Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2022
- 26 participants
- 33 discussions
All,
I've got authentication working nicely with MSCHAP, but now I'd like to
only allow users that are members of a certain AD group.
I would prefer to have this happen only when requests come from a
specific client (wireless access point). In this case the idea is to
have users only be able to get wireless access when they're in a
specific AD group.
How can I do this in freeradius?
Thanks,
Brian
7
18
Hello Alan, how are you? I ran some tests as fast as I could.
Now it's giving the following message:
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
NAS 2804:444:1:1::2 was added normally:
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
Authentication normally takes place with IPv6. The problem is with checkrad.
Below is the Access-Request package and the freeradius -X command output.
Could you help please?
Thank you!
Fabricio Viana
root@li1268-188:/# freeradius -v
radiusd: FreeRADIUS Version 3.0.24 (git #83d87a2), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.24
(0) Received Access-Request Id 142 from [2804:444:1:1::2]:33926 to [2600:4a00::f132:91a4:f567:34fd]:1812 length 185
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15813747
(0) NAS-Port-Type = Ethernet
(0) User-Name = "joseph.test"
(0) Calling-Station-Id = "AA:BB:B6:41:33:AA"
(0) Called-Station-Id = "pppoe-server-olt02"
(0) NAS-Port-Id = "ether3.501-PPPoE-OLT02"
(0) CHAP-Challenge = 0x388b23cbdc8d67936f09a731c70acf6e
(0) CHAP-Password = 0x018003bc3835139074138c89d63370276a
(0) NAS-Identifier = "R1.ITU"
(0) NAS-IPv6-Address = 2804:444:1:1::2
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) {
(0) EXPAND %{Cisco-AVPair[*]}
(0) -->
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE
(0) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) else {
(0) update request {
(0) EXPAND %{toupper:%{Calling-Station-Id}}
(0) --> AA:BB:B6:41:33:AA
(0) Calling-Station-Id := AA:BB:B6:41:33:AA
(0) } # update request = noop
(0) } # else = noop
(0) if (!control:Cleartext-Password){
(0) if (!control:Cleartext-Password) -> TRUE
(0) if (!control:Cleartext-Password) {
(0) update control {
(0) Cleartext-Password := "no_user_found_radiusnet"
(0) } # update control = noop
(0) } # if (!control:Cleartext-Password) = noop
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "ellen8858"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Conditional check items matched
(0) sql: Group "2BLO": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Merging reply items
(0) sql: Mikrotik-Rate-Limit = "100k/100k"
(0) sql: WISPr-Bandwidth-Max-Down = 100000
(0) sql: WISPr-Bandwidth-Max-Up = 100000
(0) sql: Framed-Pool = "pool_bloqueados"
(0) sql: Mikrotik-Address-List = "bloqueados"
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "joseph.test" authenticated successfully
(0) [chap] = ok
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group){
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group) -> FALSE
(0) if (reject && Framed-Protocol == PPP) {
(0) if (reject && Framed-Protocol == PPP) -> FALSE
(0) if (invalid && Framed-Protocol == PPP) {
(0) if (invalid && Framed-Protocol == PPP) -> FALSE
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /etc/freeradius/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> joseph.test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
FreeRADIUS Version 3.0.24
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/sqlippool_v4
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/sqlippool
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/sql
including configuration file /etc/freeradius/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/ddns_exec
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/sqlippool_v6
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries_v6.conf
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/digest
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/accounting
/etc/freeradius/policy.d/accounting[42]: Reference "${IDRADIUSSERVER}" not found
/etc/freeradius/policy.d/accounting[54]: Reference "${IDRADIUSSERVER}" not found
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/control
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/freeradius.env
including configuration file /etc/freeradius/ddns.env
main {
security {
user = "root"
group = "root"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/var/scriptsradius/callcheckrad.sh"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_sqlippool
# Loading module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
sqlippool sqlippool_v4 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
sqlippool {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "192.0.2.2"
port = 3306
login = "radius_user"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6prefix, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', UTC_TIMESTAMP(), UTC_TIMESTAMP(), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Prefix}', '%{Delegated-IPv6-Prefix}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = UTC_TIMESTAMP(), acctinterval = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', framedipv6prefix = '%{Framed-IPv6-Prefix}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctstoptime = NULL, nasportid = '%{NAS-Port-Id}', calledstationid = '%{Called-Station-Id}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' OR AcctUniqueId = '%{Segundo-AcctUnique-Id}' OR AcctUniqueId = '%{Terceiro-AcctUnique-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "ddns_del" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_del {
wait = yes
program = "/var/scriptsradius/ddns.php del %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ddns_add" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_add {
wait = yes
program = "/var/scriptsradius/ddns.php add %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
sqlippool sqlippool_v6 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippoolv6 WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippoolv6 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippoolv6 WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
instantiate {
}
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
# Instantiating module "sql" from file /etc/freeradius/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.7.35
mysql {
tls {
tls_required = no
check_cert = no
check_cert_cn = no
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
# Instantiating module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 38092
Listening on proxy address :: port 58617
Ready to process requests
2
3
Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)"
by CpServiceSPb 11 Sep '22
by CpServiceSPb 11 Sep '22
11 Sep '22
I use Freeradius 3.0.21 on Ubuntu 18.04 x64 LTS.
It is started under freerad:freerad, acts as DHCP as well listen to 0.0.0.0
IP and accept broadcast on one of two interfaces and listen to
192.168.0.254 and not accept broadcast on other one interface.
During DHCP conversation with clients using broadcast accepting (IP
0.0.0.0) interface, the following message is got and DHCP don' t assign to
the client:
"Failed adding ARP entry: Failed to add entry in ARP cache: Operation not
permitted (1)"
I don' t want to launch Freeradius under either root user or root/admin
group.
What is the best solution to avoid the error under freerad:freerad and move
on ?
4
7
Hi Together,
we finally got the issue and for the anyone else, how will face the issue, the fix is quite simple. Update your TPM Firmware!
In fact, during the authentication the client is sending a signature which only includes nulls. The packet itself is intact, sizes of the packets are valid and the signature algorithm is also well. The only thing that's not in the tls authentication is a signature. :
````
(4) eap_tls: <<< recv TLS 1.2 (type: 0016) [length 0108] handshake_type: 0f, alert_level: 00, alert_description: 00
0f000104 TLS handshake certificate_verify len 0x000104 = 260
0804 signature algorithm: rsa_pss_rsae_sha256
0100 signature size: 0x0100 = 256
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 000000000000
````
That's also the reason why some of our clients are able to authenticate and some not, with the key, stored in TPM.
Intel ships end customer TPM updater, STM as we know not. We also don't have clients with Infineon chips but they should also ship updates to the end customer.
FYI: This was a team operation and thanks to all that helped here.
Regards,
Lineconnnect
<quote author='Users mailing list'>
2 months later, a quick update on this topic (apologies, I may have
broken the threading as I don't have a copy of the original e-mails any
more!), just so there's an online reference here for anyone encountering
the same error.
Turns out I was wrong about it being Windows and OpenSSL getting muddled
over TLS 1.2 vs. 1.3...
To recap: Windows 10 clients, corporate WiFi network using EAP-TLS to
RADIUS with machine certificate (SCEP) authentication only.
Error in Freeradius logs:
(6) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
tls: TLS_accept: Error in error
(6) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(6) eap_tls: ERROR: error:0407E086:rsa
routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
(6) eap_tls: ERROR: error:1417B07B:SSL
routines:tls_process_cert_verify:bad signature
(6) eap_tls: ERROR: System call (I/O) error (-1)
(6) eap_tls: ERROR: TLS receive handshake failed during operation
(6) eap_tls: ERROR: [eaptls process] = fail
After encountering the error on a few machines again, even with
"tls_max_version" set, I delved into the guts of Windows again, and
found the error (which isn't helpful or descriptive) was actually caused
because:
* Some machine certificates had were stored/managed by the "Microsoft
Platform Crypto Provider" (TPM-backed)
* Built-in security measures control access to keys in that CSP, and it
cannot be used non-interactively
* Windows WiFi profile was set to auto-join (non-interactive)
* Windows couldn't get the key, so $deity knows what signature it was
sending
* OpenSSL rightly got confused
The solution:
Ensure machine certificate keys are stored in the "Microsoft Software
Key Storage Provider" (or another CSP/KSP that permits non-interactive
use).
All is well again, and I'm close to shutting down NPS :-)
--
Peter Bance
Information Security Adviser
Alan DeKok wrote:
> A final update on this, in case anyone here's interested (or to "wrap
> up" for anyone stumbling across this thread online) - I fixed it, and
> Windows clients are now happily joining WiFi. It's a beautiful thing to
> behold :-)
>
> In the end, I had to force OpenSSL on FreeRADIUS to stop offering
> TLS1.3 ciphers using the mods/eap config:
>
> tls_max_version = "1.2"
Good to hear.
> It seems there may be a bug in OpenSSL 1.1.1 such that even though the
> negotiation resulted in a TLS 1.2 session, the weird back-port of TLS
> 1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking
> for TLS 1.3 style signatures inappropriately.
Weird, but OK. It's OpenSSL :(
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
</quote>
Quoted from:
http://freeradius.1045715.n5.nabble.com/RE-EAP-TLS-Signature-Check-Failure-…
_____________________________________
Sent from http://freeradius.1045715.n5.nabble.com
3
4
Dear folks,
I hope you are enjoying the Christmas season and my best wishes for the
2022,
Sorry if this question is not strictly related to FreeRadius but rather on
the tools it interacts with for a better management of the WiFi accesses.
I'm looking for suggestions/ideas that can point me in the right direction
I have used Freeradius with its 2.0 version for my home project few years
back, Now I'm in charge of providing wireless access in an environment with
a few small companies.
To better organize the air-media and avoid media competition or conflicts
we would like to have just one/two SSIDs and then grant access to
companies' employees or devices.
So far so good, because for devices that can use 802.1x we can proxy
Access-requests to the RADIUS server of each company.
Problems come with non smart devices that still use PSK; I know iPSK helps
a lot but I don't know how to delegate the management of MAC addresses. I'm
not taking into account a text file to manage them; can we use a DB for
iPSK too? And related to the DB is there a way to manage iPSK devices in
this way? Just one table and a value specific to each company and small web
interface that will handle only fields specific to each company?
Would you have any other ideas to share with the community?
Thanks,
Alex
2
5
Hello there
I was checking the information provided about this issue on this thread
-
http://lists.freeradius.org/pipermail/freeradius-users/2021-September/10066…
- and was wondering if anyone had a chance to look at this ? This issue
is hitting a scenario I have been involved and we have been eagerly
waiting for a fix so we can use our NAS with IPv6-only.
