Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2022
- 54 participants
- 53 discussions
for a myraid of purposes, i have my radius servers connect to MariaDB,
and have configured mods-available/sql with the requisite user/pass
credential set. i am wondering if the case can be made to add/include
the option to use the keytab created and used for LDAP connectivity.
having a user/pass combo in clear text on the filesystem is no-no in
many organizations.
per the mariadb docs, i setup gssapi and created my user and used gssapi
for authentication
/https://mariadb.com/kb/en/authentication-plugin-gssapi//
create the user that matches what is configured in the keytab in mariadb:
/create user 'radius\/server2.bpk2.com' identified via gssapi;/
note the hard quoting and escaping of the forward slash. this was the
only combination that resulted in the user being successfully created
for me.
i authenticated with the keytab, and pulled a TGT:
/ [root@server1 raddb]# kinit -kt radius.keytab -p
radius/server1.bpk2.com//
// [root@server1 raddb]# klist//
// Ticket cache: FILE:/tmp/krb5cc_0//
// Default principal: radius/server1.bpk2.com(a)BPK2.COM//
//
// Valid starting Expires Service principal//
// 04/28/2022 19:47:51 04/29/2022 19:47:51 krbtgt/BPK2.COM(a)BPK2.COM//
// renew until 05/05/2022 19:47:51/
then i connected to the database using the identity:
/ [root@server1 raddb]# mysql -h database -u radius/server1.bpk2.com
radius//
// Reading table information for completion of table and column names//
// You can turn off this feature to get a quicker startup with -A//
//
// Welcome to the MariaDB monitor. Commands end with ; or \g.//
// Your MariaDB connection id is 125319//
// Server version: 10.4.19-MariaDB MariaDB Server//
//
// Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.//
//
// Type 'help;' or '\h' for help. Type '\c' to clear the current
input statement.//
//
// MariaDB [radius]> show tables;//
// +------------------------+//
// | Tables_in_radius |//
// +------------------------+//
// .../
/ MariaDB [radius]> status//
// --------------//
// mysql Ver 15.1 Distrib 10.4.19-MariaDB, for Linux (x86_64) using
EditLine wrapper//
//
// Connection id: 125319//
// Current database: radius//
// Current user: radius/server1.bpk2.com(a)server1.bpk2.com/
it is entirely possible to use the keytab and connect to a properly
configured mariadb instance with a keytab. can the functionality to
authenticate to databases like mariadb with the keytab be added?
thank you,
brendan
2
1
Hello,
iam trying to build Freeradius 3.2.0 from source when i run make i get
these warnings:
CC src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c
src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c: In function
‘mod_process’:
src/modules/rlm_eap/types/rlm_eap_pwd/rlm_eap_pwd.c:832:8: warning:
implicit declaration of function ‘EC_POINT_get_affine_coordinates’; did you
mean ‘EC_POINT_get_affine_coordinates_GFp’?
[-Wimplicit-function-declaration]
832 | if (!EC_POINT_get_affine_coordinates(session->group,
session->my_element, x, y,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| EC_POINT_get_affine_coordinates_GFp
CC src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c: In function ‘do_equation’:
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:144:2: warning: implicit
declaration of function ‘EC_GROUP_get_curve’; did you mean
‘EC_GROUP_get_degree’? [-Wimplicit-function-declaration]
144 | EC_GROUP_get_curve(group, p, a, b, bnctx);
| ^~~~~~~~~~~~~~~~~~
| EC_GROUP_get_degree
In file included from src/modules/rlm_eap/eap.h:29,
from src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.h:38,
from src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:37:
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c: In function
‘compute_password_element’:
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:259:17: warning: implicit
declaration of function ‘EVP_MD_CTX_new’; did you mean ‘EVP_MD_CTX_init’?
[-Wimplicit-function-declaration]
259 | MEM(hmac_ctx = EVP_MD_CTX_new());
| ^~~~~~~~~~~~~~
src/freeradius-devel/radiusd.h:396:22: note: in definition of macro ‘MEM’
396 | #define MEM(x) if (!(x)) { ERROR("%s[%u] OUT OF MEMORY", __FILE__,
__LINE__); _fr_exit_now(__FILE__, __LINE__, 1); }
| ^
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:259:15: warning: assignment
to ‘EVP_MD_CTX *’ {aka ‘struct env_md_ctx_st *’} from ‘int’ makes pointer
from integer without a cast [-Wint-conversion]
259 | MEM(hmac_ctx = EVP_MD_CTX_new());
| ^
src/freeradius-devel/radiusd.h:396:22: note: in definition of macro ‘MEM’
396 | #define MEM(x) if (!(x)) { ERROR("%s[%u] OUT OF MEMORY", __FILE__,
__LINE__); _fr_exit_now(__FILE__, __LINE__, 1); }
| ^
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:390:4: warning: implicit
declaration of function ‘EVP_MD_CTX_reset’; did you mean
‘EVP_MD_CTX_creat’? [-Wimplicit-function-declaration]
390 | EVP_MD_CTX_reset(hmac_ctx);
| ^~~~~~~~~~~~~~~~
| EVP_MD_CTX_create
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:481:4: warning: implicit
declaration of function ‘EC_POINT_set_affine_coordinates’; did you mean
‘EC_POINT_set_affine_coordinates_GFp’? [-Wimplicit-function-declaration]
481 | !EC_POINT_set_affine_coordinates(session->group, session->pwe,
x_candidate, y, session->bnctx)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| EC_POINT_set_affine_coordinates_GFp
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:510:2: warning: implicit
declaration of function ‘EVP_MD_CTX_free’; did you mean
‘EVP_MD_CTX_create’? [-Wimplicit-function-declaration]
510 | EVP_MD_CTX_free(hmac_ctx);
| ^~~~~~~~~~~~~~~
| EVP_MD_CTX_create
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c: In function
‘process_peer_commit’:
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c:666:7: warning: implicit
declaration of function ‘EC_POINT_get_affine_coordinates’; did you mean
‘EC_POINT_get_affine_coordinates_GFp’? [-Wimplicit-function-declaration]
666 | if (!EC_POINT_get_affine_coordinates(session->group, K,
session->k, NULL, bn_ctx)) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| EC_POINT_get_affine_coordinates_GFp
How to solve this issue ?
Thanks
Bassem
4
6
Is there a way / config option for freeRadius to reconnect to sql server on
DB operation errors (eg. db write errors).
background: the sql cluster we use is behind a DNS based Load balancer.
Every 2 weeks, half of the cluster are taken out of DNS for service by
automated tasks. The DNS update happens a few seconds after the servers are
taken out (and all DBs marked read-only) and during these few seconds,
radius can still connect to the down'd sql servers but all writes will
fail. Eventually, the read-only mysql will stop and radius will reconnect
to the valid sql servers.
The one option I see "connect_failure_retry_delay" seems to only matter for
establishing sql connection. In this case, sql connection itself is fine,
just to a read-only DB.
Any suggestions are welcome.
tia.
3
8
Granting varied levels of NAS permission based on LDAP group membership
by Braden McGrath 24 Apr '22
by Braden McGrath 24 Apr '22
24 Apr '22
FR users & maintainers,
I have a functional FreeRADIUS installation (3.0.20 - I know it's
slightly old, it's from the Ubuntu repo - on Ubuntu 20.04LTS), being
used for management access and authorization on varied network
equipment at an ISP (not everything supports TACACS so we're using
RADIUS).
When I first setup this system, Alan and other members of this group
gave me a bunch of help and I threw together a policy.d file (called
"group_authz") that is querying for LDAP group membership, and then
altering the replies back to the various NASes with specific
attributes to grant read-only or read-write permissions on the
devices. I was originally told by my boss that a universal read-only
and read-write group would be sufficient, so it was pretty easy to
check for membership in one of those two groups and then just send
back specific attributes depending on %{client:nas_type}.
Of course, now the goalposts have shifted. I've been told that we need
"tiered" access. Some users (tier 2 NOC team) should get R/W to most
of the network, but should *not* have any access at all to some of the
more sensitive gear (core/datacenter network stuff). Others (tier 1
NOC team) should get only R/O to the same chunk of network, but not
the sensitive stuff. We still need a "full R/W" (tier3/architects) and
"full R/O" (probably won't get used much, but just in case) as well.
I'm now trying to figure out the "best" / most elegant way to handle
this new requirement.
I'm thinking that it would be helpful to use group nesting to make
things more simple on the LDAP side, but I don't know if LDAP-Group[*]
will catch nested membership (user is a member of group X, which is a
member of group Y - does LDAP-Group show group Y)?
I'll also need to define the "sensitive" gear somehow (either via NAS
name or IP address as defined in clients.conf) and return a reject for
those cases...
Below is the entirety of my "group_authz" file from policy.d/ so you
know what I'm doing now.
I am far from a developer, so I'm open to any and all ideas to improve
this (in case I've done something stupid), as well as meet my new
"tiered" requirements.
Thanks all!
Braden McGrath
braden(a)big-geek.net
group_authz {
if (&LDAP-Group[*] ==
"cn=network-fulladmin,${modules.ldap.group.base_dn}") {
switch "%{client:nas_type}" {
case mikrotik {
# For Mikrotik routers
update reply {
&Mikrotik-Group := "full"
}
return
}
case dell_os10 {
# For Dell OS10 switches
update reply {
&Cisco-AVPair += 'shell:roles="sysadmin"'
}
return
}
case juniper {
# For Juniper / JunOS devices
update reply {
&Juniper-Local-User-Name := "SUPER"
}
return
}
case cisco {
update reply {
&Cisco-AVPair += "shell:priv-lvl=15"
# &Service-Type := "Administrative-User"
}
return
}
case awplus {
# AlliedWare Plus - Allied Telesis switches (and others)
#
https://www.alliedtelesis.com/sites/default/files/documents/configuration-g…
# NOTE: AWPlus treats any Service-Type other than
"Administrative-User" or "NAS-Prompt-User" as ACCESS-REJECT
update reply {
&Service-Type := "Administrative-User"
}
return
}
case {
# default case - shouldn't ever match!
update reply {
&Reply-Message := "Could not find NAS_Type - check
clients.conf?"
}
reject
}
}
# debug_reply
return
}
elsif (&LDAP-Group[*] ==
"cn=network-readonly,${modules.ldap.group.base_dn}") {
switch "%{client:nas_type}" {
case mikrotik {
# Obviously, this group gets read access...
update reply {
&Mikrotik-Group := "read"
}
return
}
case dell_os10 {
# On the Dells, this allows normal "op" actions but
can't read/dump config
update reply {
&Cisco-AVPair += 'shell:roles="netoperator"'
}
return
}
case juniper {
# true read-only for now, can use "OPR" if we want to
allow clearing counters / etc
update reply {
&Juniper-Local-User-Name := "RO"
}
return
}
case cisco {
update reply {
# priv-lvl=1 is basic RO / not-enabled on Cisco,
not "7" like Allied Telesis
&Cisco-AVPair += "shell:priv-lvl=1"
#&Service-Type := "NAS-Prompt-User"
}
return
}
case awplus {
# this should be readonly/show commands for Allied Telesis
# Definitely need both of these for priv7 level, drop
the AVPair for just priv1
update reply {
&Cisco-AVPair += "shell:priv-lvl=7"
&Service-Type := "NAS-Prompt-User"
}
return
}
case {
# default case, shouldn't ever match
update reply {
&Reply-Message := "Could not find NAS_Type - check
clients.conf?"
}
reject
}
}
return
}
else {
update reply {
&Reply-Message := "User not authorized - check
directory/LDAP group membership"
}
reject
}
}
4
5
Version 3.2.0 has now been released. This is the new "feature" branch of v3.
All features and bug fixes from 3.0.x are included in the 3.2.0 release.
Notable updates include:
- Support PEAP and TTLS with TLS 1.3. This has been tested with
wpa_supplicant and Windows 11.
- Support OpenSSL 3.
- Support for the haproxy "PROXY" protocol.
Source and tarballs are available on GitHub:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_0
Packages and Docker images will be available shortly.
--
Matthew
4
5
Hello,
When we start freeradius server and the database server connection is
working properly, freeradius server is started correctly but when we stop
the database server, freeradaius server is always up and running and makes
responses to the nas with reject response.
Is there any solution to make freeradius gow down when it losts connection
to database or not send response to NAS ?
Thanks
Bassem
4
5
Freeradius 3.0.21 with chroot enables fails to start from the Systemd unit file.
by Antonios Kalkakos 21 Apr '22
by Antonios Kalkakos 21 Apr '22
21 Apr '22
Hello all,
I am trying to test chroot on a Raspberry Pi running the distro-provided
Freeradius 3.0.21 on the 32bit Raspberry Pi OS (Debian) 11.
