Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2022
- 33 participants
- 37 discussions
All,
I've got authentication working nicely with MSCHAP, but now I'd like to
only allow users that are members of a certain AD group.
I would prefer to have this happen only when requests come from a
specific client (wireless access point). In this case the idea is to
have users only be able to get wireless access when they're in a
specific AD group.
How can I do this in freeradius?
Thanks,
Brian
7
18
Hi everyone!
I am facing a problem when freeradius reports that the limit of open
sessions has been reached. These are log entries, like "Too many open
sessions. Try increasing "max_sessions" in the EAP module configuration".
During the debugging, it was determined that some ios devices
(ipad/iphone), for a reason unknown to me, cyclically cannot complete
eap/tls authentication process. I found that these devices successfully
start communicating with the NAS (send EAP-Response/Identity). But after
receiving the (TLS Start)-message, they no longer send the (TLS
client_hello)-message, and restart the association process with the access
point and therefore open a new EAP session. If recreate a wifi connection
on such a device, it will connect successfully.
Until I find the root cause of this behavior, I would like to monitor the
number of open sessions of the radius server. But I couldn't find a
suitable way to do it. Here is what I tried:
- use the "status server" tool, but there is no suitable one among its
counters
- use tool "control-socket" and radmin but also i didn't find suitable
counter
Can you help me with this question?
Thanks!
2
4
Hello,
For some times now, Android 11 requires cert validation in WiFi
connections (see [1]).
At the same time, Android 11 also makes it much harder for end users
to import self-signed root CA (see [2]).
As I provide WiFi connectivity in BYOD environments and can't help end
users when they import certs, I choosed to test PEAP/MSCHAPv2 with
LetsEncrypt certs though I know this would be less secure than with
self-signed root CA.
I'm planning to generate and renew LetsEncrypt cert on a remote
Internet-connected host, and then copy both privkey.pem and
fullchain.pem files to Freeradius instance, as suggested by [3].
In my lab setup, I'm using a Samsung Galaxy Tab A7 Lite to test.
Though being Android 11-powered, this device also allows
Do-Not-Validate pre-Android 11 option !
When I connect to WiFi with this device, I'm using the following settings:
Identity: bar
Password: whateverneeded
CA Certificate: use system certificate
Online cert status: do not validate
Domain: the exact CN value
My lab setup includes:
- a Freeradius 3.0.21 on Debian Bullseye
- a Unifi WiFi Network 6.5.55 with WiFi AP
- a Samsung Galaxy Tab A7 Lite
- valid LetsEncrypt certs
My certs files are copied into Freeradius host as:
# ls -l /etc/freeradius/3.0/certs/letsencrypt/
total 12
-rw-r----- 1 freerad freerad 5604 27 juin 19:04 fullchain.pem
-rw------- 1 freerad freerad 1704 27 juin 19:04 privkey.pem
# openssl x509 -dates -noout -in
/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem
notBefore=May 28 17:32:21 2022 GMT
notAfter=Aug 26 17:32:20 2022 GMT
[1] https://internet-access-guide.com/android-wifi-ca-certificate-do-not-valida…
[2] https://httptoolkit.tech/blog/android-11-trust-ca-certificates/
[3] https://framebyframewifi.net/2017/01/29/use-lets-encrypt-certificates-with-…
When I connect to WiFi, this is part of freeradius -X output:
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
...