In some recent scenarios where more recent ISPs have only IPv6 addresses
provided by their RIRs it will become more common scenarios like this,
as well as other usages towards security as well.
Would anyone involved in that discussion be able to describe what would
take to fix that issue ? Alan, I saw you applied some fixes already and
was progressing with it, but by the report of the person who reported
the issue it seems it didn't work yet.
Many thanks
Fernando
2
4
Hi Experts,
I need a help to know why this problem is coming in Free radius which i am usuing as it was working properly before but now when we connect the Cisco 9000 Series nexus switch we are facing this problem.
Should we need to tweak some parameter in freeradius file to recover this. I have no idea how can i recover it can anyone help or guide.
(7) eap: Expiring EAP session with state 0x287d8eea2e74834b(7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x287d8eea2d75834b(7) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request(7) eap: Failed in handler(7) [eap] = invalid(7) } # authenticate = invalid(7) Failed to authenticate the user(7) Using Post-Auth-Type Reject(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(7) Post-Auth-Type REJECT {(7) attr_filter.access_reject: EXPAND %{User-Name}(7) attr_filter.access_reject: --> E23D364711.x.com(7) attr_filter.access_reject: Matched entry DEFAULT at line 11(7) [attr_filter.access_reject] = updated(7) eap: Expiring EAP session with state 0x287d8eea2e74834b(7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x287d8eea2d75834b(7) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request(7) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
Complete freearidus config and logs I pasted here
root@radius-3:/etc/freeradius/3.0/certs# freeradius -X
FreeRADIUS Version 3.0.16Copyright (C) 1999-2017 The FreeRADIUS server project and contributorsThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSEYou may redistribute copies of FreeRADIUS under the terms of theGNU General Public LicenseFor more information about these matters, see the file named COPYRIGHTStarting - reading configuration files ...including dictionary file /usr/share/freeradius/dictionaryincluding dictionary file /usr/share/freeradius/dictionary.dhcpincluding dictionary file /usr/share/freeradius/dictionary.vqpincluding dictionary file /etc/freeradius/3.0/dictionaryincluding configuration file /etc/freeradius/3.0/radiusd.confincluding configuration file /etc/freeradius/3.0/proxy.confincluding configuration file /etc/freeradius/3.0/clients.confincluding files in directory /etc/freeradius/3.0/mods-enabled/including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clientsincluding configuration file /etc/freeradius/3.0/mods-enabled/detailincluding configuration file /etc/freeradius/3.0/mods-enabled/passwdincluding configuration file /etc/freeradius/3.0/mods-enabled/replicateincluding configuration file /etc/freeradius/3.0/mods-enabled/attr_filterincluding configuration file /etc/freeradius/3.0/mods-enabled/sohincluding configuration file /etc/freeradius/3.0/mods-enabled/echoincluding configuration file /etc/freeradius/3.0/mods-enabled/sradutmpincluding configuration file /etc/freeradius/3.0/mods-enabled/radutmpincluding configuration file /etc/freeradius/3.0/mods-enabled/detail.logincluding configuration file /etc/freeradius/3.0/mods-enabled/papincluding configuration file /etc/freeradius/3.0/mods-enabled/linelogincluding configuration file /etc/freeradius/3.0/mods-enabled/realmincluding configuration file /etc/freeradius/3.0/mods-enabled/expirationincluding configuration file /etc/freeradius/3.0/mods-enabled/unixincluding configuration file /etc/freeradius/3.0/mods-enabled/mschapincluding configuration file /etc/freeradius/3.0/mods-enabled/filesincluding configuration file /etc/freeradius/3.0/mods-enabled/preprocessincluding configuration file /etc/freeradius/3.0/mods-enabled/exprincluding configuration file /etc/freeradius/3.0/mods-enabled/logintimeincluding configuration file /etc/freeradius/3.0/mods-enabled/alwaysincluding configuration file /etc/freeradius/3.0/mods-enabled/cache_eapincluding configuration file /etc/freeradius/3.0/mods-enabled/eapincluding configuration file /etc/freeradius/3.0/mods-enabled/chapincluding configuration file /etc/freeradius/3.0/mods-enabled/utf8including configuration file /etc/freeradius/3.0/mods-enabled/execincluding configuration file /etc/freeradius/3.0/mods-enabled/digestincluding configuration file /etc/freeradius/3.0/mods-enabled/unpackincluding configuration file /etc/freeradius/3.0/mods-enabled/ntlm_authincluding files in directory /etc/freeradius/3.0/policy.d/including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-idsincluding configuration file /etc/freeradius/3.0/policy.d/controlincluding configuration file /etc/freeradius/3.0/policy.d/cuiincluding configuration file /etc/freeradius/3.0/policy.d/abfab-trincluding configuration file /etc/freeradius/3.0/policy.d/operator-nameincluding configuration file /etc/freeradius/3.0/policy.d/canonicalizationincluding configuration file /etc/freeradius/3.0/policy.d/filterincluding configuration file /etc/freeradius/3.0/policy.d/debugincluding configuration file /etc/freeradius/3.0/policy.d/eapincluding configuration file /etc/freeradius/3.0/policy.d/dhcpincluding configuration file /etc/freeradius/3.0/policy.d/accountingincluding files in directory /etc/freeradius/3.0/sites-enabled/including configuration file /etc/freeradius/3.0/sites-enabled/defaultincluding configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnelmain { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius"}main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes }}radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { }radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.67.178.249 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.249. Please fix your configurationSupport for old-style clients will be removed in a future release client 10.67.178.153 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.153. Please fix your configurationSupport for old-style clients will be removed in a future release client 10.67.178.27 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.27. Please fix your configurationSupport for old-style clients will be removed in a future release client 10.67.178.28 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.28. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f007 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f007. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d980::f007 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d980::f007. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f008 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f008. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d980::f008 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d980::f008. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f010 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f010. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f005 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f005. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f006 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f006. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f009 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f009. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f013 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f013. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f014 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f014. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f012 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f012. Please fix your configurationSupport for old-style clients will be removed in a future releaseDebugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAPradiusd: #### Instantiating modules #### modules { # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" }Creating attribute Unix-Group # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } instantiate { } # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwdrlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.logrlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschaprlm_mschap (mschap): using internal authentication # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/filesreading pairlist file /etc/freeradius/3.0/mods-config/files/authorizereading pairlist file /etc/freeradius/3.0/mods-config/files/accountingreading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocessreading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroupsreading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eaprlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/radius_EJBCA_ederawa_key.pem" certificate_file = "/etc/freeradius/3.0/certs/radius_802_oam_crl.pem" ca_file = "/etc/freeradius/3.0/certs/Root_OAM_802_CRL_21.cert" dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no }tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no }tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } } # modulesradiusd: #### Loading Virtual Servers ####server { # from file /etc/freeradius/3.0/radiusd.conf} # serverserver default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...}Ignoring "sql" (see raddb/mods-available/README.rst)Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...}} # server defaultserver inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331} # server inner-tunnelradiusd: #### Opening IP addresses and Ports ####listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "auth" ipaddr = 127.0.0.1 port = 18120}Listening on auth address * port 1812 bound to server defaultListening on acct address * port 1813 bound to server defaultListening on auth address :: port 1812 bound to server defaultListening on acct address :: port 1813 bound to server defaultListening on auth address 127.0.0.1 port 18120 bound to server inner-tunnelListening on proxy address * port 42911Listening on proxy address :: port 55432Ready to process requests(0) Received Access-Request Id 121 from 10.67.178.153:58216 to 10.67.178.154:1812 length 198(0) User-Name = "E23D364711.x.com"(0) Cisco-NAS-Port = "Ethernet1/18"(0) NAS-Port = 50118(0) NAS-Port-Id = "Ethernet1/18"(0) Service-Type = Framed-User(0) Framed-MTU = 1500(0) Called-Station-Id = "2C-D0-2D-56-9A-11"(0) Calling-Station-Id = "7C-72-6E-05-F9-E2"(0) EAP-Message = 0x0202001c01453233443336343731312e6572696373736f6e2e636f6d(0) Message-Authenticator = 0x830c70264b098bbbe7c704142347f419(0) NAS-Port-Type = Ethernet(0) NAS-Identifier = "1"(0) NAS-IP-Address = 10.67.178.153(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(0) authorize {(0) policy filter_username {(0) if (&User-Name) {(0) if (&User-Name) -> TRUE(0) if (&User-Name) {(0) if (&User-Name =~ / /) {(0) if (&User-Name =~ / /) -> FALSE(0) if (&User-Name =~ /@[^@]*@/ ) {(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(0) if (&User-Name =~ /\.