According to the instructions from networkradius.com and freeradius -X
error messages, I created the chroot folder hierarchy and the required
files as shown below:
The character devices null, zero, random and urandom were created under
/var/freeradius/chroot/dev.
/var/freeradius/chroot/etc/ssl/certs
/var/freeradius/chroot/etc/ssl/certs/private
/var/freeradius/chroot/etc/passwd
/var/freeradius/chroot/var/run
The following folders and files are bind mounted in the chroot:
/var/freeradius/chroot/usr/lib/freeradius/
/var/freeradius/chroot/usr/lib/arm-linux-gnueabihf/
/var/freeradius/chroot/etc/freeradius/3.0/certs/
/var/freeradius/chroot/etc/freeradius/3.0/mods-config/
/var/freeradius/chroot/etc/nsswitch.conf
/var/freeradius/chroot/etc/resolv.conf
/var/freeradius/chroot/var/log/freeradius/
The ownership and permission bits for all files and folders in the
chroot folder are the same as their non-chrooted counterparts.
Finally, I enabled chroot in radiusd.conf.
Running freeradius -X, the debug output seems to be *exactly* the same
as running freeradius -X with chroot disabled (well, only the line
chroot = "/var/freeradius/chroot" was added in the security {} block
output). While running the chrooted Freeradius as freeradius -X,
Freeradius performs client authentication with EAP-PEAP and EAP-(T)TLS,
proxing, etc normally. If -P is provided (freeradius -XP), the PID file
is created in the /var/freeradius/chroot/var/run/ as expected. The
output of freeradius -X with chroot enabled is given below:
---------------freeradius -X output------------------------
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/filter
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
chroot = "/var/freeradius/chroot"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server home_server1 {
ipaddr = 192.168.1.10
port = 0
type = "auth+acct"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
home_server_pool test_local_pool {
type = fail-over
home_server = home_server1
}
realm MY_REALM {
pool = test_local_pool
nostrip
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 192.168.1.11 {
ipaddr = 192.168.1.11
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = eap
# Creating Auth-Type = mschap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_detail
# Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file
/etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_always
# Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_digest
# Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_radutmp
# Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_mschap
# Loading module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
instantiate {
}
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/freeradius.key"
certificate_file = "/etc/ssl/certs/freeradius.crt"
ca_file =
"/usr/local/share/ca-certificates/ca-certificates-freeradius.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:335
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipv4addr = 192.168.1.20
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv4addr = 192.168.1.20
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address 192.168.1.20 port 1812 bound to server default
Listening on acct address 192.168.1.20 port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 44958
Listening on proxy address :: port 32891
Ready to process requests
---------------End of freeradius -X output-----------------
If I try to start the chrooted Freeradius from the provided Systemd
startup script, it fails and journalctl -xe returns the following:
---------------journalctl -xe output --------------------------
Support: https://www.debian.org/support
The unit freeradius.service completed and consumed the indicated resources.
Apr 16 14:14:36 raspberry systemd[1]: Starting FreeRADIUS multi-protocol
policy server...
Subject: A start job for unit freeradius.service has begun execution
Defined-By: systemd
Support: https://www.debian.org/support
A start job for unit freeradius.service has begun execution.
The job identifier is 2157.
Apr 16 14:14:37 raspberry freeradius[2624]: FreeRADIUS Version 3.0.21
Apr 16 14:14:37 raspberry freeradius[2624]: Copyright (C) 1999-2019 The
FreeRADIUS server project and contributors
Apr 16 14:14:37 raspberry freeradius[2624]: There is NO warranty; not
even for MERCHANTABILITY or FITNESS FOR A
Apr 16 14:14:37 raspberry freeradius[2624]: PARTICULAR PURPOSE
Apr 16 14:14:37 raspberry freeradius[2624]: You may redistribute copies
of FreeRADIUS under the terms of the
Apr 16 14:14:37 raspberry freeradius[2624]: GNU General Public License
Apr 16 14:14:37 raspberry freeradius[2624]: For more information about
these matters, see the file named COPYRIGHT
Apr 16 14:14:37 raspberry freeradius[2624]: Starting - reading
configuration files ...
Apr 16 14:14:37 raspberry freeradius[2624]: Debug state unknown
(cap_sys_ptrace capability not set)
Apr 16 14:14:37 raspberry freeradius[2624]: Creating attribute Unix-Group
Apr 16 14:14:37 raspberry freeradius[2624]: rlm_cache (cache_eap):
Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Apr 16 14:14:37 raspberry freeradius[2624]: tls: Using cached TLS
configuration from previous invocation
Apr 16 14:14:37 raspberry freeradius[2624]: tls: Using cached TLS
configuration from previous invocation
Apr 16 14:14:37 raspberry freeradius[2624]: rlm_detail (auth_log):
'User-Password' suppressed, will not appear in detail output
Apr 16 14:14:37 raspberry freeradius[2624]: rlm_mschap (mschap): using
internal authentication
Apr 16 14:14:37 raspberry freeradius[2624]: Ignoring "sql" (see
raddb/mods-available/README.rst)
Apr 16 14:14:37 raspberry freeradius[2624]: # Skipping contents of 'if'
as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:335
Apr 16 14:14:37 raspberry freeradius[2624]: radiusd: #### Skipping IP
addresses and Ports ####
Apr 16 14:14:37 raspberry freeradius[2624]: Configuration appears to be OK
Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Main process
exited, code=exited, status=1/FAILURE
Subject: Unit process exited
Defined-By: systemd
Support: https://www.debian.org/support
An ExecStart= process belonging to unit freeradius.service has exited.
The process' exit code is 'exited' and its exit status is 1.
Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Failed with
result 'exit-code'.
Subject: Unit failed
Defined-By: systemd
Support: https://www.debian.org/support
The unit freeradius.service has entered the 'failed' state with result
'exit-code'.
Apr 16 14:14:37 raspberry systemd[1]: Failed to start FreeRADIUS
multi-protocol policy server.
Subject: A start job for unit freeradius.service has failed
Defined-By: systemd
Support: https://www.debian.org/support
A start job for unit freeradius.service has finished with a failure.
The job identifier is 2157 and the job result is failed.
Apr 16 14:14:37 raspberry systemd[1]: freeradius.service: Consumed
1.338s CPU time.
Subject: Resources consumed by unit runtime
Defined-By: systemd
Support: https://www.debian.org/support
The unit freeradius.service completed and consumed the indicated resources.
---------------End of journalctl -xe output--------------------
Although I am not a Systemd or a Freeradius guru, I made a simple
investigation with the following results:
1) The provided systemd script contains the following lines:
ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout
ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS
The variable $FREERADIUS_OPTIONS populated in /etc/default/freeradius is
set to an empty string ("") - the provided default value.
2) The command in ExecStartPre (/usr/sbin/freeradius -Cx -lstdout)
always returns with the message "Configuration appears to be OK".
3) If I run freeradius -f -lstdout (as shown above in ExecStart) from
the command line, I am getting the following output depending on the
user I am logged in:
a) As 'root' *regardless if chroot is enabled or not* or as 'freerad'
(the Freeradius user in Debian) *with chroot disabled*, the output is:
----------freeradius -f -lstdout output---------------------
root@raspberry:~# freeradius -f -lstdout
Sat Apr 16 14:23:07 2022 : Info: Starting - reading configuration files ...
Sat Apr 16 14:23:07 2022 : Info: Debugger not attached
Sat Apr 16 14:23:07 2022 : Info: systemd watchdog is disabled
Sat Apr 16 14:23:07 2022 : Info: Loaded virtual server <default>
Sat Apr 16 14:23:07 2022 : Warning: Ignoring "sql" (see
raddb/mods-available/README.rst)
Sat Apr 16 14:23:07 2022 : Info: Loaded virtual server default
Sat Apr 16 14:23:07 2022 : Info: # Skipping contents of 'if' as it is
always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:335
Sat Apr 16 14:23:07 2022 : Info: Loaded virtual server inner-tunnel
Sat Apr 16 14:23:07 2022 : Info: Ready to process requests
----------End of freeradius -f -lstdout output--------------
b) As 'freerad' *with chroot enabled*, freeradius -f -lstdout returns
immediately without reporting or logging any error(s):
----------freeradius -f -lstdout output---------------------
freerad@raspberry:$ freeradius -f -lstdout
Sat Apr 16 14:24:50 2022 : Info: Starting - reading configuration files ...
freerad@raspberry:$
----------End of freeradius -f -lstdout output--------------
Is this a permission problem or am I doing something wrong?
Thank you in advance,
Antonios
4
7
Is rlm_smsotp still a supported module?
2
2
Hello All,
I started to play with FreeRADIUS v4 and i use the Dockerfile (Debian 11) in order to have the lastest FreeRADIUS v4 version (last commit id) running.
The only thing i changed from the default configuration is the clients.conf file just to add my my source ip:
```
client test {
ipaddr = 172.17.0.1
secret = testing123
}
```
I did a simple test with eapol_test with a fake account and it end with a seg fault.
eapol_test -c v4_peap_user.conf -s testing123 -a 172.17.0.1 -M de:ad:be:ef:42:42 -N 30:s:00:11:22:33:44:55:UConnect -N4:x:c0a80001
v4_peap_user.conf:
```
network={
ssid="UConnect"
key_mgmt=WPA-EAP
eap=PEAP
identity="testuser(a)testuser.ca"
anonymous_identity="testuser(a)testuser.ca"
password="strongestpasswordintheworld"
phase2="autheap=MSCHAPV2"
#
# Uncomment the following to perform server certificate validation.
# ca_cert="/etc/raddb/certs/ca.der"
}
```
```
(6.0) eap.peap - Virtual server (null) received request
(6.0) eap.peap - EAP-Identity = "testuser(a)testuser.ca"
(6.0) eap.peap - EAP-Type = PEAP
(6.0) eap.peap - server (null) {
CAUGHT SIGNAL: Segmentation fault
Backtrace of last 2 frames:
/opt/freeradius/lib/libfreeradius-util.so(fr_fault+0xe8)[0x7f6ea5a1106b]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x14140)[0x7f6ea5797140]
No panic action set
_EXIT(139) CALLED src/lib/util/debug.c[1052]
```
Not sure what happen exactly, but can it be a configuration issue or is it too early to start to test FreeRADIUS 4 ?
Thanks
Regards
Fabrice
```
root@d8616b73313c:/opt/freeradius# ./sbin/radiusd -X
Info : FreeRADIUS Version 4.0.0
Info : Copyright 1999-2022 The FreeRADIUS server project and contributors
Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info : PARTICULAR PURPOSE
Info : You may redistribute copies of FreeRADIUS under the terms of the
Info : GNU General Public License
Info : For more information about these matters, see the file named COPYRIGHT
Getting debug state failed: ptrace capability not set. If debugger detection is required run as root or: setcap cap_sys_ptrace+ep <path_to_binary>
Info : Starting - reading configuration files ...
