(8) update reply {
(8) User-Name := "EAP-TLS Updated"
(8) } # update reply = noop
(8) update config {
(8) &Auth-Type := Accept
(8) } # update config = noop
(8) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(8) auth_log: --> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20210730
(8) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20210730
(8) auth_log: EXPAND %t
(8) auth_log: --> Fri Jul 30 22:19:59 2021
(8) [auth_log] = ok
(8) } # authorize = ok
(8) Found Auth-Type = Accept
(8) Auth-Type = Accept, accepting the user
(8) } # server sa-check-eap-tls
(8) Virtual server sending reply
(8) User-Name := "EAP-TLS Updated"
(8) eap: Sending EAP Success (code 3) ID 21 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(8) post-auth {
(8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(8) update {
(8) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(8) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(8) } # update = noop
(8) [exec] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # post-auth = noop
(8) Sent Access-Accept Id 8 from 127.0.0.1:1812 to 127.0.0.1:36986 length 0
(8) User-Name := "EAP-TLS Updated"
(8) MS-MPPE-Recv-Key = 0x384da21259dec571f742f183335e2019e995dc038196eae046b4e091c76d1075
(8) MS-MPPE-Send-Key = 0xa0a6bc57390ba56b1b538bc0e377231d6379de8e7265ddc348ed7d684cba7762
(8) EAP-Message = 0x03150004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) Finished request
2
2
Hello,
is there any method to reload freeradius after update configuration files (
clients.conf, radiusd.conf, defaults, ...) without restarting server
i have tested this after adding new client on clients.conf but it doesn't
work for me:
kill -HUP $(cat var/run/radiusd.pid)
Thanks
Bassem
3
3
Can I delete "stopped" records from the FreeRadius table radacct directly with SQL?
by Roland.Baldin@telekom.de 30 Jul '21
by Roland.Baldin@telekom.de 30 Jul '21
30 Jul '21
Hi,
I am new to this mailing list and I am very existing about to get in touch with you.
We are using in one of our IoT services the FreeRadius server and we are happy with it.
During the last year the tables radacct and radpostauth got really big.
Unfortunately I cannot stop the radius server and do some cleanup. I have to do it during operation.
My question is: Can I delete the records for which acctstoptime IS NOT NULL form the radacct table and can I delete records from radpostauth table without any problems to the current productive system?
I scanned the network about it very much but unfortunately and I couldn’t find some hint about it ☹
Maybe you can help.
Regards, Roland
____________________________________________________
DEUTSCHE TELEKOM IOT GMBH
Squad IoT Creators
Roland Baldin
IoT Engineer
Pascalstr. 11, 10587 Berlin, Germany
+49 (160)70 33 606
roland.baldin(a)telekom.de<mailto:roland.baldin@telekom.de>
https://iot.telekom.com/en
https://iotcreators.com/en/
LIFE IS FOR SHARING.
The compulsory statement can be found here: https://iot.telekom.com/en/compulsory-statement
We care – Enabling more sustainability and participation.
Further information on the Telekom Sustainability Initiative: https://wecare.telekom.com/en/label/
2
2
Greetings,
Running FreeRADIUS Version 3.0.13 on CentOS7.
Referencing official Mac-Auth wiki page:
https://wiki.freeradius.org/guide/mac-auth
Per wiki, created/modified the below files:
- raddb/mods-available/files (replaced existing file per wiki instructions
with provided content)
- raddb/authorized_macs (created new file with my list of MAC addresses
with provided syntax)
- raddb/sites-available/default (added the canonicalisation policy and new
files call per wiki)
Running radius -X resulted in a deprecation warning of the compat line, and
an invalid syntax error for the files module.
Removing the compat line results in the debug output provided below, where
it states it was unable to find "files" as a module or policy as called in
the preacct section of the sites-enabled/default file.
This is the files module as it appears in mods-available and mods-enabled:
files authorized_macs {
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
key = %{Calling-Station-ID}
usersfile = ${confdir}/authorized_macs
}
This is the authorize section of default:
273 authorize {
274 preprocess
275
276 # If cleaning up the Calling-Station-Id...
277 rewrite_calling_station_id
278
279 # Now check against the authorized_macs file
280 authorized_macs
281
282 if (!ok) {
283 # No match was found, so reject
284 reject
285 }
286 else {
287 # The MAC address was found, so update Auth-Type
288 # to accept this auth.
289 update control {
290 Auth-Type := Accept
291 }
292 }
293 }
This is the preacct section of default:
400 preacct {
401 preprocess
402
403 #
404 # Merge Acct-[Input|Output]-Gigawords and
Acct-[Input-Output]-Octets
405 # into a single 64bit counter Acct-[Input|Output]-Octets64.