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/letsencrypt/privkey.pem"
certificate_file = "/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 56401
Listening on proxy address :: port 45775
Ready to process requests
(26) eap: Peer sent EAP Response (code 2) ID 1 length 141
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0xc733062dc6321fce
(26) eap: Finished EAP session with state 0xc733062dc6321fce
(26) eap: Previous EAP request found for state 0xc733062dc6321fce,
released from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(26) eap_peap: Got complete TLS record (131 bytes)
(26) eap_peap: [eaptls verify] = length included
(26) eap_peap: (other): before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello
(26) eap_peap: >>> send TLS 1.2 [length 003d]
(26) eap_peap: TLS_accept: SSLv3/TLS write server hello
(26) eap_peap: >>> send TLS 1.2 [length 0fbe]
(26) eap_peap: TLS_accept: SSLv3/TLS write certificate
(26) eap_peap: >>> send TLS 1.2 [length 014d]
(26) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(26) eap_peap: >>> send TLS 1.2 [length 0004]
(26) eap_peap: TLS_accept: SSLv3/TLS write server done
(26) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(26) eap_peap: TLS - In Handshake Phase
(26) eap_peap: TLS - got 4448 bytes of data
(26) eap_peap: [eaptls process] = handled
(26) eap: Sending EAP Request (code 1) ID 2 length 1004
(26) eap: EAP session adding &reply:State = 0xc733062dc5311fce
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) Challenge { ... } # empty sub-section is ignored
(26) Sent Access-Challenge Id 43 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(26) EAP-Message =
0x010203ec19c000001160160303003d020000390303af5657898d92eefe5085a4ad3604bed4f0f0b48e39cd7ada954fbee1b104098800c02f000011ff01000100000b000403000102001700001603030fbe0b000fba000fb70005303082052c30820414a003020102021203734b50cf2bcbeb7c22ada836c00a3f624f300d06092a864886f70d01010b05003032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b3009060355040313025233301e170d3232303532383137333232315a170d3232303832363137333232305a301e311c301a06035504031313686f7374332e706572656e69702e636c6f756430820122300d06092a864886f70d01010105000382010f003082010a0282010100e653da7ed722cc166a21b4055852edc8973b7daa624eb8897805f735be194e49d231f0d04e2d091679c8a1f9075bf6051d24661042467c293e77827ed8de02eacf8132699f9aac89cb9471f1857c292dca4cc9d69608d7
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0xc733062dc5311fceda200d98107c2728
(26) Finished request
Waking up in 4.9 seconds.
(27) Received Access-Request Id 44 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(27) User-Name = "bar"
(27) NAS-IP-Address = 192.168.1.50
(27) NAS-Identifier = "f09fc2f50d43"
(27) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(27) NAS-Port-Type = Wireless-802.11
(27) Service-Type = Framed-User
(27) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(27) Connect-Info = "CONNECT 0Mbps 802.11b"
(27) Acct-Session-Id = "2087B41CCAAC0F74"
(27) Acct-Multi-Session-Id = "C546EF77BB09F037"
(27) WLAN-Pairwise-Cipher = 1027076
(27) WLAN-Group-Cipher = 1027076
(27) WLAN-AKM-Suite = 1027073
(27) Framed-MTU = 1400
(27) EAP-Message = 0x020200061900
(27) State = 0xc733062dc5311fceda200d98107c2728
(27) Message-Authenticator = 0x39f4e95b5909f1152843a2e02fbaffde
(27) session-state: No cached attributes
(27) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (&User-Name) {
(27) if (&User-Name) -> TRUE
(27) if (&User-Name) {
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@[^@]*@/ ) {
(27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /(a)\./) {
(27) if (&User-Name =~ /(a)\./) -> FALSE
(27) } # if (&User-Name) = notfound
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [chap] = noop
(27) [mschap] = noop
(27) [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "bar", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) eap: Peer sent EAP Response (code 2) ID 2 length 6
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0xc733062dc5311fce
(27) eap: Finished EAP session with state 0xc733062dc5311fce
(27) eap: Previous EAP request found for state 0xc733062dc5311fce,
released from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: Peer ACKed our handshake fragment
(27) eap_peap: [eaptls verify] = request
(27) eap_peap: [eaptls process] = handled
(27) eap: Sending EAP Request (code 1) ID 3 length 1000
(27) eap: EAP session adding &reply:State = 0xc733062dc4301fce
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) Challenge { ... } # empty sub-section is ignored
(27) Sent Access-Challenge Id 44 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(27) EAP-Message =
0x010303e81940cca15e2a9dd6bfa61b4d866fdcc7284c9a6a860076002979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784000001810bf0d4030000040300473045022037d7b0385f16f2b16e8903082d51bb15604c0262cd7473239d165e5ca5a858740221009c92c932de42f9d7883a89cd8ddc171d91a0f5b0d2e77b6886d1ea473f7fbe17300d06092a864886f70d01010b05000382010100731334fe1bbdc145631a0ddd0e7174e87df1da2cf6b032521bba82995c0460886e5b751c5f0b417ad32fa987caac9f61be48ec68673e33bc5a1deebe1004c5546cb3ef098495ab393bd60c614e132ad13e5fe0ca56106aeb92cf1f4e6de2f8f736bc1e94b7659439b711b931ba2174abb85ef05347b7d82f18411fe147f74939fbe311977c50c90b7c7720e890b59300fef66c0c7b84cd536cbde1aee6231f21550751613cba3ad52f48c82b2cc0de8e38764ba3c988a8cd37994500c1233288e294319b95c4600a48b3094eadf3ac1d68bf
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0xc733062dc4301fceda200d98107c2728
(27) Finished request
Waking up in 4.9 seconds.