Debug : Including dictionary file "/opt/freeradius/etc/raddb/dictionary"
including configuration file /opt/freeradius/etc/raddb/radiusd.conf
Including files in directory "/opt/freeradius/etc/raddb/template.d/"
including configuration file /opt/freeradius/etc/raddb/template.d/default
including configuration file /opt/freeradius/etc/raddb/clients.conf
Including files in directory "/opt/freeradius/etc/raddb/mods-enabled/"
including configuration file /opt/freeradius/etc/raddb/mods-enabled/always
including configuration file /opt/freeradius/etc/raddb/mods-enabled/attr_filter
including configuration file /opt/freeradius/etc/raddb/mods-enabled/cache_eap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/chap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/client
including configuration file /opt/freeradius/etc/raddb/mods-enabled/delay
including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail
including configuration file /opt/freeradius/etc/raddb/mods-enabled/detail.log
including configuration file /opt/freeradius/etc/raddb/mods-enabled/digest
including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/eap_inner
including configuration file /opt/freeradius/etc/raddb/mods-enabled/echo
including configuration file /opt/freeradius/etc/raddb/mods-enabled/escape
including configuration file /opt/freeradius/etc/raddb/mods-enabled/exec
including configuration file /opt/freeradius/etc/raddb/mods-enabled/expr
including configuration file /opt/freeradius/etc/raddb/mods-enabled/files
including configuration file /opt/freeradius/etc/raddb/mods-enabled/linelog
including configuration file /opt/freeradius/etc/raddb/mods-enabled/logintime
including configuration file /opt/freeradius/etc/raddb/mods-enabled/mschap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/ntlm_auth
including configuration file /opt/freeradius/etc/raddb/mods-enabled/pap
including configuration file /opt/freeradius/etc/raddb/mods-enabled/passwd
including configuration file /opt/freeradius/etc/raddb/mods-enabled/radutmp
including configuration file /opt/freeradius/etc/raddb/mods-enabled/soh
including configuration file /opt/freeradius/etc/raddb/mods-enabled/sradutmp
including configuration file /opt/freeradius/etc/raddb/mods-enabled/stats
including configuration file /opt/freeradius/etc/raddb/mods-enabled/unix
including configuration file /opt/freeradius/etc/raddb/mods-enabled/unpack
including configuration file /opt/freeradius/etc/raddb/mods-enabled/utf8
Including files in directory "/opt/freeradius/etc/raddb/policy.d/"
including configuration file /opt/freeradius/etc/raddb/policy.d/abfab-tr
including configuration file /opt/freeradius/etc/raddb/policy.d/accounting
including configuration file /opt/freeradius/etc/raddb/policy.d/canonicalisation
including configuration file /opt/freeradius/etc/raddb/policy.d/control
including configuration file /opt/freeradius/etc/raddb/policy.d/cui
including configuration file /opt/freeradius/etc/raddb/policy.d/debug
including configuration file /opt/freeradius/etc/raddb/policy.d/dhcp
including configuration file /opt/freeradius/etc/raddb/policy.d/eap
including configuration file /opt/freeradius/etc/raddb/policy.d/filter
including configuration file /opt/freeradius/etc/raddb/policy.d/operator-name
including configuration file /opt/freeradius/etc/raddb/policy.d/tacacs
including configuration file /opt/freeradius/etc/raddb/policy.d/time
including configuration file /opt/freeradius/etc/raddb/policy.d/vendor
Including files in directory "/opt/freeradius/etc/raddb/sites-enabled/"
including configuration file /opt/freeradius/etc/raddb/sites-enabled/default
Loaded module "process_radius"
Loaded module "proto_radius"
including configuration file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
prefix = /opt/freeradius
security {
allow_core_dumps = no
allow_vulnerable_openssl = yes
openssl_fips_mode = no
}
name = radiusd
local_state_dir = "/opt/freeradius/var"
run_dir = /opt/freeradius/var/run/radiusd
}
Parsing main configuration.
main {
server default {
namespace = radius
radius {
Access-Request {
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
session {
timeout = 15
max = 4096
}
}
}
listen {
type = Access-Request
type = Status-Server
transport = udp
Loaded module "proto_radius_udp"
udp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 5.068619887
idle_timeout = 60.068619887
nak_lifetime = 30.068619887
max_connections = 256
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen {
type = Access-Request
type = Status-Server
transport = tcp
Loaded module "proto_radius_tcp"
tcp {
ipaddr = *
port = 1812
networks {
allow = 127/8
allow = 192.0.2/24
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 16.70678144
idle_timeout = 36.719805145
nak_lifetime = 37.379572924
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
listen {
type = Accounting-Request
transport = udp
udp {
ipaddr = *
port = 1813
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 21.384014109
idle_timeout = 41.397037814
nak_lifetime = 42.056805593
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
server inner-tunnel {
namespace = radius
radius {
Access-Request {
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
session {
timeout = 15
max = 4096
}
}
}
listen {
type = Access-Request
transport = udp
udp {
ipaddr = 127.0.0.1
port = 18120
networks {
}
max_packet_size = 4096
max_attributes = 255
}
limit {
cleanup_delay = 16.966142743
idle_timeout = 36.979166448
nak_lifetime = 37.638934227
max_connections = 1024
max_clients = 256
max_pending_packets = 256
}
priority {
Access-Request = high
Accounting-Request = low
CoA-Request = normal
Disconnect-Request = low
Status-Server = now
}
}
}
security {
}
sbin_dir = "/opt/freeradius/sbin"
logdir = /opt/freeradius/var/log/radius
radacctdir = /opt/freeradius/var/log/radius/radacct
reverse_lookups = no
hostname_lookups = yes
max_request_time = 30
pidfile = /opt/freeradius/var/run/radiusd/radiusd.pid
debug_level = 0
max_requests = 16384
log {
colourise = yes
}
resources {
}
thread pool {
num_networks = 1
num_workers = 0
Setting thread.workers = 2
openssl_async_pool_init = 64
openssl_async_pool_max = 1024
}
}
Switching to configured log settings
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
proto = *
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client test {
ipaddr = 172.17.0.1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debug state unknown (cap_sys_ptrace capability not set)
systemd watchdog is disabled
pre-suid-down capabilities: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
trigger { ... } subsection not found, triggers will be disabled
#### Bootstrapping listeners ####
client localhost {
ipaddr = 192.0.2.1
require_message_authenticator = no
dedup_authenticator = no
secret = <<< secret >>>
shortname = sample
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Creating Auth-Type = pap
Creating Auth-Type = chap
Creating Auth-Type = mschap
Creating Auth-Type = digest
Creating Auth-Type = ldap
Creating Auth-Type = eap
#### Bootstrapping modules ####
modules {
Loaded module "rlm_always"
always reject {
rcode = reject
simulcount = 0
mpp = no
}
Bootstrapping module "reject"
always fail {
rcode = fail
simulcount = 0
mpp = no
}
Bootstrapping module "fail"
always ok {
rcode = ok
simulcount = 0
mpp = no
}
Bootstrapping module "ok"
always handled {
rcode = handled
simulcount = 0
mpp = no
}
Bootstrapping module "handled"
always invalid {
rcode = invalid
simulcount = 0
mpp = no
}
Bootstrapping module "invalid"
always disallow {
rcode = disallow
simulcount = 0
mpp = no
}
Bootstrapping module "disallow"
always notfound {
rcode = notfound
simulcount = 0
mpp = no
}
Bootstrapping module "notfound"
always noop {
rcode = noop
simulcount = 0
mpp = no
}
Bootstrapping module "noop"
always updated {
rcode = updated
simulcount = 0
mpp = no
}
Bootstrapping module "updated"
Loaded module "rlm_attr_filter"
attr_filter attr_filter.pre-proxy {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.post-proxy {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
key = "%{Realm}"
relaxed = no
}
attr_filter attr_filter.access_reject {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.access_challenge {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
key = "%{User-Name}"
relaxed = no
}
attr_filter attr_filter.accounting_response {
filename = /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
key = "%{User-Name}"
relaxed = no
}
Loaded module "rlm_cache"
cache cache_eap {
driver = rbtree
Loaded module "rlm_cache_rbtree"
key = "%{%{control.State}:-%{%{reply.State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
Bootstrapping module "cache_eap"
Loaded module "rlm_chap"
Loaded module "rlm_client"
Loaded module "rlm_delay"
delay {
delay = 1.0
relative = no
force_reschedule = no
}
Bootstrapping module "delay"
delay delay_reject {
delay = "%{%{reply.FreeRADIUS-Response-Delay}:-1}"
relative = yes
force_reschedule = no
}
Bootstrapping module "delay_reject"
Loaded module "rlm_detail"
detail {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail auth_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail reply_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail pre_proxy_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
detail post_proxy_log {
filename = /opt/freeradius/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y-%m-%d
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
Loaded module "rlm_digest"
Loaded module "rlm_eap"
eap {
require_identity_realm = nai
type = md5
Loaded module "rlm_eap_md5"
type = gtc
Loaded module "rlm_eap_gtc"
gtc {
challenge = "Password: "
auth_type = PAP
}
type = tls
Loaded module "rlm_eap_tls"
tls {
tls = tls-common
require_client_cert = yes
include_length = yes
}
type = ttls
Loaded module "rlm_eap_ttls"
ttls {
tls = tls-common
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
type = mschapv2
Loaded module "rlm_eap_mschapv2"
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = peap
Loaded module "rlm_eap_peap"
peap {
tls = tls-common
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
ignore_unknown_eap_types = no
}
Bootstrapping module "eap"
eap inner-eap {
require_identity_realm = nai
default_eap_type = mschapv2
type = md5
type = gtc
gtc {
challenge = "Password: "
auth_type = PAP
}
type = mschapv2
mschapv2 {
with_ntdomain_hack = no
auth_type = mschap
send_error = no
}
type = tls
tls {
tls = tls-peer
require_client_cert = yes
include_length = yes
}
ignore_unknown_eap_types = no
}
Bootstrapping module "inner-eap"
Loaded module "rlm_exec"
exec echo {
wait = yes
program = "/bin/echo Tmp-String-0 := %{User-Name}"
input_pairs = request
output_pairs = reply
shell_escape = yes
env_inherit = no
}
Bootstrapping module "echo"
Loaded module "rlm_escape"
escape {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
Bootstrapping module "escape"
exec {
wait = yes
input_pairs = request
shell_escape = yes
env_inherit = no
timeout = 10
}
Bootstrapping module "exec"
Loaded module "rlm_expr"
Bootstrapping module "expr"
Loaded module "rlm_files"
files {
filename = /opt/freeradius/etc/raddb/mods-config/files/authorize
acctusersfile = /opt/freeradius/etc/raddb/mods-config/files/accounting
key = "%{%{Stripped-User-Name}:-%{User-Name}}"
}
Loaded module "rlm_linelog"
linelog {
destination = file
delimiter = "\n"
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply.Packet-Type}:-default}"
file {
filename = /opt/freeradius/var/log/radius/linelog
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
server = localhost IPv4 address [127.0.0.1]
port = 514
timeout = 7.284352243
}
udp {
server = localhost IPv4 address [127.0.0.1]
port = 514
timeout = 4.749470769
}
}
linelog log_accounting {
destination = file
delimiter = "\n"
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
file {
filename = /opt/freeradius/var/log/radius/linelog-accounting
permissions = 384
escape_filenames = no
}
syslog {
severity = "info"
}
unix {
}
tcp {
timeout = 1000
}
udp {
timeout = 1000
}
}
Loaded module "rlm_logintime"
logintime {
minimum_timeout = 60
}
Loaded module "rlm_mschap"
mschap {
normalise = yes
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind {
retry_with_normalised_username = no
}
}
Bootstrapping module "mschap"
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%(mschap:User-Name) --password=%{User-Password}"
shell_escape = yes
env_inherit = no
}
Bootstrapping module "ntlm_auth"
Loaded module "rlm_pap"
pap {
normalise = yes
}
Loaded module "rlm_passwd"
passwd etc_passwd {
filename = /etc/passwd
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
Loaded module "rlm_radutmp"
radutmp {
filename = /opt/freeradius/var/log/radius/radutmp
username = "%{User-Name}"
check_with_nas = yes
permissions = 384
caller_id = no
}
Loaded module "rlm_soh"
soh {
dhcp = yes
}
Bootstrapping module "soh"
radutmp sradutmp {
filename = /opt/freeradius/var/log/radius/sradutmp
username = "%{User-Name}"
check_with_nas = yes
permissions = 420
caller_id = no
}
Loaded module "rlm_stats"
stats {
}
Loaded module "rlm_unix"
unix {
}
Bootstrapping module "unix"
Creating attribute Unix-Group
Loaded module "rlm_unpack"
Bootstrapping module "unpack"
Loaded module "rlm_utf8"
} # modules
#### Instantiating listeners ####
Compiling policies in server default { ... }
Compiling policies in - recv Access-Request {...}
/opt/freeradius/etc/raddb/sites-enabled/default[795]: Ignoring "-sql" as the "sql" module is not enabled.
/opt/freeradius/etc/raddb/sites-enabled/default[811]: Ignoring "-ldap" as the "ldap" module is not enabled.
Compiling policies in - send Access-Accept {...}
/opt/freeradius/etc/raddb/sites-enabled/default[1122]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Challenge {...}
Compiling policies in - send Access-Reject {...}
/opt/freeradius/etc/raddb/sites-enabled/default[1239]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - recv Accounting-Request {...}
Compiling policies in - send Accounting-Response {...}
/opt/freeradius/etc/raddb/sites-enabled/default[1458]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - recv Status-Server {...}
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate digest {...}
Compiling policies in - authenticate ldap {...}
/opt/freeradius/etc/raddb/sites-enabled/default[981]: Ignoring "-ldap" as the "ldap" module is not enabled.
Compiling policies in - authenticate eap {...}
Compiling policies in - accounting Start {...}
Compiling policies in - accounting Stop {...}
Compiling policies in - accounting Alive {...}
Compiling policies in - accounting Accounting-On {...}
Compiling policies in - accounting Accounting-Off {...}
Compiling policies in - accounting Failed {...}
/opt/freeradius/etc/raddb/sites-enabled/default[80]: radius { ... } section is unused
Compiling policies in server inner-tunnel { ... }
Compiling policies in - recv Access-Request {...}
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[124]: Ignoring "-sql" as the "sql" module is not enabled.