\./ ) {(0) if (&User-Name =~ /\.\./ ) -> FALSE(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(0) if (&User-Name =~ /\.$/) {(0) if (&User-Name =~ /\.$/) -> FALSE(0) if (&User-Name =~ /(a)\./) {(0) if (&User-Name =~ /(a)\./) -> FALSE(0) } # if (&User-Name) = notfound(0) } # policy filter_username = notfound(0) [preprocess] = ok(0) [chap] = noop(0) [mschap] = noop(0) [digest] = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) eap: Peer sent EAP Response (code 2) ID 2 length 28(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(0) [eap] = ok(0) } # authorize = ok(0) Found Auth-Type = eap(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(0) authenticate {(0) eap: Peer sent packet with method EAP Identity (1)(0) eap: Calling submodule eap_md5 to process data(0) eap_md5: Issuing MD5 Challenge(0) eap: Sending EAP Request (code 1) ID 3 length 22(0) eap: EAP session adding &reply:State = 0x287d8eea287e8a4b(0) [eap] = handled(0) } # authenticate = handled(0) Using Post-Auth-Type Challenge(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(0) Challenge { ... } # empty sub-section is ignored(0) Sent Access-Challenge Id 121 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(0) EAP-Message = 0x0103001604102827fff8d27c46a80b73ec2318db0194(0) Message-Authenticator = 0x00000000000000000000000000000000(0) State = 0x287d8eea287e8a4b37e54b2ae63114fc(0) Finished requestWaking up in 4.9 seconds.(1) Received Access-Request Id 122 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(1) User-Name = "E23D364711.ericsson.com"(1) Cisco-NAS-Port = "Ethernet1/18"(1) NAS-Port = 50118(1) NAS-Port-Id = "Ethernet1/18"(1) Service-Type = Framed-User(1) Framed-MTU = 1500(1) Called-Station-Id = "2C-D0-2D-56-9A-11"(1) Calling-Station-Id = "7C-72-6E-05-F9-E2"(1) EAP-Message = 0x02030006030d(1) Message-Authenticator = 0x2ee4837480666815e023fd8cf439594e(1) NAS-Port-Type = Ethernet(1) NAS-Identifier = "1"(1) NAS-IP-Address = 10.67.178.153(1) State = 0x287d8eea287e8a4b37e54b2ae63114fc(1) session-state: No cached attributes(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(1) authorize {(1) policy filter_username {(1) if (&User-Name) {(1) if (&User-Name) -> TRUE(1) if (&User-Name) {(1) if (&User-Name =~ / /) {(1) if (&User-Name =~ / /) -> FALSE(1) if (&User-Name =~ /@[^@]*@/ ) {(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(1) if (&User-Name =~ /\.\./ ) {(1) if (&User-Name =~ /\.\./ ) -> FALSE(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(1) if (&User-Name =~ /\.$/) {(1) if (&User-Name =~ /\.$/) -> FALSE(1) if (&User-Name =~ /(a)\./) {(1) if (&User-Name =~ /(a)\./) -> FALSE(1) } # if (&User-Name) = notfound(1) } # policy filter_username = notfound(1) [preprocess] = ok(1) [chap] = noop(1) [mschap] = noop(1) [digest] = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) eap: Peer sent EAP Response (code 2) ID 3 length 6(1) eap: No EAP Start, assuming it's an on-going EAP conversation(1) [eap] = updated(1) [files] = noop(1) [expiration] = noop(1) [logintime] = noop(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type(1) pap: WARNING: Authentication will fail unless a "known good" password is available(1) [pap] = noop(1) } # authorize = updated(1) Found Auth-Type = eap(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) authenticate {(1) eap: Expiring EAP session with state 0x287d8eea287e8a4b(1) eap: Finished EAP session with state 0x287d8eea287e8a4b(1) eap: Previous EAP request found for state 0x287d8eea287e8a4b, released from the list(1) eap: Peer sent packet with method EAP NAK (3)(1) eap: Found mutually acceptable type TLS (13)(1) eap: Calling submodule eap_tls to process data(1) eap_tls: Initiating new EAP-TLS session(1) eap_tls: Setting verify mode to require certificate from client(1) eap_tls: [eaptls start] = request(1) eap: Sending EAP Request (code 1) ID 4 length 6(1) eap: EAP session adding &reply:State = 0x287d8eea2979834b(1) [eap] = handled(1) } # authenticate = handled(1) Using Post-Auth-Type Challenge(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) Challenge { ... } # empty sub-section is ignored(1) Sent Access-Challenge Id 122 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(1) EAP-Message = 0x010400060d20(1) Message-Authenticator = 0x00000000000000000000000000000000(1) State = 0x287d8eea2979834b37e54b2ae63114fc(1) Finished requestWaking up in 4.9 seconds.(2) Received Access-Request Id 123 from 10.67.178.153:58216 to 10.67.178.154:1812 length 384(2) User-Name = "E23D364711.ericsson.com"(2) Cisco-NAS-Port = "Ethernet1/18"(2) NAS-Port = 50118(2) NAS-Port-Id = "Ethernet1/18"(2) Service-Type = Framed-User(2) Framed-MTU = 1500(2) Called-Station-Id = "2C-D0-2D-56-9A-11"(2) Calling-Station-Id = "7C-72-6E-05-F9-E2"(2) EAP-Message = 0x020400c40d0016030100b9010000b503033e6ff312b8e1fe6888ac40fa6a6f6d250753d13706e6e0e3b66045d3b8336d7d000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b0004030001(2) Message-Authenticator = 0xe45f7ba695b5740131950441854ec2bc(2) NAS-Port-Type = Ethernet(2) NAS-Identifier = "1"(2) NAS-IP-Address = 10.67.178.153(2) State = 0x287d8eea2979834b37e54b2ae63114fc(2) session-state: No cached attributes(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(2) authorize {(2) policy filter_username {(2) if (&User-Name) {(2) if (&User-Name) -> TRUE(2) if (&User-Name) {(2) if (&User-Name =~ / /) {(2) if (&User-Name =~ / /) -> FALSE(2) if (&User-Name =~ /@[^@]*@/ ) {(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(2) if (&User-Name =~ /\.\./ ) {(2) if (&User-Name =~ /\.\./ ) -> FALSE(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(2) if (&User-Name =~ /\.$/) {(2) if (&User-Name =~ /\.$/) -> FALSE(2) if (&User-Name =~ /(a)\./) {(2) if (&User-Name =~ /(a)\./) -> FALSE(2) } # if (&User-Name) = notfound(2) } # policy filter_username = notfound(2) [preprocess] = ok(2) [chap] = noop(2) [mschap] = noop(2) [digest] = noop(2) suffix: Checking for suffix after "@"(2) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(2) suffix: No such realm "NULL"(2) [suffix] = noop(2) eap: Peer sent EAP Response (code 2) ID 4 length 196(2) eap: No EAP Start, assuming it's an on-going EAP conversation(2) [eap] = updated(2) [files] = noop(2) [expiration] = noop(2) [logintime] = noop(2) [pap] = noop(2) } # authorize = updated(2) Found Auth-Type = eap(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(2) authenticate {(2) eap: Expiring EAP session with state 0x287d8eea2979834b(2) eap: Finished EAP session with state 0x287d8eea2979834b(2) eap: Previous EAP request found for state 0x287d8eea2979834b, released from the list(2) eap: Peer sent packet with method EAP TLS (13)(2) eap: Calling submodule eap_tls to process data(2) eap_tls: Continuing EAP-TLS(2) eap_tls: [eaptls verify] = ok(2) eap_tls: Done initial handshake(2) eap_tls: (other): before SSL initialization(2) eap_tls: TLS_accept: before SSL initialization(2) eap_tls: TLS_accept: before SSL initialization(2) eap_tls: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b9](2) eap_tls: TLS_accept: SSLv3/TLS read client hello(2) eap_tls: >>> send TLS 1.2 [length 003d](2) eap_tls: TLS_accept: SSLv3/TLS write server hello(2) eap_tls: >>> send TLS 1.2 [length 0aed](2) eap_tls: TLS_accept: SSLv3/TLS write certificate(2) eap_tls: >>> send TLS 1.2 [length 014d](2) eap_tls: TLS_accept: SSLv3/TLS write key exchange(2) eap_tls: >>> send TLS 1.2 [length 027c](2) eap_tls: TLS_accept: SSLv3/TLS write certificate request(2) eap_tls: >>> send TLS 1.2 [length 0004](2) eap_tls: TLS_accept: SSLv3/TLS write server done(2) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done(2) eap_tls: In SSL Handshake Phase(2) eap_tls: In SSL Accept mode(2) eap_tls: [eaptls process] = handled(2) eap: Sending EAP Request (code 1) ID 5 length 1004(2) eap: EAP session adding &reply:State = 0x287d8eea2a78834b(2) [eap] = handled(2) } # authenticate = handled(2) Using Post-Auth-Type Challenge(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(2) Challenge { ... } # empty sub-section is ignored(2) Sent Access-Challenge Id 123 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(2) EAP-Message = 0x010503ec0dc000000f10160303003d0200003903033a40b5d19c874950b0020e6a14b3f04e2f628299dc20c04411baaba5bfb107e300c030000011ff01000100000b000403000102001700001603030aed0b000ae9000ae60003ba308203b63082029ea003020102020a3345cf7feea6954d84a1300d06(2) Message-Authenticator = 0x00000000000000000000000000000000(2) State = 0x287d8eea2a78834b37e54b2ae63114fc(2) Finished requestWaking up in 4.9 seconds.(3) Received Access-Request Id 124 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(3) User-Name = "E23D364711.ericsson.com"(3) Cisco-NAS-Port = "Ethernet1/18"(3) NAS-Port = 50118(3) NAS-Port-Id = "Ethernet1/18"(3) Service-Type = Framed-User(3) Framed-MTU = 1500(3) Called-Station-Id = "2C-D0-2D-56-9A-11"(3) Calling-Station-Id = "7C-72-6E-05-F9-E2"(3) EAP-Message = 0x020500060d00(3) Message-Authenticator = 0x8df55c667bb83842a601cd67fc06e2dd(3) NAS-Port-Type = Ethernet(3) NAS-Identifier = "1"(3) NAS-IP-Address = 10.67.178.153(3) State = 0x287d8eea2a78834b37e54b2ae63114fc(3) session-state: No cached attributes(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(3) authorize {(3) policy filter_username {(3) if (&User-Name) {(3) if (&User-Name) -> TRUE(3) if (&User-Name) {(3) if (&User-Name =~ / /) {(3) if (&User-Name =~ / /) -> FALSE(3) if (&User-Name =~ /@[^@]*@/ ) {(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(3) if (&User-Name =~ /\.\./ ) {(3) if (&User-Name =~ /\.\./ ) -> FALSE(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(3) if (&User-Name =~ /\.$/) {(3) if (&User-Name =~ /\.