406 #
407 # acct_counters64
408
409 #
410 # Session start times are *implied* in RADIUS.
411 # The NAS never sends a "start time". Instead, it sends
412 # a start packet, *possibly* with an Acct-Delay-Time.
413 # The server is supposed to conclude that the start time
414 # was "Acct-Delay-Time" seconds in the past.
415 #
416 # The code below creates an explicit start time, which can
417 # then be used in other modules. It will be *mostly*
correct.
418 # Any errors are due to the 1-second resolution of RADIUS,
419 # and the possibility that the time on the NAS may be off.
420 #
421 # The start time is: NOW - delay - session_length
422 #
423
424 # update request {
425 # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l -
%{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
426 # }
427
428
429 #
430 # Ensure that we have a semi-unique identifier for every
431 # request, and many NAS boxes are broken.
432 acct_unique
433
434 #
435 # Look for IPASS-style 'realm/', and if not found, look for
436 # '@realm', and decide whether or not to proxy, based on
437 # that.
438 #
439 # Accounting requests are generally proxied to the same
440 # home server as authentication requests.
441 # IPASS
442 suffix
443 # ntdomain
444
445 #
446 # Read the 'acct_users' file
447 files
448 }
Here is the debug log:
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "authorized_macs" from file /etc/raddb/mods-enabled/files
files authorized_macs {
usersfile = "/etc/raddb/authorized_macs"
key = "%{Calling-Station-ID}"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "authorized_macs" from file
/etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/authorized_macs
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
/etc/raddb/sites-enabled/default[447]: Failed to find "files" as a module
or policy.
/etc/raddb/sites-enabled/default[447]: Please verify that the configuration
exists in /etc/raddb/mods-enabled/files.
/etc/raddb/sites-enabled/default[400]: Errors parsing preacct section.
Any assistance is greatly appreciated.
Thanks,
Taylor
1
1
Hi,
I have been scouring the Internet for a few days now looking for
information about
setting up 2 FA with AD (ntlm_auth) and Yubikey
I found this , which was very useful but it seems to rely on adding the
yubikey to the AD account .
I was hoping to be able to do it without making changes to the AD accounts
Is this possible ?
http://lists.freeradius.org/pipermail/freeradius-users/2021-February/099521…
Basically, the workflow that I am looking for is
1. configure Apache website with AddRadiusAuth pointing to radius
server (DONE)
2. configure freeradius ntlm_auth ( by leveraging samba/winbind)
(DONE)
I was able to connect to the website using my AD credentials
3. configure self-hosted yubico server to validate yubikeys (DONE)
tested
3. install and configure freeradius yubikey
This I am not sure how to test
4. configure freeradius to authenticate via ntlm_auth and, if
successful, via yubikey
This where I am stuck
Here are some details
10.10.30.111 - Yubikey validation server
10.10.30.112 - where Apache website is hosted
10.10.30.114 - FreeRADIUS Version 3.0.16
"..
ntlm_auth: Program executed successfully
(0) [ntlm_auth] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update reply {
(0) EXPAND %{randstr:aaaaaaaaaaaaaaaa}
(0) --> t6cJ6I2cWiGii1aG
(0) State := 0x7436634a364932635769476969316147
(0) Reply-Message := "Please enter OTP"
(0) } # update reply = noop
(0) policy challenge {
(0) update control {
(0) &Response-Packet-Type = Access-Challenge
(0) } # update control = noop
(0) [handled] = handled
(0) } # policy challenge = handled
(0) } # if (ok) = handled
(0) } # Auth-Type ntlm_auth = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 105 from 10.10.30.114:1812 to 10.10.30.112:1026
length 0
(0) State := 0x7436634a364932635769476969316147
(0) Reply-Message := "Please enter OTP"
(0) Finished request
Waking up in 4.9 seconds.
.."
sites-enabled excerpt
if (!control:Auth-Type) {
update control {
Auth-Type = "ntlm_auth"
}
}
}
authenticate {
Auth-Type ntlm_auth {
ntlm_auth
if (ok) {
update reply {
State := "%{randstr:aaaaaaaaaaaaaaaa}"
Reply-Message := "Please enter OTP"
}
challenge
}
}
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
ntlm_auth
yubikey
eap
..."
/mods-enabled/yubikey
"...
yubikey {
id_length = 12
split = yes
decrypt = no
validate = yes
validation {
servers {
uri = '
http://10.10.30.111/wsapi/2.0/verify?id=%d&otp=%s'
}
client_id = 1
api_key = 'my_key'
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
spread = yes
}
}
}
..."
Any guidance / help will be greatly appreciated
Also, if there is a better scalable/ enterprise ready way to configure
freeradius 2FA with AD and Yubikey I'll be happy to look into it
Many thanks
Steven
2
1