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[134]: Ignoring "-ldap" as the "ldap" module is not enabled.
Compiling policies in - send Access-Accept {...}
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[269]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - send Access-Reject {...}
/opt/freeradius/etc/raddb/sites-enabled/inner-tunnel[304]: Ignoring "-sql" as the "sql" module is not enabled.
Compiling policies in - authenticate pap {...}
Compiling policies in - authenticate chap {...}
Compiling policies in - authenticate mschap {...}
Compiling policies in - authenticate eap {...}
src/lib/server/virtual_servers.c[380]: radius { ... } section is unused
#### Instantiating modules ####
Instantiating module "attr_filter.access_challenge"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_challenge
Instantiating module "attr_filter.access_reject"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/access_reject
Instantiating module "attr_filter.accounting_response"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/accounting_response
Instantiating module "attr_filter.post-proxy"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/post-proxy
Instantiating module "attr_filter.pre-proxy"
Reading file /opt/freeradius/etc/raddb/mods-config/attr_filter/pre-proxy
Instantiating module "auth_log"
auth_log - 'User-Password' suppressed, will not appear in detail output
Instantiating module "cache_eap"
Instantiating module "chap"
Instantiating module "detail"
Instantiating module "digest"
Instantiating module "disallow"
Instantiating module "eap"
Instantiating module "echo"
Instantiating module "etc_passwd"
Instantiating module "exec"
Instantiating module "fail"
Instantiating module "files"
Reading file /opt/freeradius/etc/raddb/mods-config/files/authorize
Reading file /opt/freeradius/etc/raddb/mods-config/files/accounting
Instantiating module "handled"
Instantiating module "inner-eap"
inner-eap - Failed to find 'authenticate inner-eap {...}' section. EAP authentication will likely not work
Instantiating module "invalid"
Instantiating module "linelog"
Instantiating module "log_accounting"
Instantiating module "logintime"
Instantiating module "mschap"
mschap - Using internal authentication
Instantiating module "noop"
Instantiating module "notfound"
Instantiating module "ntlm_auth"
Instantiating module "ok"
Instantiating module "pap"
Instantiating module "post_proxy_log"
Instantiating module "pre_proxy_log"
Instantiating module "reject"
Instantiating module "reply_log"
Instantiating module "stats"
Instantiating module "updated"
Instantiating module "cache_eap.rbtree"
Instantiating module "eap.mschapv2"
Instantiating module "eap.peap"
tls-config tls-common {
chain rsa {
format = pem
certificate_file = /opt/freeradius/etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /opt/freeradius/etc/raddb/certs/rsa/server.key
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /opt/freeradius/etc/raddb/certs
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
dh_file = /opt/freeradius/etc/raddb/certs/dh
fragment_size = 1024
cipher_list = "DEFAULT"
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = prime256v1
tls_min_version = 1.200000
session {
mode = auto
name = "%{EAP-Type}%{Virtual-Server}"
lifetime = 86400
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
Instantiating module "eap.tls"
tls - Using cached TLS configuration from previous invocation
Instantiating module "eap.ttls"
tls - Using cached TLS configuration from previous invocation
Instantiating module "inner-eap.mschapv2"
Instantiating module "inner-eap.tls"
tls-config tls-peer {
chain {
format = pem
certificate_file = /opt/freeradius/etc/raddb/certs/rsa/server.pem
private_key_password = <<< secret >>>
private_key_file = /opt/freeradius/etc/raddb/certs/rsa/server.key
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
verify_mode = hard
include_root_ca = no
}
verify_depth = 0
ca_path = /opt/freeradius/etc/raddb/certs
ca_file = /opt/freeradius/etc/raddb/certs/rsa/ca.pem
dh_file = /opt/freeradius/etc/raddb/certs/dh
fragment_size = 16384
cipher_server_preference = yes
allow_renegotiation = no
ecdh_curve = "prime256v1"
tls_min_version = 1.200000
session {
mode = auto
name = "%{EAP-Type}%{Virtual-Server}"
lifetime = 86400
require_extended_master_secret = yes
require_perfect_forward_secrecy = no
}
verify {
mode = all
attribute_mode = client-and-issuer
check_crl = no
}
}
tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless"
Scheduler created in single-threaded mode
#### Opening listener interfaces ####
Listening on radius_udp server * port 1812 bound to virtual server default
Listening on radius_tcp server * port 1812 bound to virtual server default
Listening on radius_udp server * port 1813 bound to virtual server default
Listening on radius_udp server 127.0.0.1 port 18120 bound to virtual server inner-tunnel
post-suid-down capabilities: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Ready to process requests
proto_radius_udp - Received Access-Request ID 0 length 182 radius_udp server * port 1812
Worker - Resetting cleanup timer to +30
(0) default {
(0) Received Access-Request ID 0 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(0) User-Name = "testuser(a)testuser.ca"
(0) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(0) NAS-IP-Address = 192.168.0.1
(0) EAP-Message = 0x02e100190174657374757365724074657374757365722e6361
(0) Message-Authenticator = 0x0974fe1b57a5e18d67d63ebca3cca28b
(0) Packet-Type = Access-Request
(0) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) recv Access-Request {
(0) policy filter_username {
(0) if (&State) {
(0) ...
(0) }
(0) elsif (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) ...
(0) }
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) ...
(0) }
(0) if (&User-Name =~ /\.\./ ) {
(0) ...
(0) }
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)[^.]+(\.[^.]+)+$/)) {
(0) ...
(0) }
(0) if (&User-Name =~ /\.$/) {
(0) ...
(0) }
(0) if (&User-Name =~ /(a)\./) {
(0) ...
(0) }
(0) update session-state {
(0) &Session-State-User-Name := &User-Name -> "testuser(a)testuser.ca"
(0) } # update session-state (noop)
(0) } # elsif (&User-Name) (noop)
(0) } # policy filter_username (noop)
(0) chap (noop)
(0) mschap (noop)
(0) digest (noop)
(0) eap - Peer sent EAP Response (code 2) ID 225 length 25
(0) eap - Peer sent EAP-Identity. Returning 'ok' so we can short-circuit the rest of authorize
(0) eap - Setting &control.Auth-Type = eap
(0) eap (ok)
(0) } # recv Access-Request (ok)
(0) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) authenticate eap {
(0) eap - New EAP session started
(0) eap - Peer sent packet with EAP method Identity (1)
(0) eap - Calling submodule eap_md5
(0) subrequest {
(0.0) eap.md5 - Issuing MD5 Challenge
(0.0) eap.md5 (handled)
(0) subrequest - Resuming execution
(0) } # subrequest (noop)
(0) eap - Sending EAP Request (code 1) ID 226 length 22
(0) eap (handled)
(0) } # authenticate eap (handled)
(0) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) send Access-Challenge {
(0) attr_filter.access_challenge - EXPAND %{User-Name}
(0) attr_filter.access_challenge - --> testuser(a)testuser.ca
(0) attr_filter.access_challenge - --> testuser(a)testuser.ca
(0) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(0) attr_filter.access_challenge.post-auth (updated)
(0) handled (handled)
(0) } # send Access-Challenge (handled)
(0) radius - Saving &session-state
(0) radius - &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(0) radius (ok)
(0) } # default (ok)
(0) Done request
(0) Sending Access-Challenge ID 0 from 172.17.0.2:1812 to 172.17.0.1:49022 length 80 via socket radius_udp server * port 1812
(0) EAP-Message = 0x01e200160410cf1c6b1980299aa0d90419f575e2436d
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x01018d0013280e7289558d518d7bb3b9
(0) Packet-Type = Access-Challenge
(0) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 1 length 181 radius_udp server * port 1812
(1) default {
(1) Received Access-Request ID 1 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(1) User-Name = "testuser(a)testuser.ca"
(1) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(1) NAS-IP-Address = 192.168.0.1
(1) EAP-Message = 0x02e200060319
(1) State = 0x01018d0013280e7289558d518d7bb3b9
(1) Message-Authenticator = 0x497720a6d791a595ceaa6044754cf031
(1) Packet-Type = Access-Request
(1) Restored &session-state
(1) &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(1) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) recv Access-Request {
(1) policy filter_username {
(1) if (&State) {
(1) if (&User-Name) {
(1) if (!&session-state.Session-State-User-Name) {
(1) ...
(1) }
(1) if (&User-Name != &session-state.Session-State-User-Name) {
(1) ...
(1) }
(1) } # if (&User-Name) (noop)
(1) } # if (&State) (noop)
(1) } # policy filter_username (noop)
(1) chap (noop)
(1) mschap (noop)
(1) digest (noop)
(1) eap - Peer sent EAP Response (code 2) ID 226 length 6
(1) eap - Continuing on-going EAP conversation
(1) eap - Setting &control.Auth-Type = eap
(1) eap (updated)
(1) files - EXPAND %{Stripped-User-Name}
(1) files - -->
(1) files - EXPAND %{User-Name}
(1) files - --> testuser(a)testuser.ca
(1) files - EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(1) files - --> testuser(a)testuser.ca
(1) files (noop)
(1) policy expiration {
(1) if (&control.Expiration) {
(1) ...
(1) }
(1) } # policy expiration (updated)
(1) logintime (noop)
(1) pap (noop)
(1) } # recv Access-Request (updated)
(1) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) authenticate eap {
(1) eap - Continuing EAP session
(1) eap - Peer sent packet with EAP method NAK (3)
(1) eap - Calling submodule eap_peap
(1) subrequest {
(1.0) eap.peap - Initiating new TLS session
(1.0) eap.peap - EXPAND %{EAP-Type}
(1.0) eap.peap - --> PEAP
(1.0) eap.peap - EXPAND %{Virtual-Server}
(1.0) eap.peap - -->
(1.0) eap.peap (handled)
(1) subrequest - Resuming execution
(1) } # subrequest (noop)
(1) eap - Sending EAP Request (code 1) ID 227 length 6
(1) eap (handled)
(1) } # authenticate eap (handled)
(1) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) send Access-Challenge {
(1) attr_filter.access_challenge - EXPAND %{User-Name}
(1) attr_filter.access_challenge - --> testuser(a)testuser.ca
(1) attr_filter.access_challenge - --> testuser(a)testuser.ca
(1) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(1) attr_filter.access_challenge.post-auth (updated)
(1) handled (handled)
(1) } # send Access-Challenge (handled)
(1) radius - Saving &session-state
(1) radius - &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(1) radius (ok)
(1) } # default (ok)
(1) Done request
(1) Sending Access-Challenge ID 1 from 172.17.0.2:1812 to 172.17.0.1:49022 length 64 via socket radius_udp server * port 1812
(1) EAP-Message = 0x01e300061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x02038d008bd3a65c89558d518d7bb3b9
(1) Packet-Type = Access-Challenge
(1) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 2 length 375 radius_udp server * port 1812
(2) default {
(2) Received Access-Request ID 2 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(2) User-Name = "testuser(a)testuser.ca"
(2) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(2) NAS-IP-Address = 192.168.0.1
(2) EAP-Message = 0x02e300c81980000000be16030100b9010000b5030340c75eff9a2146e20efd7538a0308ec6ed2d6df3a09d48d5f53abb65ccdaf553000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(2) State = 0x02038d008bd3a65c89558d518d7bb3b9
(2) Message-Authenticator = 0xf0aedc9cd95dfc616efb7c16b85ac4ca
(2) Packet-Type = Access-Request
(2) Restored &session-state
(2) &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(2) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) recv Access-Request {
(2) policy filter_username {
(2) if (&State) {
(2) if (&User-Name) {
(2) if (!&session-state.Session-State-User-Name) {
(2) ...
(2) }
(2) if (&User-Name != &session-state.Session-State-User-Name) {
(2) ...