$/) -> FALSE(3) if (&User-Name =~ /(a)\./) {(3) if (&User-Name =~ /(a)\./) -> FALSE(3) } # if (&User-Name) = notfound(3) } # policy filter_username = notfound(3) [preprocess] = ok(3) [chap] = noop(3) [mschap] = noop(3) [digest] = noop(3) suffix: Checking for suffix after "@"(3) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(3) suffix: No such realm "NULL"(3) [suffix] = noop(3) eap: Peer sent EAP Response (code 2) ID 5 length 6(3) eap: No EAP Start, assuming it's an on-going EAP conversation(3) [eap] = updated(3) [files] = noop(3) [expiration] = noop(3) [logintime] = noop(3) [pap] = noop(3) } # authorize = updated(3) Found Auth-Type = eap(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(3) authenticate {(3) eap: Expiring EAP session with state 0x287d8eea2a78834b(3) eap: Finished EAP session with state 0x287d8eea2a78834b(3) eap: Previous EAP request found for state 0x287d8eea2a78834b, released from the list(3) eap: Peer sent packet with method EAP TLS (13)(3) eap: Calling submodule eap_tls to process data(3) eap_tls: Continuing EAP-TLS(3) eap_tls: Peer ACKed our handshake fragment(3) eap_tls: [eaptls verify] = request(3) eap_tls: [eaptls process] = handled(3) eap: Sending EAP Request (code 1) ID 6 length 1004(3) eap: EAP session adding &reply:State = 0x287d8eea2b7b834b(3) [eap] = handled(3) } # authenticate = handled(3) Using Post-Auth-Type Challenge(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(3) Challenge { ... } # empty sub-section is ignored(3) Sent Access-Challenge Id 124 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(3) EAP-Message = 0x010603ec0dc000000f1019c9df1fdabfbfd01845b634c4587c46f79062d22181e61b02fd235046b638003b22582f5a042211df0003913082038d30820275a003020102020a3ff0fc92401de8a6963a300d06092a864886f70d01010b050030173115301306035504030c0c526f6f745f3830325f43524c(3) Message-Authenticator = 0x00000000000000000000000000000000(3) State = 0x287d8eea2b7b834b37e54b2ae63114fc(3) Finished requestWaking up in 4.8 seconds.(4) Received Access-Request Id 125 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(4) User-Name = "E23D364711.ericsson.com"(4) Cisco-NAS-Port = "Ethernet1/18"(4) NAS-Port = 50118(4) NAS-Port-Id = "Ethernet1/18"(4) Service-Type = Framed-User(4) Framed-MTU = 1500(4) Called-Station-Id = "2C-D0-2D-56-9A-11"(4) Calling-Station-Id = "7C-72-6E-05-F9-E2"(4) EAP-Message = 0x020600060d00(4) Message-Authenticator = 0xdf96c2bbab0e7a0241e955aebaf5e93e(4) NAS-Port-Type = Ethernet(4) NAS-Identifier = "1"(4) NAS-IP-Address = 10.67.178.153(4) State = 0x287d8eea2b7b834b37e54b2ae63114fc(4) session-state: No cached attributes(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(4) authorize {(4) policy filter_username {(4) if (&User-Name) {(4) if (&User-Name) -> TRUE(4) if (&User-Name) {(4) if (&User-Name =~ / /) {(4) if (&User-Name =~ / /) -> FALSE(4) if (&User-Name =~ /@[^@]*@/ ) {(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(4) if (&User-Name =~ /\.\./ ) {(4) if (&User-Name =~ /\.\./ ) -> FALSE(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(4) if (&User-Name =~ /\.$/) {(4) if (&User-Name =~ /\.$/) -> FALSE(4) if (&User-Name =~ /(a)\./) {(4) if (&User-Name =~ /(a)\./) -> FALSE(4) } # if (&User-Name) = notfound(4) } # policy filter_username = notfound(4) [preprocess] = ok(4) [chap] = noop(4) [mschap] = noop(4) [digest] = noop(4) suffix: Checking for suffix after "@"(4) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(4) suffix: No such realm "NULL"(4) [suffix] = noop(4) eap: Peer sent EAP Response (code 2) ID 6 length 6(4) eap: No EAP Start, assuming it's an on-going EAP conversation(4) [eap] = updated(4) [files] = noop(4) [expiration] = noop(4) [logintime] = noop(4) [pap] = noop(4) } # authorize = updated(4) Found Auth-Type = eap(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(4) authenticate {(4) eap: Expiring EAP session with state 0x287d8eea2b7b834b(4) eap: Finished EAP session with state 0x287d8eea2b7b834b(4) eap: Previous EAP request found for state 0x287d8eea2b7b834b, released from the list(4) eap: Peer sent packet with method EAP TLS (13)(4) eap: Calling submodule eap_tls to process data(4) eap_tls: Continuing EAP-TLS(4) eap_tls: Peer ACKed our handshake fragment(4) eap_tls: [eaptls verify] = request(4) eap_tls: [eaptls process] = handled(4) eap: Sending EAP Request (code 1) ID 7 length 1004(4) eap: EAP session adding &reply:State = 0x287d8eea2c7a834b(4) [eap] = handled(4) } # authenticate = handled(4) Using Post-Auth-Type Challenge(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(4) Challenge { ... } # empty sub-section is ignored(4) Sent Access-Challenge Id 125 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(4) EAP-Message = 0x010703ec0dc000000f100d01010b050030173115301306035504030c0c526f6f745f3830325f43524c301e170d3231303732373133313831385a170d3236303732363133313831385a30173115301306035504030c0c526f6f745f3830325f43524c30820122300d06092a864886f70d01010105000382(4) Message-Authenticator = 0x00000000000000000000000000000000(4) State = 0x287d8eea2c7a834b37e54b2ae63114fc(4) Finished requestWaking up in 4.8 seconds.(5) Received Access-Request Id 126 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(5) User-Name = "E23D364711.ericsson.com"(5) Cisco-NAS-Port = "Ethernet1/18"(5) NAS-Port = 50118(5) NAS-Port-Id = "Ethernet1/18"(5) Service-Type = Framed-User(5) Framed-MTU = 1500(5) Called-Station-Id = "2C-D0-2D-56-9A-11"(5) Calling-Station-Id = "7C-72-6E-05-F9-E2"(5) EAP-Message = 0x020700060d00(5) Message-Authenticator = 0x5820791f49a3b9fa2d70fdf72cae4e04(5) NAS-Port-Type = Ethernet(5) NAS-Identifier = "1"(5) NAS-IP-Address = 10.67.178.153(5) State = 0x287d8eea2c7a834b37e54b2ae63114fc(5) session-state: No cached attributes(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(5) authorize {(5) policy filter_username {(5) if (&User-Name) {(5) if (&User-Name) -> TRUE(5) if (&User-Name) {(5) if (&User-Name =~ / /) {(5) if (&User-Name =~ / /) -> FALSE(5) if (&User-Name =~ /@[^@]*@/ ) {(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(5) if (&User-Name =~ /\.\./ ) {(5) if (&User-Name =~ /\.\./ ) -> FALSE(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(5) if (&User-Name =~ /\.$/) {(5) if (&User-Name =~ /\.$/) -> FALSE(5) if (&User-Name =~ /(a)\./) {(5) if (&User-Name =~ /(a)\./) -> FALSE(5) } # if (&User-Name) = notfound(5) } # policy filter_username = notfound(5) [preprocess] = ok(5) [chap] = noop(5) [mschap] = noop(5) [digest] = noop(5) suffix: Checking for suffix after "@"(5) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(5) suffix: No such realm "NULL"(5) [suffix] = noop(5) eap: Peer sent EAP Response (code 2) ID 7 length 6(5) eap: No EAP Start, assuming it's an on-going EAP conversation(5) [eap] = updated(5) [files] = noop(5) [expiration] = noop(5) [logintime] = noop(5) [pap] = noop(5) } # authorize = updated(5) Found Auth-Type = eap(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(5) authenticate {(5) eap: Expiring EAP session with state 0x287d8eea2c7a834b(5) eap: Finished EAP session with state 0x287d8eea2c7a834b(5) eap: Previous EAP request found for state 0x287d8eea2c7a834b, released from the list(5) eap: Peer sent packet with method EAP TLS (13)(5) eap: Calling submodule eap_tls to process data(5) eap_tls: Continuing EAP-TLS(5) eap_tls: Peer ACKed our handshake fragment(5) eap_tls: [eaptls verify] = request(5) eap_tls: [eaptls process] = handled(5) eap: Sending EAP Request (code 1) ID 8 length 884(5) eap: EAP session adding &reply:State = 0x287d8eea2d75834b(5) [eap] = handled(5) } # authenticate = handled(5) Using Post-Auth-Type Challenge(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(5) Challenge { ... } # empty sub-section is ignored(5) Sent Access-Challenge Id 126 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(5) EAP-Message = 0x010803740d8000000f10078da56b9233b87bd592bcf512b5861c722426f8e775f8f8f9ac1971d32e7315a4d4cfdc96cf76c0f7c2615f08b791cdab76012fd06d7683241d322e22ce31728de05cdb78d73e67bafe5eb95fdda0426fba257d27273151edda36870830d7a7ae34841801eab8d859568ba093(5) Message-Authenticator = 0x00000000000000000000000000000000(5) State = 0x287d8eea2d75834b37e54b2ae63114fc(5) Finished requestWaking up in 4.8 seconds.(6) Received Access-Request Id 127 from 10.67.178.153:58216 to 10.67.178.154:1812 length 1474(6) User-Name = "E23D364711.ericsson.com"(6) Cisco-NAS-Port = "Ethernet1/18"(6) NAS-Port = 50118(6) NAS-Port-Id = "Ethernet1/18"(6) Service-Type = Framed-User(6) Framed-MTU = 1500(6) Called-Station-Id = "2C-D0-2D-56-9A-11"(6) Calling-Station-Id = "7C-72-6E-05-F9-E2"(6) EAP-Message = 0x020804fc0dc000001b2b160303189b0b0018970018940006523082064e30820436a00302010202087d55fbf6467a83ab300d06092a864886f70d01010b0500303e310b30090603550406130253453111300f060355040a0c084572696373736f6e311c301a06035504030c1356435f4431365f53756243(6) Message-Authenticator = 0x40786dcaae3d6b63450402d5c5cc429a(6) NAS-Port-Type = Ethernet(6) NAS-Identifier = "1"(6) NAS-IP-Address = 10.67.178.153(6) State = 0x287d8eea2d75834b37e54b2ae63114fc(6) session-state: No cached attributes(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(6) authorize {(6) policy filter_username {(6) if (&User-Name) {(6) if (&User-Name) -> TRUE(6) if (&User-Name) {(6) if (&User-Name =~ / /) {(6) if (&User-Name =~ / /) -> FALSE(6) if (&User-Name =~ /@[^@]*@/ ) {(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(6) if (&User-Name =~ /\.\./ ) {(6) if (&User-Name =~ /\.\./ ) -> FALSE(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(6) if (&User-Name =~ /\.$/) {(6) if (&User-Name =~ /\.