(28) Received Access-Request Id 45 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(28) User-Name = "bar"
(28) NAS-IP-Address = 192.168.1.50
(28) NAS-Identifier = "f09fc2f50d43"
(28) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(28) NAS-Port-Type = Wireless-802.11
(28) Service-Type = Framed-User
(28) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) Acct-Session-Id = "2087B41CCAAC0F74"
(28) Acct-Multi-Session-Id = "C546EF77BB09F037"
(28) WLAN-Pairwise-Cipher = 1027076
(28) WLAN-Group-Cipher = 1027076
(28) WLAN-AKM-Suite = 1027073
(28) Framed-MTU = 1400
(28) EAP-Message = 0x020300061900
(28) State = 0xc733062dc4301fceda200d98107c2728
(28) Message-Authenticator = 0x441e1d2d2df0e955fe4065c44cb93a6b
(28) session-state: No cached attributes
(28) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(28) authorize {
(28) policy filter_username {
(28) if (&User-Name) {
(28) if (&User-Name) -> TRUE
(28) if (&User-Name) {
(28) if (&User-Name =~ / /) {
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ ) {
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ ) {
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(28) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/) {
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /(a)\./) {
(28) if (&User-Name =~ /(a)\./) -> FALSE
(28) } # if (&User-Name) = notfound
(28) } # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "bar", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 3 length 6
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) authenticate {
(28) eap: Expiring EAP session with state 0xc733062dc4301fce
(28) eap: Finished EAP session with state 0xc733062dc4301fce
(28) eap: Previous EAP request found for state 0xc733062dc4301fce,
released from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: Peer ACKed our handshake fragment
(28) eap_peap: [eaptls verify] = request
(28) eap_peap: [eaptls process] = handled
(28) eap: Sending EAP Request (code 1) ID 4 length 1000
(28) eap: EAP session adding &reply:State = 0xc733062dc3371fce
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) Challenge { ... } # empty sub-section is ignored
(28) Sent Access-Challenge Id 45 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(28) EAP-Message =
0x010403e8194001ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0xc733062dc3371fceda200d98107c2728
(28) Finished request
Waking up in 4.9 seconds.