(2) }
(2) } # if (&User-Name) (noop)
(2) } # if (&State) (noop)
(2) } # policy filter_username (noop)
(2) chap (noop)
(2) mschap (noop)
(2) digest (noop)
(2) eap - Peer sent EAP Response (code 2) ID 227 length 200
(2) eap - Continuing tunnel setup
(2) eap - Setting &control.Auth-Type = eap
(2) eap (ok)
(2) } # recv Access-Request (ok)
(2) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) authenticate eap {
(2) eap - Continuing EAP session
(2) eap - Peer sent packet with EAP method PEAP (25)
(2) eap - Calling submodule eap_peap
(2) subrequest {
(2.0) eap.peap - Continuing EAP-TLS
(2.0) eap.peap - Peer indicated complete TLS record size will be 190 bytes
(2.0) eap.peap - Got complete TLS record, with length field (190 bytes)
(2.0) eap.peap - [eap-tls verify] = complete
(2.0) Handshake state - before SSL initialization (0)
(2.0) Handshake state - Server before SSL initialization (0)
(2.0) Handshake state - Server before SSL initialization (0)
(2.0) <<< recv TLS 1.3, handshake[length 185], client_hello
(2.0) Allowing future session-resumption
(2.0) Handshake state - Server SSLv3/TLS read client hello (20)
(2.0) >>> send TLS 1.2, handshake[length 61], server_hello
(2.0) Handshake state - Server SSLv3/TLS write server hello (22)
(2.0) >>> send TLS 1.2, handshake[length 1397], certificate
(2.0) Handshake state - Server SSLv3/TLS write certificate (23)
(2.0) >>> send TLS 1.2, handshake[length 333], server_key_exchange
(2.0) Handshake state - Server SSLv3/TLS write key exchange (24)
(2.0) >>> send TLS 1.2, handshake[length 4], server_hello_done
(2.0) Handshake state - Server SSLv3/TLS write server done (26)
(2.0) Need more data from client
(2.0) SSL_read (tls_session_async_handshake_cont) - SSL_ERROR_WANT_READ (2)
(2.0) Complete TLS record (1815 bytes) larger than MTU (990 bytes), will fragment
(2.0) Sending first TLS record fragment (990 bytes), 825 bytes remaining
(2.0) eap.peap - [eap-tls process] = handled
(2.0) eap.peap (handled)
(2) subrequest - Resuming execution
(2) } # subrequest (noop)
(2) eap - Sending EAP Request (code 1) ID 228 length 1000
(2) eap (handled)
(2) } # authenticate eap (handled)
(2) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) send Access-Challenge {
(2) attr_filter.access_challenge - EXPAND %{User-Name}
(2) attr_filter.access_challenge - --> testuser(a)testuser.ca
(2) attr_filter.access_challenge - --> testuser(a)testuser.ca
(2) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(2) attr_filter.access_challenge.post-auth (updated)
(2) handled (handled)
(2) } # send Access-Challenge (handled)
(2) radius - Saving &session-state
(2) radius - &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(2) radius (ok)
(2) } # default (ok)
(2) Done request
(2) Sending Access-Challenge ID 2 from 172.17.0.2:1812 to 172.17.0.1:49022 length 1064 via socket radius_udp server * port 1812
(2) EAP-Message = 0x01e403e819c000000717160303003d020000390303d477d2cab8c6e912f6ef31ac9b07c9c80d7ba2779e10ab73444f574e4752440100c030000011ff01000100000b0004030001020017000016030305750b00057100056e00056b308205673082044fa003020102020101300d06092a864886f70d01010b0500308192310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531143012060355040a0c0b4578616d706c6520496e633120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303431323134303733385a170d3232303631313134303733385a307b310b3009060355040613024652310f300d06035504080c0652616469757331143012060355040a0c0b4578616d706c6520496e633123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e2eae82feaa1c197c639331ba5b8dd5320f9a880088620953e3bceb947e3df8192158f5ee6544cc63104c322da2f345ea14c23892f10cdfb888707e06e0b968be0f322858e5c0c30811986d836886b88b210bd23fcb8eae1a2ff65608d1c799927a4dfaf5401e9b793698ab6ff9193fdf193d18e972b89adb1c07d8f1be784e7d8540fe70bfa8a23bb6cea24aec8a7611c6121b1fd4550fbd927595b66038f972be2508ee3e9cb8ec388e9fa7ea7ff4ef6284767d66ea3cf9c56f31480ae767300aba7e448d1b8158f354023508eac4e9e8dd8643229620e09ff1d74001dc4302ee4d343d49c52bf7b66d54cecf9b232fb46e78a31087f39bb2a8d7b6a139b6d0203010001a38201dc308201d8301d0603551d0e0416041431dc74562239f150d15fd33ce06d6189473c69f63081d20603551d230481ca3081c780147ddde3d24fb7f2c6258d40079b632740a6d36deda18198a48195308192310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531143012060355040a0c0b4578616d706c6520496e633120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982146a1367d2f5e1005ae876ac00c9def9da9e3c943830090603551d1304023000300b0603551d0f0404030205e0301d
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x03018d0013280e7289558d518d7bb3b9
(2) Packet-Type = Access-Challenge
(2) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 3 length 181 radius_udp server * port 1812
(3) default {
(3) Received Access-Request ID 3 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(3) User-Name = "testuser(a)testuser.ca"
(3) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(3) NAS-IP-Address = 192.168.0.1
(3) EAP-Message = 0x02e400061900
(3) State = 0x03018d0013280e7289558d518d7bb3b9
(3) Message-Authenticator = 0x6828bc2a6be551813cfe294e29a7817d
(3) Packet-Type = Access-Request
(3) Restored &session-state
(3) &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(3) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) recv Access-Request {
(3) policy filter_username {
(3) if (&State) {
(3) if (&User-Name) {
(3) if (!&session-state.Session-State-User-Name) {
(3) ...
(3) }
(3) if (&User-Name != &session-state.Session-State-User-Name) {
(3) ...
(3) }
(3) } # if (&User-Name) (noop)
(3) } # if (&State) (noop)
(3) } # policy filter_username (noop)
(3) chap (noop)
(3) mschap (noop)
(3) digest (noop)
(3) eap - Peer sent EAP Response (code 2) ID 228 length 6
(3) eap - Continuing tunnel setup
(3) eap - Setting &control.Auth-Type = eap
(3) eap (ok)
(3) } # recv Access-Request (ok)
(3) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) authenticate eap {
(3) eap - Continuing EAP session
(3) eap - Peer sent packet with EAP method PEAP (25)
(3) eap - Calling submodule eap_peap
(3) subrequest {
(3.0) eap.peap - Continuing EAP-TLS
(3.0) eap.peap - Peer ACKed our handshake fragment
(3.0) eap.peap - [eap-tls verify] = request
(3.0) eap.peap - Sending final TLS record fragment (825 bytes)
(3.0) eap.peap - [eap-tls process] = handled
(3.0) eap.peap (handled)
(3) subrequest - Resuming execution
(3) } # subrequest (noop)
(3) eap - Sending EAP Request (code 1) ID 229 length 831
(3) eap (handled)
(3) } # authenticate eap (handled)
(3) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) send Access-Challenge {
(3) attr_filter.access_challenge - EXPAND %{User-Name}
(3) attr_filter.access_challenge - --> testuser(a)testuser.ca
(3) attr_filter.access_challenge - --> testuser(a)testuser.ca
(3) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(3) attr_filter.access_challenge.post-auth (updated)
(3) handled (handled)
(3) } # send Access-Challenge (handled)
(3) radius - Saving &session-state
(3) radius - &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(3) radius (ok)
(3) } # default (ok)
(3) Done request
(3) Sending Access-Challenge ID 3 from 172.17.0.2:1812 to 172.17.0.1:49022 length 895 via socket radius_udp server * port 1812
(3) EAP-Message = 0x01e5033f19000603551d250416301406082b0601050507030106082b0601050507030e30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c303706082b06010505070101042b3029302706082b06010505073001861b687474703a2f2f7777772e6578616d706c652e6f72672f6f637370303a0603551d110433303182127261646975732e6578616d706c652e6f7267a01b06082b06010505070808a00f0c0d2a2e6578616d706c652e636f6d300d06092a864886f70d01010b05000382010100678d89096e6b3e48248e71e584e9faf3aa8098dd75bf170fb9cb754086997897441c3e72dee297dfa73c153d203c2eda6a06d403b12732d3ac8f7bbf64c20c3be5a9580892abc692368bf68b3cc31bf41a175cf374e0d3bcef0f9fcda4bda7b33544c7e5a4170bb3345bf5f385a54ae974fb97c862dcc35ea0f116efedcc7ac4b89bc2db453dada5ba77f16d5c8b9c5dbd2e8dfb65400cc3f1e14ad9789a83ba32fc6304f7f4f07ad99f3a73cd4faab8cc2131e9b906a46395530d28b0ec95148f7a210853bdfa024623c6ecb41d5c9f20cf27b56a8d40885d7fd81afe4aef185e58819100ac5aee5e20c08333dbad3e16750472614ca278405106d1986fa3f4160303014d0c000149030017410476028412e9b00c2630154399c78ae7b787ed8f87e0a714cbe3b3dc73651afbbe104b6b0e49f83cf27fec9379764f4bab6ba48ca1dc415068fd1bd69e671a421e0804010049f912f96ead536a287d6ff62c6bdf45cf0671b73f530402157bc31789aa3352ac7d72803bc668fee51eb8a6c01eb064f51c003a34284e120f5d856b50c705050c0c04b126f5783f5ac4b7f137109225c2da4cd612e8ace939012af571bc0acc70f25d4dfcdd52c5f741ace11c7cba85e3c0920b935fe920a54db3b056c7434f21a0e4b14cff035d445ff2ceca367a6446120dff3e1aa93190360d07a22cb9bf9503255989d9fd4459fd20486ed1af4082df96acd9516b2c6c4c4e1d57af8675796d98c09424751707adcfb9871438aac2527d1edcfc402c6b08ba52c4b196fffda00564b7d6cfe8c5875e6119914bada29860db0bd4ad3cf5cf75851a5aaeed16030300040e000000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x04078d008bd3a65c89558d518d7bb3b9
(3) Packet-Type = Access-Challenge
(3) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 4 length 311 radius_udp server * port 1812
(4) default {
(4) Received Access-Request ID 4 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(4) User-Name = "testuser(a)testuser.ca"
(4) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(4) NAS-IP-Address = 192.168.0.1
(4) EAP-Message = 0x02e5008819800000007e1603030046100000424104af5f0fd9357c5f1ef85c44412ded07130f03214653071decbdd2423cb8d921a4f1fc02b262f63b1ac40dee0720d86e6327a0240932586a76dd4827c434e3bf0e1403030001011603030028f54dfcc389a7197acb64f4cac2ddd2e4602d8a8909d86a71b151adc37da7fa6fbf1625581506cb05
(4) State = 0x04078d008bd3a65c89558d518d7bb3b9
(4) Message-Authenticator = 0x5321739cd526678d61b3d552e3ea2aa0
(4) Packet-Type = Access-Request
(4) Restored &session-state
(4) &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(4) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) recv Access-Request {
(4) policy filter_username {
(4) if (&State) {
(4) if (&User-Name) {
(4) if (!&session-state.Session-State-User-Name) {
(4) ...
(4) }
(4) if (&User-Name != &session-state.Session-State-User-Name) {
(4) ...
(4) }
(4) } # if (&User-Name) (noop)
(4) } # if (&State) (noop)
(4) } # policy filter_username (noop)
(4) chap (noop)
(4) mschap (noop)
(4) digest (noop)
(4) eap - Peer sent EAP Response (code 2) ID 229 length 136
(4) eap - Continuing tunnel setup
(4) eap - Setting &control.Auth-Type = eap
(4) eap (ok)
(4) } # recv Access-Request (ok)
(4) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) authenticate eap {
(4) eap - Continuing EAP session
(4) eap - Peer sent packet with EAP method PEAP (25)
(4) eap - Calling submodule eap_peap
(4) subrequest {
(4.0) eap.peap - Continuing EAP-TLS
(4.0) eap.peap - Peer indicated complete TLS record size will be 126 bytes
(4.0) eap.peap - Got complete TLS record, with length field (126 bytes)
(4.0) eap.peap - [eap-tls verify] = complete
(4.0) Handshake state - Server SSLv3/TLS write server done (26)
(4.0) <<< recv TLS 1.2, handshake[length 70], client_key_exchange
(4.0) Handshake state - Server SSLv3/TLS read client key exchange (28)
(4.0) Handshake state - Server SSLv3/TLS read change cipher spec (31)
(4.0) <<< recv TLS 1.2, handshake[length 16], finished
(4.0) Handshake state - Server SSLv3/TLS read finished (32)
(4.0) >>> send TLS 1.2, change_cipher_spec[length 1]
(4.0) Handshake state - Server SSLv3/TLS write change cipher spec (35)
(4.0) >>> send TLS 1.2, handshake[length 16], finished
(4.0) Handshake state - Server SSLv3/TLS write finished (36)
(4.0) Handshake state - SSL negotiation finished successfully (1)
(4.0) SSL_read (tls_session_async_handshake_cont) - SSL_ERROR_WANT_READ (2)
(4.0) Cipher suite: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
(4.0) Adding TLS session information to request
(4.0) &session-state.TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4.0) &session-state.TLS-Session-Version := "TLS 1.2"
(4.0) Sending complete TLS record (51 bytes)
(4.0) eap.peap - [eap-tls process] = handled
(4.0) eap.peap (handled)
(4) subrequest - Resuming execution
(4) } # subrequest (noop)
(4) eap - Sending EAP Request (code 1) ID 230 length 57
(4) eap (handled)
(4) } # authenticate eap (handled)
(4) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) send Access-Challenge {
(4) attr_filter.access_challenge - EXPAND %{User-Name}
(4) attr_filter.access_challenge - --> testuser(a)testuser.ca
(4) attr_filter.access_challenge - --> testuser(a)testuser.ca
(4) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(4) attr_filter.access_challenge.post-auth (updated)
(4) handled (handled)
(4) } # send Access-Challenge (handled)
(4) radius - Saving &session-state
(4) radius - &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(4) radius (ok)
(4) } # default (ok)
(4) Done request
(4) Sending Access-Challenge ID 4 from 172.17.0.2:1812 to 172.17.0.1:49022 length 115 via socket radius_udp server * port 1812
(4) EAP-Message = 0x01e600391900140303000101160303002855e89feef9aefa2d98c2a520be9d5ba60e5becc07fd359d0f164a8ac94bb6c198ab372d7cf082a1f
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x05018d0013280e7289558d518d7bb3b9
(4) Packet-Type = Access-Challenge
(4) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 5 length 181 radius_udp server * port 1812
(5) default {
(5) Received Access-Request ID 5 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(5) User-Name = "testuser(a)testuser.ca"
(5) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(5) NAS-IP-Address = 192.168.0.1
(5) EAP-Message = 0x02e600061900
(5) State = 0x05018d0013280e7289558d518d7bb3b9
(5) Message-Authenticator = 0xaa9bd0de2ab4c9a24039a10d8964adf3
(5) Packet-Type = Access-Request
(5) Restored &session-state
(5) &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(5) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) recv Access-Request {
(5) policy filter_username {
(5) if (&State) {
(5) if (&User-Name) {
(5) if (!&session-state.Session-State-User-Name) {
(5) ...