$/) -> FALSE(6) if (&User-Name =~ /(a)\./) {(6) if (&User-Name =~ /(a)\./) -> FALSE(6) } # if (&User-Name) = notfound(6) } # policy filter_username = notfound(6) [preprocess] = ok(6) [chap] = noop(6) [mschap] = noop(6) [digest] = noop(6) suffix: Checking for suffix after "@"(6) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) eap: Peer sent EAP Response (code 2) ID 8 length 1276(6) eap: No EAP Start, assuming it's an on-going EAP conversation(6) [eap] = updated(6) [files] = noop(6) [expiration] = noop(6) [logintime] = noop(6) [pap] = noop(6) } # authorize = updated(6) Found Auth-Type = eap(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(6) authenticate {(6) eap: Expiring EAP session with state 0x287d8eea2d75834b(6) eap: Finished EAP session with state 0x287d8eea2d75834b(6) eap: Previous EAP request found for state 0x287d8eea2d75834b, released from the list(6) eap: Peer sent packet with method EAP TLS (13)(6) eap: Calling submodule eap_tls to process data(6) eap_tls: Continuing EAP-TLS(6) eap_tls: Peer indicated complete TLS record size will be 6955 bytes(6) eap_tls: Expecting 6 TLS record fragments(6) eap_tls: Got first TLS record fragment (1266 bytes). Peer indicated more fragments to follow(6) eap_tls: [eaptls verify] = first fragment(6) eap_tls: ACKing Peer's TLS record fragment(6) eap_tls: [eaptls process] = handled(6) eap: Sending EAP Request (code 1) ID 9 length 6(6) eap: EAP session adding &reply:State = 0x287d8eea2e74834b(6) [eap] = handled(6) } # authenticate = handled(6) Using Post-Auth-Type Challenge(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(6) Challenge { ... } # empty sub-section is ignored(6) Sent Access-Challenge Id 127 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(6) EAP-Message = 0x010900060d00(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x287d8eea2e74834b37e54b2ae63114fc(6) Finished requestWaking up in 4.7 seconds.(0) Cleaning up request packet ID 121 with timestamp +1041(1) Cleaning up request packet ID 122 with timestamp +1041(2) Cleaning up request packet ID 123 with timestamp +1041(3) Cleaning up request packet ID 124 with timestamp +1041(4) Cleaning up request packet ID 125 with timestamp +1041(5) Cleaning up request packet ID 126 with timestamp +1041(6) Cleaning up request packet ID 127 with timestamp +1042Ready to process requests(7) Received Access-Request Id 127 from 10.67.178.153:58216 to 10.67.178.154:1812 length 1474(7) User-Name = "E23D364711.ericsson.com"(7) Cisco-NAS-Port = "Ethernet1/18"(7) NAS-Port = 50118(7) NAS-Port-Id = "Ethernet1/18"(7) Service-Type = Framed-User(7) Framed-MTU = 1500(7) Called-Station-Id = "2C-D0-2D-56-9A-11"(7) Calling-Station-Id = "7C-72-6E-05-F9-E2"(7) EAP-Message = 0x020804fc0dc000001b2b160303189b0b0018970018940006523082064e30820436a00302010202087d55fbf6467a83ab300d06092a864886f70d01010b0500303e310b30090603550406130253453111300f060355040a0c084572696373736f6e311c301a06035504030c1356435f4431365f53756243(7) Message-Authenticator = 0x40786dcaae3d6b63450402d5c5cc429a(7) NAS-Port-Type = Ethernet(7) NAS-Identifier = "1"(7) NAS-IP-Address = 10.67.178.153(7) State = 0x287d8eea2d75834b37e54b2ae63114fc(7) session-state: No cached attributes(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(7) authorize {(7) policy filter_username {(7) if (&User-Name) {(7) if (&User-Name) -> TRUE(7) if (&User-Name) {(7) if (&User-Name =~ / /) {(7) if (&User-Name =~ / /) -> FALSE(7) if (&User-Name =~ /@[^@]*@/ ) {(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(7) if (&User-Name =~ /\.\./ ) {(7) if (&User-Name =~ /\.\./ ) -> FALSE(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(7) if (&User-Name =~ /\.$/) {(7) if (&User-Name =~ /\.$/) -> FALSE(7) if (&User-Name =~ /(a)\./) {(7) if (&User-Name =~ /(a)\./) -> FALSE(7) } # if (&User-Name) = notfound(7) } # policy filter_username = notfound(7) [preprocess] = ok(7) [chap] = noop(7) [mschap] = noop(7) [digest] = noop(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "E23D364711.ericsson.com", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) eap: Peer sent EAP Response (code 2) ID 8 length 1276(7) eap: No EAP Start, assuming it's an on-going EAP conversation(7) [eap] = updated(7) [files] = noop(7) [expiration] = noop(7) [logintime] = noop(7) [pap] = noop(7) } # authorize = updated(7) Found Auth-Type = eap(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(7) authenticate {(7) eap: Expiring EAP session with state 0x287d8eea2e74834b(7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x287d8eea2d75834b(7) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request(7) eap: Failed in handler(7) [eap] = invalid(7) } # authenticate = invalid(7) Failed to authenticate the user(7) Using Post-Auth-Type Reject(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(7) Post-Auth-Type REJECT {(7) attr_filter.access_reject: EXPAND %{User-Name}(7) attr_filter.access_reject: --> E23D364711.ericsson.com(7) attr_filter.access_reject: Matched entry DEFAULT at line 11(7) [attr_filter.access_reject] = updated(7) eap: Expiring EAP session with state 0x287d8eea2e74834b(7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x287d8eea2d75834b(7) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request(7) eap: Failed to get handler, probably already removed, not inserting EAP-Failure(7) [eap] = noop(7) policy remove_reply_message_if_eap {(7) if (&reply:EAP-Message && &reply:Reply-Message) {(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE(7) else {(7) [noop] = noop(7) } # else = noop(7) } # policy remove_reply_message_if_eap = noop(7) } # Post-Auth-Type REJECT = updated(7) Delaying response for 1.000000 secondsWaking up in 0.3 seconds.Waking up in 0.6 seconds.(7) Sending delayed response(7) Sent Access-Reject Id 127 from 10.67.178.154:1812 to 10.67.178.153:58216 length 20
Kind Regards,Deepak Rawat
root@radius-3:/etc/freeradius/3.0/certs# freeradius -XFreeRADIUS Version 3.0.16Copyright (C) 1999-2017 The FreeRADIUS server project and contributorsThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR APARTICULAR PURPOSEYou may redistribute copies of FreeRADIUS under the terms of theGNU General Public LicenseFor more information about these matters, see the file named COPYRIGHTStarting - reading configuration files ...including dictionary file /usr/share/freeradius/dictionaryincluding dictionary file /usr/share/freeradius/dictionary.dhcpincluding dictionary file /usr/share/freeradius/dictionary.vqpincluding dictionary file /etc/freeradius/3.0/dictionaryincluding configuration file /etc/freeradius/3.0/radiusd.confincluding configuration file /etc/freeradius/3.0/proxy.confincluding configuration file /etc/freeradius/3.0/clients.confincluding files in directory /etc/freeradius/3.0/mods-enabled/including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clientsincluding configuration file /etc/freeradius/3.0/mods-enabled/detailincluding configuration file /etc/freeradius/3.0/mods-enabled/passwdincluding configuration file /etc/freeradius/3.0/mods-enabled/replicateincluding configuration file /etc/freeradius/3.0/mods-enabled/attr_filterincluding configuration file /etc/freeradius/3.0/mods-enabled/sohincluding configuration file /etc/freeradius/3.0/mods-enabled/echoincluding configuration file /etc/freeradius/3.0/mods-enabled/sradutmpincluding configuration file /etc/freeradius/3.0/mods-enabled/radutmpincluding configuration file /etc/freeradius/3.0/mods-enabled/detail.logincluding configuration file /etc/freeradius/3.0/mods-enabled/papincluding configuration file /etc/freeradius/3.0/mods-enabled/linelogincluding configuration file /etc/freeradius/3.0/mods-enabled/realmincluding configuration file /etc/freeradius/3.0/mods-enabled/expirationincluding configuration file /etc/freeradius/3.0/mods-enabled/unixincluding configuration file /etc/freeradius/3.0/mods-enabled/mschapincluding configuration file /etc/freeradius/3.0/mods-enabled/filesincluding configuration file /etc/freeradius/3.0/mods-enabled/preprocessincluding configuration file /etc/freeradius/3.0/mods-enabled/exprincluding configuration file /etc/freeradius/3.0/mods-enabled/logintimeincluding configuration file /etc/freeradius/3.0/mods-enabled/alwaysincluding configuration file /etc/freeradius/3.0/mods-enabled/cache_eapincluding configuration file /etc/freeradius/3.0/mods-enabled/eapincluding configuration file /etc/freeradius/3.0/mods-enabled/chapincluding configuration file /etc/freeradius/3.0/mods-enabled/utf8including configuration file /etc/freeradius/3.0/mods-enabled/execincluding configuration file /etc/freeradius/3.0/mods-enabled/digestincluding configuration file /etc/freeradius/3.0/mods-enabled/unpackincluding configuration file /etc/freeradius/3.0/mods-enabled/ntlm_authincluding files in directory /etc/freeradius/3.0/policy.d/including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-idsincluding configuration file /etc/freeradius/3.0/policy.d/controlincluding configuration file /etc/freeradius/3.0/policy.d/cuiincluding configuration file /etc/freeradius/3.0/policy.d/abfab-trincluding configuration file /etc/freeradius/3.0/policy.d/operator-nameincluding configuration file /etc/freeradius/3.0/policy.d/canonicalizationincluding configuration file /etc/freeradius/3.0/policy.d/filterincluding configuration file /etc/freeradius/3.0/policy.d/debugincluding configuration file /etc/freeradius/3.0/policy.d/eapincluding configuration file /etc/freeradius/3.0/policy.d/dhcpincluding configuration file /etc/freeradius/3.0/policy.d/accountingincluding files in directory /etc/freeradius/3.0/sites-enabled/including configuration file /etc/freeradius/3.0/sites-enabled/defaultincluding configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnelmain { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius"}main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes }}radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { }radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.67.178.249 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.249. Please fix your configurationSupport for old-style clients will be removed in a future release client 10.67.178.153 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.153. Please fix your configurationSupport for old-style clients will be removed in a future release client 10.67.178.27 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.27. Please fix your configurationSupport for old-style clients will be removed in a future release client 10.67.178.28 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.67.178.28. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f007 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f007. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d980::f007 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d980::f007. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f008 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f008. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d980::f008 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d980::f008. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f010 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f010. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f005 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f005. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f006 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f006. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f009 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f009. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f013 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f013. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f014 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f014. Please fix your configurationSupport for old-style clients will be removed in a future release client 2001:1b70:8292:d900::f012 { require_message_authenticator = no secret = <<< secret >>> shortname = "client" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 2001:1b70:8292:d900::f012. Please fix your configurationSupport for old-style clients will be removed in a future releaseDebugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAPradiusd: #### Instantiating modules #### modules { # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" }Creating attribute Unix-Group # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } instantiate { } # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwdrlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filterreading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.logrlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschaprlm_mschap (mschap): using internal authentication # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/filesreading pairlist file /etc/freeradius/3.0/mods-config/files/authorizereading pairlist file /etc/freeradius/3.0/mods-config/files/accountingreading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocessreading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroupsreading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eaprlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/radius_EJBCA_ederawa_key.pem" certificate_file = "/etc/freeradius/3.0/certs/radius_802_oam_crl.pem" ca_file = "/etc/freeradius/3.0/certs/Root_OAM_802_CRL_21.cert" dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no }tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no }tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } } # modulesradiusd: #### Loading Virtual Servers ####server { # from file /etc/freeradius/3.0/radiusd.conf} # serverserver default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...}Ignoring "sql" (see raddb/mods-available/README.rst)Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...}} # server defaultserver inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331} # server inner-tunnelradiusd: #### Opening IP addresses and Ports ####listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 }}listen { type = "auth" ipaddr = 127.0.0.1 port = 18120}Listening on auth address * port 1812 bound to server defaultListening on acct address * port 1813 bound to server defaultListening on auth address :: port 1812 bound to server defaultListening on acct address :: port 1813 bound to server defaultListening on auth address 127.0.0.1 port 18120 bound to server inner-tunnelListening on proxy address * port 42911Listening on proxy address :: port 55432Ready to process requests(0) Received Access-Request Id 121 from 10.67.178.153:58216 to 10.67.178.154:1812 length 198(0) User-Name = "E23D364711.x.com"(0) Cisco-NAS-Port = "Ethernet1/18"(0) NAS-Port = 50118(0) NAS-Port-Id = "Ethernet1/18"(0) Service-Type = Framed-User(0) Framed-MTU = 1500(0) Called-Station-Id = "2C-D0-2D-56-9A-11"(0) Calling-Station-Id = "7C-72-6E-05-F9-E2"(0) EAP-Message = 0x0202001c01453233443336343731312e6572696373736f6e2e636f6d(0) Message-Authenticator = 0x830c70264b098bbbe7c704142347f419(0) NAS-Port-Type = Ethernet(0) NAS-Identifier = "1"(0) NAS-IP-Address = 10.67.178.153(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(0) authorize {(0) policy filter_username {(0) if (&User-Name) {(0) if (&User-Name) -> TRUE(0) if (&User-Name) {(0) if (&User-Name =~ / /) {(0) if (&User-Name =~ / /) -> FALSE(0) if (&User-Name =~ /@[^@]*@/ ) {(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(0) if (&User-Name =~ /\.\./ ) {(0) if (&User-Name =~ /\.\./ ) -> FALSE(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(0) if (&User-Name =~ /\.$/) {(0) if (&User-Name =~ /\.$/) -> FALSE(0) if (&User-Name =~ /(a)\./) {(0) if (&User-Name =~ /(a)\./) -> FALSE(0) } # if (&User-Name) = notfound(0) } # policy filter_username = notfound(0) [preprocess] = ok(0) [chap] = noop(0) [mschap] = noop(0) [digest] = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) eap: Peer sent EAP Response (code 2) ID 2 length 28(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(0) [eap] = ok(0) } # authorize = ok(0) Found Auth-Type = eap(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(0) authenticate {(0) eap: Peer sent packet with method EAP Identity (1)(0) eap: Calling submodule eap_md5 to process data(0) eap_md5: Issuing MD5 Challenge(0) eap: Sending EAP Request (code 1) ID 3 length 22(0) eap: EAP session adding &reply:State = 0x287d8eea287e8a4b(0) [eap] = handled(0) } # authenticate = handled(0) Using Post-Auth-Type Challenge(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(0) Challenge { ... } # empty sub-section is ignored(0) Sent Access-Challenge Id 121 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(0) EAP-Message = 0x0103001604102827fff8d27c46a80b73ec2318db0194(0) Message-Authenticator = 0x00000000000000000000000000000000(0) State = 0x287d8eea287e8a4b37e54b2ae63114fc(0) Finished requestWaking up in 4.9 seconds.(1) Received Access-Request Id 122 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(1) User-Name = "E23D364711.x.com"(1) Cisco-NAS-Port = "Ethernet1/18"(1) NAS-Port = 50118(1) NAS-Port-Id = "Ethernet1/18"(1) Service-Type = Framed-User(1) Framed-MTU = 1500(1) Called-Station-Id = "2C-D0-2D-56-9A-11"(1) Calling-Station-Id = "7C-72-6E-05-F9-E2"(1) EAP-Message = 0x02030006030d(1) Message-Authenticator = 0x2ee4837480666815e023fd8cf439594e(1) NAS-Port-Type = Ethernet(1) NAS-Identifier = "1"(1) NAS-IP-Address = 10.67.178.153(1) State = 0x287d8eea287e8a4b37e54b2ae63114fc(1) session-state: No cached attributes(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(1) authorize {(1) policy filter_username {(1) if (&User-Name) {(1) if (&User-Name) -> TRUE(1) if (&User-Name) {(1) if (&User-Name =~ / /) {(1) if (&User-Name =~ / /) -> FALSE(1) if (&User-Name =~ /@[^@]*@/ ) {(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(1) if (&User-Name =~ /\.\./ ) {(1) if (&User-Name =~ /\.\./ ) -> FALSE(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(1) if (&User-Name =~ /\.$/) {(1) if (&User-Name =~ /\.$/) -> FALSE(1) if (&User-Name =~ /(a)\./) {(1) if (&User-Name =~ /(a)\./) -> FALSE(1) } # if (&User-Name) = notfound(1) } # policy filter_username = notfound(1) [preprocess] = ok(1) [chap] = noop(1) [mschap] = noop(1) [digest] = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) eap: Peer sent EAP Response (code 2) ID 3 length 6(1) eap: No EAP Start, assuming it's an on-going EAP conversation(1) [eap] = updated(1) [files] = noop(1) [expiration] = noop(1) [logintime] = noop(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type(1) pap: WARNING: Authentication will fail unless a "known good" password is available(1) [pap] = noop(1) } # authorize = updated(1) Found Auth-Type = eap(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) authenticate {(1) eap: Expiring EAP session with state 0x287d8eea287e8a4b(1) eap: Finished EAP session with state 0x287d8eea287e8a4b(1) eap: Previous EAP request found for state 0x287d8eea287e8a4b, released from the list(1) eap: Peer sent packet with method EAP NAK (3)(1) eap: Found mutually acceptable type TLS (13)(1) eap: Calling submodule eap_tls to process data(1) eap_tls: Initiating new EAP-TLS session(1) eap_tls: Setting verify mode to require certificate from client(1) eap_tls: [eaptls start] = request(1) eap: Sending EAP Request (code 1) ID 4 length 6(1) eap: EAP session adding &reply:State = 0x287d8eea2979834b(1) [eap] = handled(1) } # authenticate = handled(1) Using Post-Auth-Type Challenge(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(1) Challenge { ... } # empty sub-section is ignored(1) Sent Access-Challenge Id 122 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(1) EAP-Message = 0x010400060d20(1) Message-Authenticator = 0x00000000000000000000000000000000(1) State = 0x287d8eea2979834b37e54b2ae63114fc(1) Finished requestWaking up in 4.9 seconds.(2) Received Access-Request Id 123 from 10.67.178.153:58216 to 10.67.178.154:1812 length 384(2) User-Name = "E23D364711.x.com"(2) Cisco-NAS-Port = "Ethernet1/18"(2) NAS-Port = 50118(2) NAS-Port-Id = "Ethernet1/18"(2) Service-Type = Framed-User(2) Framed-MTU = 1500(2) Called-Station-Id = "2C-D0-2D-56-9A-11"(2) Calling-Station-Id = "7C-72-6E-05-F9-E2"(2) EAP-Message = 0x020400c40d0016030100b9010000b503033e6ff312b8e1fe6888ac40fa6a6f6d250753d13706e6e0e3b66045d3b8336d7d000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b0004030001(2) Message-Authenticator = 0xe45f7ba695b5740131950441854ec2bc(2) NAS-Port-Type = Ethernet(2) NAS-Identifier = "1"(2) NAS-IP-Address = 10.67.178.153(2) State = 0x287d8eea2979834b37e54b2ae63114fc(2) session-state: No cached attributes(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(2) authorize {(2) policy filter_username {(2) if (&User-Name) {(2) if (&User-Name) -> TRUE(2) if (&User-Name) {(2) if (&User-Name =~ / /) {(2) if (&User-Name =~ / /) -> FALSE(2) if (&User-Name =~ /@[^@]*@/ ) {(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(2) if (&User-Name =~ /\.\./ ) {(2) if (&User-Name =~ /\.\./ ) -> FALSE(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(2) if (&User-Name =~ /\.$/) {(2) if (&User-Name =~ /\.