(29) Received Access-Request Id 46 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(29) User-Name = "bar"
(29) NAS-IP-Address = 192.168.1.50
(29) NAS-Identifier = "f09fc2f50d43"
(29) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(29) NAS-Port-Type = Wireless-802.11
(29) Service-Type = Framed-User
(29) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(29) Connect-Info = "CONNECT 0Mbps 802.11b"
(29) Acct-Session-Id = "2087B41CCAAC0F74"
(29) Acct-Multi-Session-Id = "C546EF77BB09F037"
(29) WLAN-Pairwise-Cipher = 1027076
(29) WLAN-Group-Cipher = 1027076
(29) WLAN-AKM-Suite = 1027073
(29) Framed-MTU = 1400
(29) EAP-Message = 0x020400061900
(29) State = 0xc733062dc3371fceda200d98107c2728
(29) Message-Authenticator = 0x662064b545b5aa385ea1ebd63c5d881b
(29) session-state: No cached attributes
(29) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /(a)\./) {
(29) if (&User-Name =~ /(a)\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [chap] = noop
(29) [mschap] = noop
(29) [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "bar", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 4 length 6
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0xc733062dc3371fce
(29) eap: Finished EAP session with state 0xc733062dc3371fce
(29) eap: Previous EAP request found for state 0xc733062dc3371fce,
released from the list
(29) eap: Peer sent packet with method EAP PEAP (25)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Continuing EAP-TLS
(29) eap_peap: Peer ACKed our handshake fragment
(29) eap_peap: [eaptls verify] = request
(29) eap_peap: [eaptls process] = handled
(29) eap: Sending EAP Request (code 1) ID 5 length 1000
(29) eap: EAP session adding &reply:State = 0xc733062dc2361fce
(29) [eap] = handled
(29) } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) Challenge { ... } # empty sub-section is ignored
(29) Sent Access-Challenge Id 46 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(29) EAP-Message =
0x010503e81940f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd0
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0xc733062dc2361fceda200d98107c2728
(29) Finished request
Waking up in 4.8 seconds.
(30) Received Access-Request Id 47 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(30) User-Name = "bar"
(30) NAS-IP-Address = 192.168.1.50
(30) NAS-Identifier = "f09fc2f50d43"
(30) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(30) NAS-Port-Type = Wireless-802.11
(30) Service-Type = Framed-User
(30) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(30) Connect-Info = "CONNECT 0Mbps 802.11b"
(30) Acct-Session-Id = "2087B41CCAAC0F74"
(30) Acct-Multi-Session-Id = "C546EF77BB09F037"
(30) WLAN-Pairwise-Cipher = 1027076
(30) WLAN-Group-Cipher = 1027076
(30) WLAN-AKM-Suite = 1027073
(30) Framed-MTU = 1400
(30) EAP-Message = 0x020500061900
(30) State = 0xc733062dc2361fceda200d98107c2728
(30) Message-Authenticator = 0xdb1a11eda65bfd28f2bae8a4467c4bea
(30) session-state: No cached attributes
(30) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /(a)\./) {
(30) if (&User-Name =~ /(a)\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) [chap] = noop
(30) [mschap] = noop
(30) [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "bar", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 5 length 6
(30) eap: Continuing tunnel setup
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) authenticate {
(30) eap: Expiring EAP session with state 0xc733062dc2361fce
(30) eap: Finished EAP session with state 0xc733062dc2361fce
(30) eap: Previous EAP request found for state 0xc733062dc2361fce,
released from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: Peer ACKed our handshake fragment
(30) eap_peap: [eaptls verify] = request
(30) eap_peap: [eaptls process] = handled
(30) eap: Sending EAP Request (code 1) ID 6 length 478
(30) eap: EAP session adding &reply:State = 0xc733062dc1351fce
(30) [eap] = handled
(30) } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) Challenge { ... } # empty sub-section is ignored
(30) Sent Access-Challenge Id 47 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(30) EAP-Message =
0x010601de1900676dc257c5463941cf8a5883586d99fe57e8360ef00e23aafd8897d0e35c0e9449b5b51735d22ebf4e85ef18e08592eb063b6c29230960dc45024c12183be9fb0ededc44f85898aeeabd4545a1885d66cafe10e96f82c811420dfbe9ece38600de9d10e338faa47db1d8e8498284069b2be86b4f010c38772ef9dde739160303014d0c0001490300174104182d51bb94eedf8e4d45ba672b11c1683550862e7b3cbcc4c060eeb4bb6a788ba97e3226321cf8ba7055f70228fd8fbd726b203aaecea3297f2f15e87c0e13190804010065efa44cf7b89671f95ce0791208321c652e630ca175e1c4c11946ffa99a7ecddf6f6e5bc8b7689bca97ea17a48c085474e867dc62b2102a477c4a022336e02e2e4e38d5542a7c69276d22fd961b4022e88c54c7fe6fad2d1176b734f007a2af32ae3fd62b53a6fcd2da0b78040ee68241e4435189e87093b227e4f4f9ebb3c1b3da591bd3c129f70dcd71fca22d92ceaa6318dfcf6397a92d127e2a999be84a9be8
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0xc733062dc1351fceda200d98107c2728
(30) Finished request
Waking up in 4.8 seconds.