(5) }
(5) if (&User-Name != &session-state.Session-State-User-Name) {
(5) ...
(5) }
(5) } # if (&User-Name) (noop)
(5) } # if (&State) (noop)
(5) } # policy filter_username (noop)
(5) chap (noop)
(5) mschap (noop)
(5) digest (noop)
(5) eap - Peer sent EAP Response (code 2) ID 230 length 6
(5) eap - Continuing tunnel setup
(5) eap - Setting &control.Auth-Type = eap
(5) eap (ok)
(5) } # recv Access-Request (ok)
(5) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) authenticate eap {
(5) eap - Continuing EAP session
(5) eap - Peer sent packet with EAP method PEAP (25)
(5) eap - Calling submodule eap_peap
(5) subrequest {
(5.0) eap.peap - Continuing EAP-TLS
(5.0) eap.peap - Peer ACKed our handshake fragment. handshake is finished
(5.0) eap.peap - [eap-tls verify] = established
(5.0) eap.peap - [eap-tls process] = established
(5.0) eap.peap - Session established. Decoding tunneled data
(5.0) eap.peap - PEAP state TUNNEL ESTABLISHED
(5.0) eap.peap - TLS application data to encrypt (5 bytes)
(5.0) eap.peap - Sending complete TLS record (34 bytes)
(5.0) eap.peap (handled)
(5) subrequest - Resuming execution
(5) } # subrequest (noop)
(5) eap - Sending EAP Request (code 1) ID 231 length 40
(5) eap (handled)
(5) } # authenticate eap (handled)
(5) radius - Running 'send Access-Challenge' from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) send Access-Challenge {
(5) attr_filter.access_challenge - EXPAND %{User-Name}
(5) attr_filter.access_challenge - --> testuser(a)testuser.ca
(5) attr_filter.access_challenge - --> testuser(a)testuser.ca
(5) attr_filter.access_challenge - Matched entry DEFAULT at line 12
(5) attr_filter.access_challenge.post-auth (updated)
(5) handled (handled)
(5) } # send Access-Challenge (handled)
(5) radius - Saving &session-state
(5) radius - &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(5) radius (ok)
(5) } # default (ok)
(5) Done request
(5) Sending Access-Challenge ID 5 from 172.17.0.2:1812 to 172.17.0.1:49022 length 98 via socket radius_udp server * port 1812
(5) EAP-Message = 0x01e700281900170303001d55e89feef9aefa2eddf781269ef2298c0b711bd2d99a629cc468e62cca
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x06038d008bd3a65c89558d518d7bb3b9
(5) Packet-Type = Access-Challenge
(5) Finished request
proto_radius_udp - cleaning up request in 5.068620s
proto_radius_udp - Received Access-Request ID 6 length 231 radius_udp server * port 1812
(6) default {
(6) Received Access-Request ID 6 from 172.17.0.1:49022 to 172.17.0.2:1812 via eth0
(6) User-Name = "testuser(a)testuser.ca"
(6) Calling-Station-Id = "DE-AD-BE-EF-42-42"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Called-Station-Id = "00:11:22:33:44:55:UConnect"
(6) NAS-IP-Address = 192.168.0.1
(6) EAP-Message = 0x02e700381900170303002df54dfcc389a7197b019fe17a87ecd0b81c18c14ca1e4037c6fe4b296706a65ddb4acef536fc00eb2744373cacb
(6) State = 0x06038d008bd3a65c89558d518d7bb3b9
(6) Message-Authenticator = 0xf56634caef4bef32092ba0e149273533
(6) Packet-Type = Access-Request
(6) Restored &session-state
(6) &session-state.Session-State-User-Name = "testuser(a)testuser.ca"
(6) Running 'recv Access-Request' from file /opt/freeradius/etc/raddb/sites-enabled/default
(6) recv Access-Request {
(6) policy filter_username {
(6) if (&State) {
(6) if (&User-Name) {
(6) if (!&session-state.Session-State-User-Name) {
(6) ...
(6) }
(6) if (&User-Name != &session-state.Session-State-User-Name) {
(6) ...
(6) }
(6) } # if (&User-Name) (noop)
(6) } # if (&State) (noop)
(6) } # policy filter_username (noop)
(6) chap (noop)
(6) mschap (noop)
(6) digest (noop)
(6) eap - Peer sent EAP Response (code 2) ID 231 length 56
(6) eap - Continuing tunnel setup
(6) eap - Setting &control.Auth-Type = eap
(6) eap (ok)
(6) } # recv Access-Request (ok)
(6) radius - Running 'authenticate eap' from file /opt/freeradius/etc/raddb/sites-enabled/default
(6) authenticate eap {
(6) eap - Continuing EAP session
(6) eap - Peer sent packet with EAP method PEAP (25)
(6) eap - Calling submodule eap_peap
(6) subrequest {
(6.0) eap.peap - Continuing EAP-TLS
(6.0) eap.peap - Got complete TLS record (50 bytes)
(6.0) eap.peap - [eap-tls verify] = complete
(6.0) eap.peap - Decrypted TLS application data (21 bytes)
(6.0) eap.peap - [eap-tls process] = complete
(6.0) eap.peap - Session established. Decoding tunneled data
(6.0) eap.peap - PEAP state WAITING FOR INNER IDENTITY
(6.0) eap.peap - Received EAP-Identity-Response
(6.0) eap.peap - Got inner identity "testuser(a)testuser.ca"
(6.0) eap.peap - Got tunneled request
(6.0) eap.peap - EAP-Message = 0x02e700190174657374757365724074657374757365722e6361
(6.0) eap.peap - Setting &request.User-Name from tunneled (inner) identity "testuser(a)testuser.ca"
(6.0) eap.peap - Running request through virtual server "(null)"
(6.0) eap.peap - Virtual server (null) received request
(6.0) eap.peap - EAP-Identity = "testuser(a)testuser.ca"
(6.0) eap.peap - EAP-Type = PEAP
(6.0) eap.peap - server (null) {
CAUGHT SIGNAL: Segmentation fault
Backtrace of last 2 frames:
/opt/freeradius/lib/libfreeradius-util.so(fr_fault+0xe8)[0x7f6ea5a1106b]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x14140)[0x7f6ea5797140]
No panic action set
_EXIT(139) CALLED src/lib/util/debug.c[1052]
```
Fabrice Durand
Software Engineer Principal
Office: +1.514.447.4918Akamai Technologies
7000 Parc Avenue
Montreal, QC H3N1X1 Canada
Connect with Us:
2
1
LDAP on GC with TLS in upgrade from FreeRadius 2 to FreeRadius 3 not working
by Xin Huang 20 Apr '22
by Xin Huang 20 Apr '22
20 Apr '22
Hello Experts,
I am trying to troubleshoot an issue with the ldap module after upgrading from FreeRadius version 2.2.9 to FreeRadius version 3.0.19.
When using the GC LDAPs port (3269) the LDAP-Group search no longer works on FR3. It seems that the ldap module does not attempt to start tls on port 3269. In a packet capture I can see that there is no TLS certificate exchange, and FreeRadius sends cleartext username and password after TCP handshake, then the LDAP server immediately sends a RST.
In contrast, on FR2, there is a tls negotiation starting and then when successful it is able to perform the LDAP-Group search.
I would appreciate any guidance on whether LDAP queries over Global Catalogue port 3269 is supported with FR3, and if so, how to correct my configuration. Thanks.
Below are logs from failing connection on FR3.0.19 with ldap_debug enabled:
radiusd:7878:1650470518.551847:Wed Apr 20 11:01:58 2022: (10) EXPAND %{redis:hget %{Calling-Station-Id} domain}
radiusd:7878:1650470518.551861:Wed Apr 20 11:01:58 2022: (10) --> CSURFLAB
radiusd:7878:1650470518.551879:Wed Apr 20 11:01:58 2022: (10) EXPAND %{0}
radiusd:7878:1650470518.551900:Wed Apr 20 11:01:58 2022: (10) --> CSURFLAB
radiusd:7878:1650470518.551916:Wed Apr 20 11:01:58 2022: (10) EXPAND %{0}
radiusd:7878:1650470518.551930:Wed Apr 20 11:01:58 2022: (10) --> CSURFLAB
radiusd:7878:1650470518.551944:Wed Apr 20 11:01:58 2022: (10) Searching for user in group "Domain Admins"
radiusd:7878:1650470518.551958:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): 0 of 0 connections in use. You may need to increase "spare"
radiusd:7878:1650470518.551979:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Opening additional connection (0), 1 of 5 pending slots used
radiusd:7878:1650470518.552000:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Connecting to ldap://csurf-dot1x-dc1.csurflab.local:3269
radiusd:7878:1650470518.552018:Wed Apr 20 11:01:58 2022: ldap_create
radiusd:7878:1650470518.552032:Wed Apr 20 11:01:58 2022: ldap_url_parse_ext(ldap://csurf-dot1x-dc1.csurflab.local:3269)
radiusd:7878:1650470518.552046:Wed Apr 20 11:01:58 2022: TLSMC: MozNSS compatibility interception begins.
radiusd:7878:1650470518.552061:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: entry options follow:
radiusd:7878:1650470518.552082:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
radiusd:7878:1650470518.552101:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:7878:1650470518.552115:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:7878:1650470518.552130:Wed Apr 20 11:01:58 2022: tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
radiusd:7878:1650470518.552146:Wed Apr 20 11:01:58 2022: tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
radiusd:7878:1650470518.685306:Wed Apr 20 11:01:58 2022: tlsmc_open_nssdb: INFO: initialized MozNSS context.
radiusd:7878:1650470518.685508:Wed Apr 20 11:01:58 2022: tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--40F28B6BEE85E0CAEA6EFDCC04C35B59E70A6ECE6BF81E65B3E0FF324E9441CD'.
radiusd:7878:1650470518.685550:Wed Apr 20 11:01:58 2022: tlsmc_convert: INFO: using the existing PEM dir.
radiusd:7878:1650470518.685568:Wed Apr 20 11:01:58 2022: tlsmc_convert: WARN: extracted cert file is not present.
radiusd:7878:1650470518.685597:Wed Apr 20 11:01:58 2022: tlsmc_convert: WARN: extracted key file is not present.
radiusd:7878:1650470518.688107:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: altered options follow:
radiusd:7878:1650470518.688313:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--40F28B6BEE85E0CAEA6EFDCC04C35B59E70A6ECE6BF81E65B3E0FF324E9441CD/cacerts'
radiusd:7878:1650470518.688345:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:7878:1650470518.688362:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:7878:1650470518.688383:Wed Apr 20 11:01:58 2022: tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
radiusd:7878:1650470518.688400:Wed Apr 20 11:01:58 2022: TLSMC: MozNSS compatibility interception ends.