$/) -> FALSE(2) if (&User-Name =~ /(a)\./) {(2) if (&User-Name =~ /(a)\./) -> FALSE(2) } # if (&User-Name) = notfound(2) } # policy filter_username = notfound(2) [preprocess] = ok(2) [chap] = noop(2) [mschap] = noop(2) [digest] = noop(2) suffix: Checking for suffix after "@"(2) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(2) suffix: No such realm "NULL"(2) [suffix] = noop(2) eap: Peer sent EAP Response (code 2) ID 4 length 196(2) eap: No EAP Start, assuming it's an on-going EAP conversation(2) [eap] = updated(2) [files] = noop(2) [expiration] = noop(2) [logintime] = noop(2) [pap] = noop(2) } # authorize = updated(2) Found Auth-Type = eap(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(2) authenticate {(2) eap: Expiring EAP session with state 0x287d8eea2979834b(2) eap: Finished EAP session with state 0x287d8eea2979834b(2) eap: Previous EAP request found for state 0x287d8eea2979834b, released from the list(2) eap: Peer sent packet with method EAP TLS (13)(2) eap: Calling submodule eap_tls to process data(2) eap_tls: Continuing EAP-TLS(2) eap_tls: [eaptls verify] = ok(2) eap_tls: Done initial handshake(2) eap_tls: (other): before SSL initialization(2) eap_tls: TLS_accept: before SSL initialization(2) eap_tls: TLS_accept: before SSL initialization(2) eap_tls: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b9](2) eap_tls: TLS_accept: SSLv3/TLS read client hello(2) eap_tls: >>> send TLS 1.2 [length 003d](2) eap_tls: TLS_accept: SSLv3/TLS write server hello(2) eap_tls: >>> send TLS 1.2 [length 0aed](2) eap_tls: TLS_accept: SSLv3/TLS write certificate(2) eap_tls: >>> send TLS 1.2 [length 014d](2) eap_tls: TLS_accept: SSLv3/TLS write key exchange(2) eap_tls: >>> send TLS 1.2 [length 027c](2) eap_tls: TLS_accept: SSLv3/TLS write certificate request(2) eap_tls: >>> send TLS 1.2 [length 0004](2) eap_tls: TLS_accept: SSLv3/TLS write server done(2) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done(2) eap_tls: In SSL Handshake Phase(2) eap_tls: In SSL Accept mode(2) eap_tls: [eaptls process] = handled(2) eap: Sending EAP Request (code 1) ID 5 length 1004(2) eap: EAP session adding &reply:State = 0x287d8eea2a78834b(2) [eap] = handled(2) } # authenticate = handled(2) Using Post-Auth-Type Challenge(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(2) Challenge { ... } # empty sub-section is ignored(2) Sent Access-Challenge Id 123 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(2) EAP-Message = 0x010503ec0dc000000f10160303003d0200003903033a40b5d19c874950b0020e6a14b3f04e2f628299dc20c04411baaba5bfb107e300c030000011ff01000100000b000403000102001700001603030aed0b000ae9000ae60003ba308203b63082029ea003020102020a3345cf7feea6954d84a1300d06(2) Message-Authenticator = 0x00000000000000000000000000000000(2) State = 0x287d8eea2a78834b37e54b2ae63114fc(2) Finished requestWaking up in 4.9 seconds.(3) Received Access-Request Id 124 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(3) User-Name = "E23D364711.x.com"(3) Cisco-NAS-Port = "Ethernet1/18"(3) NAS-Port = 50118(3) NAS-Port-Id = "Ethernet1/18"(3) Service-Type = Framed-User(3) Framed-MTU = 1500(3) Called-Station-Id = "2C-D0-2D-56-9A-11"(3) Calling-Station-Id = "7C-72-6E-05-F9-E2"(3) EAP-Message = 0x020500060d00(3) Message-Authenticator = 0x8df55c667bb83842a601cd67fc06e2dd(3) NAS-Port-Type = Ethernet(3) NAS-Identifier = "1"(3) NAS-IP-Address = 10.67.178.153(3) State = 0x287d8eea2a78834b37e54b2ae63114fc(3) session-state: No cached attributes(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(3) authorize {(3) policy filter_username {(3) if (&User-Name) {(3) if (&User-Name) -> TRUE(3) if (&User-Name) {(3) if (&User-Name =~ / /) {(3) if (&User-Name =~ / /) -> FALSE(3) if (&User-Name =~ /@[^@]*@/ ) {(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(3) if (&User-Name =~ /\.\./ ) {(3) if (&User-Name =~ /\.\./ ) -> FALSE(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(3) if (&User-Name =~ /\.$/) {(3) if (&User-Name =~ /\.$/) -> FALSE(3) if (&User-Name =~ /(a)\./) {(3) if (&User-Name =~ /(a)\./) -> FALSE(3) } # if (&User-Name) = notfound(3) } # policy filter_username = notfound(3) [preprocess] = ok(3) [chap] = noop(3) [mschap] = noop(3) [digest] = noop(3) suffix: Checking for suffix after "@"(3) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(3) suffix: No such realm "NULL"(3) [suffix] = noop(3) eap: Peer sent EAP Response (code 2) ID 5 length 6(3) eap: No EAP Start, assuming it's an on-going EAP conversation(3) [eap] = updated(3) [files] = noop(3) [expiration] = noop(3) [logintime] = noop(3) [pap] = noop(3) } # authorize = updated(3) Found Auth-Type = eap(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(3) authenticate {(3) eap: Expiring EAP session with state 0x287d8eea2a78834b(3) eap: Finished EAP session with state 0x287d8eea2a78834b(3) eap: Previous EAP request found for state 0x287d8eea2a78834b, released from the list(3) eap: Peer sent packet with method EAP TLS (13)(3) eap: Calling submodule eap_tls to process data(3) eap_tls: Continuing EAP-TLS(3) eap_tls: Peer ACKed our handshake fragment(3) eap_tls: [eaptls verify] = request(3) eap_tls: [eaptls process] = handled(3) eap: Sending EAP Request (code 1) ID 6 length 1004(3) eap: EAP session adding &reply:State = 0x287d8eea2b7b834b(3) [eap] = handled(3) } # authenticate = handled(3) Using Post-Auth-Type Challenge(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(3) Challenge { ... } # empty sub-section is ignored(3) Sent Access-Challenge Id 124 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(3) EAP-Message = 0x010603ec0dc000000f1019c9df1fdabfbfd01845b634c4587c46f79062d22181e61b02fd235046b638003b22582f5a042211df0003913082038d30820275a003020102020a3ff0fc92401de8a6963a300d06092a864886f70d01010b050030173115301306035504030c0c526f6f745f3830325f43524c(3) Message-Authenticator = 0x00000000000000000000000000000000(3) State = 0x287d8eea2b7b834b37e54b2ae63114fc(3) Finished requestWaking up in 4.8 seconds.(4) Received Access-Request Id 125 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(4) User-Name = "E23D364711.x.com"(4) Cisco-NAS-Port = "Ethernet1/18"(4) NAS-Port = 50118(4) NAS-Port-Id = "Ethernet1/18"(4) Service-Type = Framed-User(4) Framed-MTU = 1500(4) Called-Station-Id = "2C-D0-2D-56-9A-11"(4) Calling-Station-Id = "7C-72-6E-05-F9-E2"(4) EAP-Message = 0x020600060d00(4) Message-Authenticator = 0xdf96c2bbab0e7a0241e955aebaf5e93e(4) NAS-Port-Type = Ethernet(4) NAS-Identifier = "1"(4) NAS-IP-Address = 10.67.178.153(4) State = 0x287d8eea2b7b834b37e54b2ae63114fc(4) session-state: No cached attributes(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(4) authorize {(4) policy filter_username {(4) if (&User-Name) {(4) if (&User-Name) -> TRUE(4) if (&User-Name) {(4) if (&User-Name =~ / /) {(4) if (&User-Name =~ / /) -> FALSE(4) if (&User-Name =~ /@[^@]*@/ ) {(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(4) if (&User-Name =~ /\.\./ ) {(4) if (&User-Name =~ /\.\./ ) -> FALSE(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(4) if (&User-Name =~ /\.$/) {(4) if (&User-Name =~ /\.$/) -> FALSE(4) if (&User-Name =~ /(a)\./) {(4) if (&User-Name =~ /(a)\./) -> FALSE(4) } # if (&User-Name) = notfound(4) } # policy filter_username = notfound(4) [preprocess] = ok(4) [chap] = noop(4) [mschap] = noop(4) [digest] = noop(4) suffix: Checking for suffix after "@"(4) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(4) suffix: No such realm "NULL"(4) [suffix] = noop(4) eap: Peer sent EAP Response (code 2) ID 6 length 6(4) eap: No EAP Start, assuming it's an on-going EAP conversation(4) [eap] = updated(4) [files] = noop(4) [expiration] = noop(4) [logintime] = noop(4) [pap] = noop(4) } # authorize = updated(4) Found Auth-Type = eap(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(4) authenticate {(4) eap: Expiring EAP session with state 0x287d8eea2b7b834b(4) eap: Finished EAP session with state 0x287d8eea2b7b834b(4) eap: Previous EAP request found for state 0x287d8eea2b7b834b, released from the list(4) eap: Peer sent packet with method EAP TLS (13)(4) eap: Calling submodule eap_tls to process data(4) eap_tls: Continuing EAP-TLS(4) eap_tls: Peer ACKed our handshake fragment(4) eap_tls: [eaptls verify] = request(4) eap_tls: [eaptls process] = handled(4) eap: Sending EAP Request (code 1) ID 7 length 1004(4) eap: EAP session adding &reply:State = 0x287d8eea2c7a834b(4) [eap] = handled(4) } # authenticate = handled(4) Using Post-Auth-Type Challenge(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(4) Challenge { ... } # empty sub-section is ignored(4) Sent Access-Challenge Id 125 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(4) EAP-Message = 0x010703ec0dc000000f100d01010b050030173115301306035504030c0c526f6f745f3830325f43524c301e170d3231303732373133313831385a170d3236303732363133313831385a30173115301306035504030c0c526f6f745f3830325f43524c30820122300d06092a864886f70d01010105000382(4) Message-Authenticator = 0x00000000000000000000000000000000(4) State = 0x287d8eea2c7a834b37e54b2ae63114fc(4) Finished requestWaking up in 4.8 seconds.(5) Received Access-Request Id 126 from 10.67.178.153:58216 to 10.67.178.154:1812 length 194(5) User-Name = "E23D364711.x.com"(5) Cisco-NAS-Port = "Ethernet1/18"(5) NAS-Port = 50118(5) NAS-Port-Id = "Ethernet1/18"(5) Service-Type = Framed-User(5) Framed-MTU = 1500(5) Called-Station-Id = "2C-D0-2D-56-9A-11"(5) Calling-Station-Id = "7C-72-6E-05-F9-E2"(5) EAP-Message = 0x020700060d00(5) Message-Authenticator = 0x5820791f49a3b9fa2d70fdf72cae4e04(5) NAS-Port-Type = Ethernet(5) NAS-Identifier = "1"(5) NAS-IP-Address = 10.67.178.153(5) State = 0x287d8eea2c7a834b37e54b2ae63114fc(5) session-state: No cached attributes(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(5) authorize {(5) policy filter_username {(5) if (&User-Name) {(5) if (&User-Name) -> TRUE(5) if (&User-Name) {(5) if (&User-Name =~ / /) {(5) if (&User-Name =~ / /) -> FALSE(5) if (&User-Name =~ /@[^@]*@/ ) {(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(5) if (&User-Name =~ /\.\./ ) {(5) if (&User-Name =~ /\.\./ ) -> FALSE(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(5) if (&User-Name =~ /\.$/) {(5) if (&User-Name =~ /\.