(31) Received Access-Request Id 48 from 192.168.1.50:58452 to
192.168.1.244:1812 length 242
(31) User-Name = "bar"
(31) NAS-IP-Address = 192.168.1.50
(31) NAS-Identifier = "f09fc2f50d43"
(31) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(31) NAS-Port-Type = Wireless-802.11
(31) Service-Type = Framed-User
(31) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(31) Connect-Info = "CONNECT 0Mbps 802.11b"
(31) Acct-Session-Id = "2087B41CCAAC0F74"
(31) Acct-Multi-Session-Id = "C546EF77BB09F037"
(31) WLAN-Pairwise-Cipher = 1027076
(31) WLAN-Group-Cipher = 1027076
(31) WLAN-AKM-Suite = 1027073
(31) Framed-MTU = 1400
(31) EAP-Message = 0x020600111980000000071503030002022d
(31) State = 0xc733062dc1351fceda200d98107c2728
(31) Message-Authenticator = 0x96fa48935246587652cd6219e8243639
(31) session-state: No cached attributes
(31) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /(a)\./) {
(31) if (&User-Name =~ /(a)\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [preprocess] = ok
(31) [chap] = noop
(31) [mschap] = noop
(31) [digest] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "bar", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 6 length 17
(31) eap: Continuing tunnel setup
(31) [eap] = ok
(31) } # authorize = ok
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) authenticate {
(31) eap: Expiring EAP session with state 0xc733062dc1351fce
(31) eap: Finished EAP session with state 0xc733062dc1351fce
(31) eap: Previous EAP request found for state 0xc733062dc1351fce,
released from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(31) eap_peap: Got complete TLS record (7 bytes)
(31) eap_peap: [eaptls verify] = length included
(31) eap_peap: <<< recv TLS 1.2 [length 0002]
(31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(31) eap_peap: TLS_accept: Need to read more data: error
(31) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate
expired
(31) eap_peap: TLS - In Handshake Phase
(31) eap_peap: TLS - Application data.
(31) eap_peap: ERROR: TLS failed during operation
(31) eap_peap: ERROR: [eaptls process] = fail
(31) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(31) eap: Sending EAP Failure (code 4) ID 6 length 4
(31) eap: Failed in EAP select
(31) [eap] = invalid
(31) } # authenticate = invalid
(31) Failed to authenticate the user
(31) Using Post-Auth-Type Reject
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) Post-Auth-Type REJECT {
(31) attr_filter.access_reject: EXPAND %{User-Name}
(31) attr_filter.access_reject: --> bar
(31) attr_filter.access_reject: Matched entry DEFAULT at line 11
(31) [attr_filter.access_reject] = updated
(31) [eap] = noop
(31) policy remove_reply_message_if_eap {
(31) if (&reply:EAP-Message && &reply:Reply-Message) {
(31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(31) else {
(31) [noop] = noop
(31) } # else = noop
(31) } # policy remove_reply_message_if_eap = noop
(31) } # Post-Auth-Type REJECT = updated
(31) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(31) Sending delayed response
(31) Sent Access-Reject Id 48 from 192.168.1.244:1812 to
192.168.1.50:58452 length 44
(31) EAP-Message = 0x04060004
(31) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(24) Cleaning up request packet ID 41 with timestamp +308
How can I correct this ?
Best regards
3
5
Hello Alan, how are you? I ran some tests as fast as I could.