radiusd:7878:1650470518.694859:Wed Apr 20 11:01:58 2022: ldap_bind
radiusd:7878:1650470518.695011:Wed Apr 20 11:01:58 2022: ldap_simple_bind
radiusd:7878:1650470518.695032:Wed Apr 20 11:01:58 2022: ldap_sasl_bind
radiusd:7878:1650470518.695066:Wed Apr 20 11:01:58 2022: ldap_send_initial_request
radiusd:7878:1650470518.695084:Wed Apr 20 11:01:58 2022: ldap_new_connection 1 1 0
radiusd:7878:1650470518.695099:Wed Apr 20 11:01:58 2022: ldap_int_open_connection
radiusd:7878:1650470518.695123:Wed Apr 20 11:01:58 2022: ldap_connect_to_host: TCP csurf-dot1x-dc1.csurflab.local:3269
radiusd:7878:1650470518.695615:Wed Apr 20 11:01:58 2022: ldap_new_socket: 24
radiusd:7878:1650470518.695713:Wed Apr 20 11:01:58 2022: ldap_prepare_socket: 24
radiusd:7878:1650470518.695738:Wed Apr 20 11:01:58 2022: ldap_connect_to_host: Trying 10.16.167.193:3269
radiusd:7878:1650470518.695758:Wed Apr 20 11:01:58 2022: ldap_pvt_connect: fd: 24 tm: 1 async: 0
radiusd:7878:1650470518.695782:Wed Apr 20 11:01:58 2022: ldap_ndelay_on: 24
radiusd:7878:1650470518.695801:Wed Apr 20 11:01:58 2022: attempting to connect:
radiusd:7878:1650470518.695817:Wed Apr 20 11:01:58 2022: connect errno: 115
radiusd:7878:1650470518.695835:Wed Apr 20 11:01:58 2022: ldap_int_poll: fd: 24 tm: 1
radiusd:7878:1650470518.696115:Wed Apr 20 11:01:58 2022: ldap_is_sock_ready: 24
radiusd:7878:1650470518.696146:Wed Apr 20 11:01:58 2022: ldap_ndelay_off: 24
radiusd:7878:1650470518.696171:Wed Apr 20 11:01:58 2022: ldap_pvt_connect: 0
radiusd:7878:1650470518.696201:Wed Apr 20 11:01:58 2022: ldap_open_defconn: successful
radiusd:7878:1650470518.696230:Wed Apr 20 11:01:58 2022: ldap_send_server_request
radiusd:7878:1650470518.696251:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Waiting for bind result...
radiusd:7878:1650470518.696290:Wed Apr 20 11:01:58 2022: ldap_result ld 0x244d5d0 msgid 1
radiusd:7878:1650470518.696310:Wed Apr 20 11:01:58 2022: wait4msg ld 0x244d5d0 msgid 1 (timeout 4000000 usec)
radiusd:7878:1650470518.696329:Wed Apr 20 11:01:58 2022: wait4msg continue ld 0x244d5d0 msgid 1 all 1
radiusd:7878:1650470518.696357:Wed Apr 20 11:01:58 2022: ** ld 0x244d5d0 Connections:
radiusd:7878:1650470518.696384:Wed Apr 20 11:01:58 2022: * host: csurf-dot1x-dc1.csurflab.local port: 3269 (default)
radiusd:7878:1650470518.696407:Wed Apr 20 11:01:58 2022: refcnt: 2 status: Connected
radiusd:7878:1650470518.696437:Wed Apr 20 11:01:58 2022: last used: Wed Apr 20 11:01:58 2022
radiusd:7878:1650470518.696463:Wed Apr 20 11:01:58 2022:
radiusd:7878:1650470518.696488:Wed Apr 20 11:01:58 2022:
radiusd:7878:1650470518.696506:Wed Apr 20 11:01:58 2022: ** ld 0x244d5d0 Outstanding Requests:
radiusd:7878:1650470518.696530:Wed Apr 20 11:01:58 2022: * msgid 1, origid 1, status InProgress
radiusd:7878:1650470518.696557:Wed Apr 20 11:01:58 2022: outstanding referrals 0, parent count 0
radiusd:7878:1650470518.696577:Wed Apr 20 11:01:58 2022: ld 0x244d5d0 request count 1 (abandoned 0)
radiusd:7878:1650470518.696596:Wed Apr 20 11:01:58 2022: ** ld 0x244d5d0 Response Queue:
radiusd:7878:1650470518.696622:Wed Apr 20 11:01:58 2022: Empty
radiusd:7878:1650470518.696647:Wed Apr 20 11:01:58 2022: ld 0x244d5d0 response count 0
radiusd:7878:1650470518.696667:Wed Apr 20 11:01:58 2022: ldap_chkResponseList ld 0x244d5d0 msgid 1 all 1
radiusd:7878:1650470518.696686:Wed Apr 20 11:01:58 2022: ldap_chkResponseList returns ld 0x244d5d0 NULL
radiusd:7878:1650470518.696721:Wed Apr 20 11:01:58 2022: ldap_int_select
radiusd:7878:1650470518.696941:Wed Apr 20 11:01:58 2022: read1msg: ld 0x244d5d0 msgid 1 all 1
radiusd:7878:1650470518.697002:Wed Apr 20 11:01:58 2022: ldap_err2string
radiusd:7878:1650470518.697026:Wed Apr 20 11:01:58 2022: rlm_ldap (ldap__CSURFLAB): Bind with Administrator(a)csurflab.local<mailto:Administrator@csurflab.local> to ldap://csurf-dot1x-dc1.csurflab.local:3269 failed: Can't contact LDAP server
========================================================================
For reference, this is logs from a different server running FreeRadius 2.2.9, connecting to the same LDAP server with same user, which works:
radiusd:232612:1650387580.465127:Tue Apr 19 11:59:40 2022: expand: (|(userPrincipalName=%{%{User-Name}:-%{Stripped-User-Name}:-%{mschap:User-Name}:-None}@csurflab.local)(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}:-%{User-Name}:-None})) -> (|(userPrincipalName=anonymous(a)csurflab.local)(sAMAccountName=testuser1)<mailto:userPrincipalName=anonymous@csurflab.local)(sAMAccountName=testuser1)>)
radiusd:232612:1650387580.465156:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] ldap_get_conn: Checking Id: 0
radiusd:232612:1650387580.465195:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] ldap_get_conn: Got Id: 0
radiusd:232612:1650387580.465225:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] attempting LDAP reconnection
radiusd:232612:1650387580.465267:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] (re)connect to csurf-dot1x-dc1.csurflab.local:3269, authentication 0
radiusd:232612:1650387580.465288:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] setting TLS mode to 1
radiusd:232612:1650387580.465305:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] setting TLS CACert File to /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/certs/ad_ca.pem
radiusd:232612:1650387580.465322:Tue Apr 19 11:59:40 2022: [ldap.CSURFLAB] bind as user/password to csurf-dot1x-dc1.csurflab.local:3269
radiusd:232612:1650387580.465373:Tue Apr 19 11:59:40 2022: ldap_bind
radiusd:232612:1650387580.465391:Tue Apr 19 11:59:40 2022: ldap_simple_bind
radiusd:232612:1650387580.465410:Tue Apr 19 11:59:40 2022: ldap_sasl_bind
radiusd:232612:1650387580.465427:Tue Apr 19 11:59:40 2022: ldap_send_initial_request
radiusd:232612:1650387580.465441:Tue Apr 19 11:59:40 2022: ldap_new_connection 1 1 0
radiusd:232612:1650387580.465461:Tue Apr 19 11:59:40 2022: ldap_int_open_connection
radiusd:232612:1650387580.465488:Tue Apr 19 11:59:40 2022: ldap_connect_to_host: TCP csurf-dot1x-dc1.csurflab.local:3269
radiusd:232612:1650387580.465518:Tue Apr 19 11:59:40 2022: ldap_new_socket: 36
radiusd:232612:1650387580.465544:Tue Apr 19 11:59:40 2022: ldap_prepare_socket: 36
radiusd:232612:1650387580.465560:Tue Apr 19 11:59:40 2022: ldap_connect_to_host: Trying 10.16.167.193:3269
radiusd:232612:1650387580.465577:Tue Apr 19 11:59:40 2022: ldap_pvt_connect: fd: 36 tm: 1 async: 0
radiusd:232612:1650387580.465592:Tue Apr 19 11:59:40 2022: ldap_ndelay_on: 36
radiusd:232612:1650387580.465609:Tue Apr 19 11:59:40 2022: attempting to connect:
radiusd:232612:1650387580.465626:Tue Apr 19 11:59:40 2022: connect errno: 115
radiusd:232612:1650387580.465644:Tue Apr 19 11:59:40 2022: ldap_int_poll: fd: 36 tm: 1
radiusd:232612:1650387580.465664:Tue Apr 19 11:59:40 2022: ldap_is_sock_ready: 36
radiusd:232612:1650387580.465681:Tue Apr 19 11:59:40 2022: ldap_ndelay_off: 36
radiusd:232612:1650387580.465698:Tue Apr 19 11:59:40 2022: ldap_pvt_connect: 0
radiusd:232612:1650387580.465717:Tue Apr 19 11:59:40 2022: TLSMC: MozNSS compatibility interception begins.
radiusd:232612:1650387580.465735:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: entry options follow:
radiusd:232612:1650387580.465750:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
radiusd:232612:1650387580.465773:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:232612:1650387580.465805:Tue Apr 19 11:59:40 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:232612:1650387580.465829:Tue Apr 19 11:59:40 2022: tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
radiusd:232612:1650387580.465849:Tue Apr 19 11:59:40 2022: tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
radiusd:232612:1650387580.603137:Tue Apr 19 11:59:40 2022: tlsmc_open_nssdb: INFO: initialized MozNSS context.
radiusd:232612:1650387580.603321:Tue Apr 19 11:59:40 2022: tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49'.
radiusd:232612:1650387580.603365:Tue Apr 19 11:59:40 2022: tlsmc_convert: INFO: using the existing PEM dir.
radiusd:232612:1650387580.603391:Tue Apr 19 11:59:40 2022: tlsmc_convert: ERROR: the PEM dir found does not contain README file. Will remove the PEM dir and try to recreate it.
radiusd:232612:1650387580.603414:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49'.
radiusd:232612:1650387580.603434:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: stepping into directory `cacerts'.
radiusd:232612:1650387580.603453:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts'.
radiusd:232612:1650387580.603488:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing file `b66938e9.0'.
radiusd:232612:1650387580.603521:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing file `7719f463.0'.
...
radiusd:232612:1650387580.605095:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing file `6b99d060.0'.
radiusd:232612:1650387580.605119:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: stepping out of the directory.
radiusd:232612:1650387580.605142:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing the directory itself.
radiusd:232612:1650387580.605167:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: stepping out of the directory.
radiusd:232612:1650387580.605194:Tue Apr 19 11:59:40 2022: tlsmc_remove_dir_recursively: INFO: removing the directory itself.
radiusd:232612:1650387580.605212:Tue Apr 19 11:59:40 2022: tlsmc_convert: WARN: will try to create PEM dir.
radiusd:232612:1650387580.605231:Tue Apr 19 11:59:40 2022: tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49'.
radiusd:232612:1650387580.605246:Tue Apr 19 11:59:40 2022: tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
radiusd:232612:1650387580.605260:Tue Apr 19 11:59:40 2022: tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
radiusd:232612:1650387580.619623:Tue Apr 19 11:59:40 2022: tlsmc_extract_cacerts: INFO: found cert nick=`Default Trust:ACCVRAIZ1', a trusted CA.
radiusd:232612:1650387580.619839:Tue Apr 19 11:59:40 2022: tlsmc_extract_cacerts: INFO: extracting cert nick=`Default Trust:ACCVRAIZ1' to file `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/cert0.pem'.
radiusd:232612:1650387580.624743:Tue Apr 19 11:59:40 2022: tlsmc_cert_create_hash_symlink: INFO: the cert is now symlinked to /tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/a94d09e5.0.