$/) -> FALSE(5) if (&User-Name =~ /(a)\./) {(5) if (&User-Name =~ /(a)\./) -> FALSE(5) } # if (&User-Name) = notfound(5) } # policy filter_username = notfound(5) [preprocess] = ok(5) [chap] = noop(5) [mschap] = noop(5) [digest] = noop(5) suffix: Checking for suffix after "@"(5) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(5) suffix: No such realm "NULL"(5) [suffix] = noop(5) eap: Peer sent EAP Response (code 2) ID 7 length 6(5) eap: No EAP Start, assuming it's an on-going EAP conversation(5) [eap] = updated(5) [files] = noop(5) [expiration] = noop(5) [logintime] = noop(5) [pap] = noop(5) } # authorize = updated(5) Found Auth-Type = eap(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(5) authenticate {(5) eap: Expiring EAP session with state 0x287d8eea2c7a834b(5) eap: Finished EAP session with state 0x287d8eea2c7a834b(5) eap: Previous EAP request found for state 0x287d8eea2c7a834b, released from the list(5) eap: Peer sent packet with method EAP TLS (13)(5) eap: Calling submodule eap_tls to process data(5) eap_tls: Continuing EAP-TLS(5) eap_tls: Peer ACKed our handshake fragment(5) eap_tls: [eaptls verify] = request(5) eap_tls: [eaptls process] = handled(5) eap: Sending EAP Request (code 1) ID 8 length 884(5) eap: EAP session adding &reply:State = 0x287d8eea2d75834b(5) [eap] = handled(5) } # authenticate = handled(5) Using Post-Auth-Type Challenge(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(5) Challenge { ... } # empty sub-section is ignored(5) Sent Access-Challenge Id 126 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(5) EAP-Message = 0x010803740d8000000f10078da56b9233b87bd592bcf512b5861c722426f8e775f8f8f9ac1971d32e7315a4d4cfdc96cf76c0f7c2615f08b791cdab76012fd06d7683241d322e22ce31728de05cdb78d73e67bafe5eb95fdda0426fba257d27273151edda36870830d7a7ae34841801eab8d859568ba093(5) Message-Authenticator = 0x00000000000000000000000000000000(5) State = 0x287d8eea2d75834b37e54b2ae63114fc(5) Finished requestWaking up in 4.8 seconds.(6) Received Access-Request Id 127 from 10.67.178.153:58216 to 10.67.178.154:1812 length 1474(6) User-Name = "E23D364711.x.com"(6) Cisco-NAS-Port = "Ethernet1/18"(6) NAS-Port = 50118(6) NAS-Port-Id = "Ethernet1/18"(6) Service-Type = Framed-User(6) Framed-MTU = 1500(6) Called-Station-Id = "2C-D0-2D-56-9A-11"(6) Calling-Station-Id = "7C-72-6E-05-F9-E2"(6) EAP-Message = 0x020804fc0dc000001b2b160303189b0b0018970018940006523082064e30820436a00302010202087d55fbf6467a83ab300d06092a864886f70d01010b0500303e310b30090603550406130253453111300f060355040a0c084572696373736f6e311c301a06035504030c1356435f4431365f53756243(6) Message-Authenticator = 0x40786dcaae3d6b63450402d5c5cc429a(6) NAS-Port-Type = Ethernet(6) NAS-Identifier = "1"(6) NAS-IP-Address = 10.67.178.153(6) State = 0x287d8eea2d75834b37e54b2ae63114fc(6) session-state: No cached attributes(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(6) authorize {(6) policy filter_username {(6) if (&User-Name) {(6) if (&User-Name) -> TRUE(6) if (&User-Name) {(6) if (&User-Name =~ / /) {(6) if (&User-Name =~ / /) -> FALSE(6) if (&User-Name =~ /@[^@]*@/ ) {(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(6) if (&User-Name =~ /\.\./ ) {(6) if (&User-Name =~ /\.\./ ) -> FALSE(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(6) if (&User-Name =~ /\.$/) {(6) if (&User-Name =~ /\.$/) -> FALSE(6) if (&User-Name =~ /(a)\./) {(6) if (&User-Name =~ /(a)\./) -> FALSE(6) } # if (&User-Name) = notfound(6) } # policy filter_username = notfound(6) [preprocess] = ok(6) [chap] = noop(6) [mschap] = noop(6) [digest] = noop(6) suffix: Checking for suffix after "@"(6) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) eap: Peer sent EAP Response (code 2) ID 8 length 1276(6) eap: No EAP Start, assuming it's an on-going EAP conversation(6) [eap] = updated(6) [files] = noop(6) [expiration] = noop(6) [logintime] = noop(6) [pap] = noop(6) } # authorize = updated(6) Found Auth-Type = eap(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(6) authenticate {(6) eap: Expiring EAP session with state 0x287d8eea2d75834b(6) eap: Finished EAP session with state 0x287d8eea2d75834b(6) eap: Previous EAP request found for state 0x287d8eea2d75834b, released from the list(6) eap: Peer sent packet with method EAP TLS (13)(6) eap: Calling submodule eap_tls to process data(6) eap_tls: Continuing EAP-TLS(6) eap_tls: Peer indicated complete TLS record size will be 6955 bytes(6) eap_tls: Expecting 6 TLS record fragments(6) eap_tls: Got first TLS record fragment (1266 bytes). Peer indicated more fragments to follow(6) eap_tls: [eaptls verify] = first fragment(6) eap_tls: ACKing Peer's TLS record fragment(6) eap_tls: [eaptls process] = handled(6) eap: Sending EAP Request (code 1) ID 9 length 6(6) eap: EAP session adding &reply:State = 0x287d8eea2e74834b(6) [eap] = handled(6) } # authenticate = handled(6) Using Post-Auth-Type Challenge(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(6) Challenge { ... } # empty sub-section is ignored(6) Sent Access-Challenge Id 127 from 10.67.178.154:1812 to 10.67.178.153:58216 length 0(6) EAP-Message = 0x010900060d00(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x287d8eea2e74834b37e54b2ae63114fc(6) Finished requestWaking up in 4.7 seconds.(0) Cleaning up request packet ID 121 with timestamp +1041(1) Cleaning up request packet ID 122 with timestamp +1041(2) Cleaning up request packet ID 123 with timestamp +1041(3) Cleaning up request packet ID 124 with timestamp +1041(4) Cleaning up request packet ID 125 with timestamp +1041(5) Cleaning up request packet ID 126 with timestamp +1041(6) Cleaning up request packet ID 127 with timestamp +1042Ready to process requests(7) Received Access-Request Id 127 from 10.67.178.153:58216 to 10.67.178.154:1812 length 1474(7) User-Name = "E23D364711.x.com"(7) Cisco-NAS-Port = "Ethernet1/18"(7) NAS-Port = 50118(7) NAS-Port-Id = "Ethernet1/18"(7) Service-Type = Framed-User(7) Framed-MTU = 1500(7) Called-Station-Id = "2C-D0-2D-56-9A-11"(7) Calling-Station-Id = "7C-72-6E-05-F9-E2"(7) EAP-Message = 0x020804fc0dc000001b2b160303189b0b0018970018940006523082064e30820436a00302010202087d55fbf6467a83ab300d06092a864886f70d01010b0500303e310b30090603550406130253453111300f060355040a0c084572696373736f6e311c301a06035504030c1356435f4431365f53756243(7) Message-Authenticator = 0x40786dcaae3d6b63450402d5c5cc429a(7) NAS-Port-Type = Ethernet(7) NAS-Identifier = "1"(7) NAS-IP-Address = 10.67.178.153(7) State = 0x287d8eea2d75834b37e54b2ae63114fc(7) session-state: No cached attributes(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default(7) authorize {(7) policy filter_username {(7) if (&User-Name) {(7) if (&User-Name) -> TRUE(7) if (&User-Name) {(7) if (&User-Name =~ / /) {(7) if (&User-Name =~ / /) -> FALSE(7) if (&User-Name =~ /@[^@]*@/ ) {(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(7) if (&User-Name =~ /\.\./ ) {(7) if (&User-Name =~ /\.\./ ) -> FALSE(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE(7) if (&User-Name =~ /\.$/) {(7) if (&User-Name =~ /\.$/) -> FALSE(7) if (&User-Name =~ /(a)\./) {(7) if (&User-Name =~ /(a)\./) -> FALSE(7) } # if (&User-Name) = notfound(7) } # policy filter_username = notfound(7) [preprocess] = ok(7) [chap] = noop(7) [mschap] = noop(7) [digest] = noop(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "E23D364711.x.com", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) eap: Peer sent EAP Response (code 2) ID 8 length 1276(7) eap: No EAP Start, assuming it's an on-going EAP conversation(7) [eap] = updated(7) [files] = noop(7) [expiration] = noop(7) [logintime] = noop(7) [pap] = noop(7) } # authorize = updated(7) Found Auth-Type = eap(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(7) authenticate {(7) eap: Expiring EAP session with state 0x287d8eea2e74834b(7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x287d8eea2d75834b(7) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request(7) eap: Failed in handler(7) [eap] = invalid(7) } # authenticate = invalid(7) Failed to authenticate the user(7) Using Post-Auth-Type Reject(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default(7) Post-Auth-Type REJECT {(7) attr_filter.access_reject: EXPAND %{User-Name}(7) attr_filter.access_reject: --> E23D364711.x.com(7) attr_filter.access_reject: Matched entry DEFAULT at line 11(7) [attr_filter.access_reject] = updated(7) eap: Expiring EAP session with state 0x287d8eea2e74834b(7) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x287d8eea2d75834b(7) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request(7) eap: Failed to get handler, probably already removed, not inserting EAP-Failure(7) [eap] = noop(7) policy remove_reply_message_if_eap {(7) if (&reply:EAP-Message && &reply:Reply-Message) {(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE(7) else {(7) [noop] = noop(7) } # else = noop(7) } # policy remove_reply_message_if_eap = noop(7) } # Post-Auth-Type REJECT = updated(7) Delaying response for 1.000000 secondsWaking up in 0.3 seconds.Waking up in 0.6 seconds.(7) Sending delayed response(7) Sent Access-Reject Id 127 from 10.67.178.154:1812 to 10.67.178.153:58216 length 20
2
11
** How to configure EAP with FreeRADIUS
---------------------------------------------
Once FreeRADIUS has been configured to use PAP, it is straightforward to configure the server to use EAP for authentication.
There are essentially 5 steps:
1) Install OpenSSL
2) Create dummy certificates
3) Configure 802.1x authentication for this SSID
4) Test it
5) Create production certificates
6) Import the root CA (Certificate Authority)
This article is the first in short series about how to configure EAP for FreeRADIUS. In this series, we will walk you through each of the steps above. If you follow this guide, getting EAP authentication to work should be straightforward. The important thing to remember is to take it slow, and do only one step at a time.
Read the full article…
https://networkradius.com/articles/2021/10/18/configuring-EAP.html
** Sign up to get this content directly
---------------------------------------------
Want to get these articles in all their HTML glory?
Sign up here: http://eepurl.com/hwuWrn
** Need RADIUS help?
---------------------------------------------
Get commercial support from the team behind FreeRADIUS.
https://networkradius.com/request/
** What is the relationship between Network RADIUS and FreeRADIUS?
----------------------------------------------
FreeRADIUS is an open source implementation of the RADIUS protocol and was written by Alan DeKok in 1999.
Network RADIUS is a private, for-profit company founded by Alan DeKok which provides commercial support for FreeRADIUS. The Network RADIUS team has been the primary contributor to FreeRADIUS for the last 20 years. The FreeRADIUS mailing list, wiki, and documentation are all moderated and maintained by the Network RADIUS team.
FreeRADIUS has always been, and will always continue to be, open source. The Network RADIUS team provides commercial support to paying clients, and free product development for the FreeRADIUS community at large.
All of our software development for FreeRADIUS is integrated into the Open Source platform, and will always continue to be.
1
0
1
0
1
0