...
radiusd:232612:1650387581.093069:Tue Apr 19 11:59:41 2022: tlsmc_extract_cacerts: INFO: extracting cert nick=`Default Trust:thawte Primary Root CA - G3' to file `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/cert154.pem'.
radiusd:232612:1650387581.095637:Tue Apr 19 11:59:41 2022: tlsmc_cert_create_hash_symlink: INFO: the cert is now symlinked to /tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts/ba89ed3b.0.
radiusd:232612:1650387581.097274:Tue Apr 19 11:59:41 2022: tlsmc_extract_cert_key_pair: WARN: supplied nickname is empty (NULL).
radiusd:232612:1650387581.099975:Tue Apr 19 11:59:41 2022: tlsmc_convert: WARN: extracted cert file is not present.
radiusd:232612:1650387581.100044:Tue Apr 19 11:59:41 2022: tlsmc_convert: WARN: extracted key file is not present.
radiusd:232612:1650387581.103887:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: altered options follow:
radiusd:232612:1650387581.103990:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--B16AB0F6CE916B7E718C9ECC964B8F39FCA3D51A506498B0DBB4BAAFDC17EC49/cacerts'
radiusd:232612:1650387581.104027:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: certfile = `(null)'
radiusd:232612:1650387581.104053:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: keyfile = `(null)'
radiusd:232612:1650387581.104082:Tue Apr 19 11:59:41 2022: tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
radiusd:232612:1650387581.104108:Tue Apr 19 11:59:41 2022: TLSMC: MozNSS compatibility interception ends.
radiusd:232612:1650387581.109580:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:before/connect initialization
radiusd:232612:1650387581.109714:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv2/v3 write client hello A
radiusd:232612:1650387581.109734:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
radiusd:232612:1650387581.109760:Tue Apr 19 11:59:41 2022: ldap_int_tls_start: ldap_int_tls_connect needs read
radiusd:232612:1650387581.109788:Tue Apr 19 11:59:41 2022: ldap_int_poll: fd: 36 tm: 1
radiusd:232612:1650387581.130236:Tue Apr 19 11:59:41 2022: ldap_is_sock_ready: 36
radiusd:232612:1650387581.130424:Tue Apr 19 11:59:41 2022: ldap_ndelay_off: 36
radiusd:232612:1650387581.130453:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server hello A
radiusd:232612:1650387581.130568:Tue Apr 19 11:59:41 2022: TLS certificate verification: depth: 0, err: 20, subject: /CN=CSURF-DOT1X-DC1.csurflab.local, issuer: /DC=local/DC=csurflab/CN=CSURF-DOT1X-DC1-CA
radiusd:232612:1650387581.130626:Tue Apr 19 11:59:41 2022: TLS certificate verification: Error, unable to get local issuer certificate
radiusd:232612:1650387581.130654:Tue Apr 19 11:59:41 2022: TLS certificate verification: depth: 0, err: 21, subject: /CN=CSURF-DOT1X-DC1.csurflab.local, issuer: /DC=local/DC=csurflab/CN=CSURF-DOT1X-DC1-CA
radiusd:232612:1650387581.130693:Tue Apr 19 11:59:41 2022: TLS certificate verification: Error, unable to verify the first certificate
radiusd:232612:1650387581.130715:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server certificate A
radiusd:232612:1650387581.130742:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server key exchange A
radiusd:232612:1650387581.130771:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server certificate request A
radiusd:232612:1650387581.130791:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read server done A
radiusd:232612:1650387581.130809:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write client certificate A
radiusd:232612:1650387581.135259:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write client key exchange A
radiusd:232612:1650387581.135447:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write change cipher spec A
radiusd:232612:1650387581.135472:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 write finished A
radiusd:232612:1650387581.135505:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 flush data
radiusd:232612:1650387581.135537:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:error in SSLv3 read finished A
radiusd:232612:1650387581.135559:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:error in SSLv3 read finished A
radiusd:232612:1650387581.135577:Tue Apr 19 11:59:41 2022: ldap_int_tls_start: ld 0x230d190 0 s 328594 us to go
radiusd:232612:1650387581.135600:Tue Apr 19 11:59:41 2022: ldap_int_tls_start: ldap_int_tls_connect needs read
radiusd:232612:1650387581.135626:Tue Apr 19 11:59:41 2022: ldap_int_poll: fd: 36 tm: 0
radiusd:232612:1650387581.137318:Tue Apr 19 11:59:41 2022: ldap_is_sock_ready: 36
radiusd:232612:1650387581.137465:Tue Apr 19 11:59:41 2022: ldap_ndelay_off: 36
radiusd:232612:1650387581.137517:Tue Apr 19 11:59:41 2022: TLS trace: SSL_connect:SSLv3 read finished A
radiusd:232612:1650387581.137575:Tue Apr 19 11:59:41 2022: TLS: unable to get peer certificate.
radiusd:232612:1650387581.137600:Tue Apr 19 11:59:41 2022: ldap_open_defconn: successful
radiusd:232612:1650387581.137618:Tue Apr 19 11:59:41 2022: ldap_send_server_request
radiusd:232612:1650387581.137637:Tue Apr 19 11:59:41 2022: [ldap.CSURFLAB] waiting for bind result ...
radiusd:232612:1650387581.137673:Tue Apr 19 11:59:41 2022: ldap_result ld 0x230d190 msgid 1
radiusd:232612:1650387581.137691:Tue Apr 19 11:59:41 2022: wait4msg ld 0x230d190 msgid 1 (timeout 4000000 usec)
radiusd:232612:1650387581.137709:Tue Apr 19 11:59:41 2022: wait4msg continue ld 0x230d190 msgid 1 all 1
radiusd:232612:1650387581.137731:Tue Apr 19 11:59:41 2022: ** ld 0x230d190 Connections:
radiusd:232612:1650387581.137752:Tue Apr 19 11:59:41 2022: * host: csurf-dot1x-dc1.csurflab.local port: 3269 (default)
radiusd:232612:1650387581.137770:Tue Apr 19 11:59:41 2022: refcnt: 2 status: Connected
radiusd:232612:1650387581.137797:Tue Apr 19 11:59:41 2022: last used: Tue Apr 19 11:59:41 2022
radiusd:232612:1650387581.137815:Tue Apr 19 11:59:41 2022:
radiusd:232612:1650387581.137842:Tue Apr 19 11:59:41 2022:
radiusd:232612:1650387581.137861:Tue Apr 19 11:59:41 2022: ** ld 0x230d190 Outstanding Requests:
radiusd:232612:1650387581.137879:Tue Apr 19 11:59:41 2022: * msgid 1, origid 1, status InProgress
radiusd:232612:1650387581.137893:Tue Apr 19 11:59:41 2022: outstanding referrals 0, parent count 0
radiusd:232612:1650387581.137911:Tue Apr 19 11:59:41 2022: ld 0x230d190 request count 1 (abandoned 0)
radiusd:232612:1650387581.137928:Tue Apr 19 11:59:41 2022: ** ld 0x230d190 Response Queue:
radiusd:232612:1650387581.137943:Tue Apr 19 11:59:41 2022: Empty
radiusd:232612:1650387581.137960:Tue Apr 19 11:59:41 2022: ld 0x230d190 response count 0
radiusd:232612:1650387581.137976:Tue Apr 19 11:59:41 2022: ldap_chkResponseList ld 0x230d190 msgid 1 all 1
radiusd:232612:1650387581.137990:Tue Apr 19 11:59:41 2022: ldap_chkResponseList returns ld 0x230d190 NULL
radiusd:232612:1650387581.138007:Tue Apr 19 11:59:41 2022: ldap_int_select
radiusd:232612:1650387581.139158:Tue Apr 19 11:59:41 2022: read1msg: ld 0x230d190 msgid 1 all 1
radiusd:232612:1650387581.139254:Tue Apr 19 11:59:41 2022: read1msg: ld 0x230d190 msgid 1 message type bind
radiusd:232612:1650387581.139284:Tue Apr 19 11:59:41 2022: read1msg: ld 0x230d190 0 new referrals
radiusd:232612:1650387581.139314:Tue Apr 19 11:59:41 2022: read1msg: mark request completed, ld 0x230d190 msgid 1
radiusd:232612:1650387581.139337:Tue Apr 19 11:59:41 2022: request done: ld 0x230d190 msgid 1
radiusd:232612:1650387581.139357:Tue Apr 19 11:59:41 2022: res_errno: 0, res_error: <>, res_matched: <>
radiusd:232612:1650387581.139378:Tue Apr 19 11:59:41 2022: ldap_free_request (origid 1, msgid 1)
radiusd:232612:1650387581.139404:Tue Apr 19 11:59:41 2022: ldap_parse_result
radiusd:232612:1650387581.139428:Tue Apr 19 11:59:41 2022: ldap_msgfree
radiusd:232612:1650387581.139444:Tue Apr 19 11:59:41 2022: [ldap.CSURFLAB] Bind was successful
radiusd:232612:1650387581.139464:Tue Apr 19 11:59:41 2022: [ldap.CSURFLAB] performing search in dc=CSURFLAB,dc=LOCAL, with filter (|(userPrincipalName=anonymous(a)csurflab.local)(sAMAccountName=testuser1)<mailto:userPrincipalName=anonymous@csurflab.local)(sAMAccountName=testuser1)>)
radiusd:232612:1650387581.139521:Tue Apr 19 11:59:41 2022: ldap_search
These are the configurations from FR3 (not working):
[root@csurf-dot1x-ca2 dot1x]# cat /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/ldap/ldap_enc__CSURFLAB
ldap ldap__CSURFLAB {
server = "csurf-dot1x-dc1.csurflab.local"
port = 3269
identity = Administrator(a)csurflab.local<mailto:Administrator@csurflab.local>
password = a51a7127ea9bd74b0c46e0dfb41237235a7b8d385483975e9aee4427d16b09581fa
base_dn = "dc=CSURFLAB,dc=LOCAL"
#enable_krb5_with_ccache = "/usr/local/forescout/plugin/dot1x/fs_radius/var/run/radiusd/krb5_ccache.CSURFLAB.LOCAL"
#krb5_ccache_init_cmd = "/usr/bin/fstool dot1x_kinit -d CSURFLAB"
sasl {
#mech = 'GSSAPI'
}
user {
base_dn = "${..base_dn}"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}:-%{User-Name}})"
}
group {
base_dn = "${..base_dn}"
membership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
membership_attribute = memberOf
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
ldap_debug = 0x8887
chase_referrals = no
rebind = no
res_timeout = 4
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
tls_mode = yes
ca_file = /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/certs/ad_ca.pem
ca_path = /etc/openldap/certs
require_cert = "allow"
}
# Forescout: Uncomment for global catalog port over TLS
tls_mode = yes
pool {
start = 0
min = 0
max = 5
spare = 5
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
And working configuration from FR2:
[root@csurf-d1x-ca1-b ~]# cat /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/ldap/ldap_enc.CSURFLAB
# -*- text -*-
#
# $Id: 5538b945a8298024bdd5b31f8fdce912dbbc39b9 $
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See raddb/sites-available/default for reference to the
# ldap module in the authorize and authenticate sections.
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap ldap.CSURFLAB {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "csurf-dot1x-dc1.csurflab.local"
identity = Administrator(a)csurflab.local<mailto:Administrator@csurflab.local>
password = a02bc81b407a7bc21b11f4acc38635114a2896ab9e2d8d960b9b3560e612497b3ea
basedn = "dc=CSURFLAB,dc=LOCAL"
filter = "(|(userPrincipalName=%{%{User-Name}:-%{Stripped-User-Name}:-%{mschap:User-Name}:-None}@csurflab.local)(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}:-%{User-Name}:-None}))"
#base_filter = "(objectclass=radiusprofile)"
# Enable krb5 authentication using given credential cache
#enable_krb5_with_ccache = "/var/run/radiusd/krb5_ccache"
#
# A script to init krb5 credentials if needed, it will be
# invoked with conf arguments: ccache principal password
#krb5_ccache_init_cmd = "/usr/my_kinit_script"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# How many times the connection can be used before
# being re-established. This is useful for things
# like load balancers, which may exhibit sticky
# behaviour without it. (0) is unlimited.
max_uses = 0
# Port to connect on, defaults to 389. Setting this to
# 636 will enable LDAPS if start_tls = no
# able to be used.
port = 3269
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = no
cacertfile = /usr/local/forescout/plugin/dot1x/fs_radius/etc/raddb/certs/ad_ca.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
require_cert = "allow"
}
# Forescout: Uncomment for global catalog port over TLS
tls_mode = yes
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.S…
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
chase_referrals =
rebind =
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
ldap_debug = 0x8887
#
# Keepalive configuration. This MAY NOT be supported by your
# LDAP library. If these configuration entries appear in the
# output of "radiusd -X", then they are supported. Otherwise,
# they are unsupported, and changing them will do nothing.
#
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
}
}
Thanks,
Xin L. Huang, FSCA
Software Engineer
ForeScout Technologies, Inc.
xin.huang(a)forescout.com<mailto:xin.huang@forescout.com>
m: 617.549.9754
WARNING - CONFIDENTIAL INFORMATION:
________________________________
This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Forescout email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails ("spam"). If you have any concerns about this process, please contact us privacy(a)forescout.com.
2
1