Now it's giving the following message:
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
NAS 2804:444:1:1::2 was added normally:
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
Authentication normally takes place with IPv6. The problem is with checkrad.
Below is the Access-Request package and the freeradius -X command output.
Could you help please?
Thank you!
Fabricio Viana
root@li1268-188:/# freeradius -v
radiusd: FreeRADIUS Version 3.0.24 (git #83d87a2), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.24
(0) Received Access-Request Id 142 from [2804:444:1:1::2]:33926 to [2600:4a00::f132:91a4:f567:34fd]:1812 length 185
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15813747
(0) NAS-Port-Type = Ethernet
(0) User-Name = "joseph.test"
(0) Calling-Station-Id = "AA:BB:B6:41:33:AA"
(0) Called-Station-Id = "pppoe-server-olt02"
(0) NAS-Port-Id = "ether3.501-PPPoE-OLT02"
(0) CHAP-Challenge = 0x388b23cbdc8d67936f09a731c70acf6e
(0) CHAP-Password = 0x018003bc3835139074138c89d63370276a
(0) NAS-Identifier = "R1.ITU"
(0) NAS-IPv6-Address = 2804:444:1:1::2
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) {
(0) EXPAND %{Cisco-AVPair[*]}
(0) -->
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE
(0) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) else {
(0) update request {
(0) EXPAND %{toupper:%{Calling-Station-Id}}
(0) --> AA:BB:B6:41:33:AA
(0) Calling-Station-Id := AA:BB:B6:41:33:AA
(0) } # update request = noop
(0) } # else = noop
(0) if (!control:Cleartext-Password){
(0) if (!control:Cleartext-Password) -> TRUE
(0) if (!control:Cleartext-Password) {
(0) update control {
(0) Cleartext-Password := "no_user_found_radiusnet"
(0) } # update control = noop
(0) } # if (!control:Cleartext-Password) = noop
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "ellen8858"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Conditional check items matched
(0) sql: Group "2BLO": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Merging reply items
(0) sql: Mikrotik-Rate-Limit = "100k/100k"
(0) sql: WISPr-Bandwidth-Max-Down = 100000
(0) sql: WISPr-Bandwidth-Max-Up = 100000
(0) sql: Framed-Pool = "pool_bloqueados"
(0) sql: Mikrotik-Address-List = "bloqueados"
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "joseph.test" authenticated successfully
(0) [chap] = ok
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group){
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group) -> FALSE
(0) if (reject && Framed-Protocol == PPP) {
(0) if (reject && Framed-Protocol == PPP) -> FALSE
(0) if (invalid && Framed-Protocol == PPP) {
(0) if (invalid && Framed-Protocol == PPP) -> FALSE
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /etc/freeradius/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> joseph.test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
FreeRADIUS Version 3.0.24
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/sqlippool_v4
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/sqlippool
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/sql
including configuration file /etc/freeradius/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/ddns_exec
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/sqlippool_v6
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries_v6.conf
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/digest
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/accounting
/etc/freeradius/policy.d/accounting[42]: Reference "${IDRADIUSSERVER}" not found
/etc/freeradius/policy.d/accounting[54]: Reference "${IDRADIUSSERVER}" not found
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/control
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/freeradius.env
including configuration file /etc/freeradius/ddns.env
main {
security {
user = "root"
group = "root"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/var/scriptsradius/callcheckrad.sh"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_sqlippool
# Loading module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
sqlippool sqlippool_v4 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
sqlippool {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "192.0.2.2"
port = 3306
login = "radius_user"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6prefix, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', UTC_TIMESTAMP(), UTC_TIMESTAMP(), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Prefix}', '%{Delegated-IPv6-Prefix}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = UTC_TIMESTAMP(), acctinterval = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', framedipv6prefix = '%{Framed-IPv6-Prefix}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctstoptime = NULL, nasportid = '%{NAS-Port-Id}', calledstationid = '%{Called-Station-Id}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' OR AcctUniqueId = '%{Segundo-AcctUnique-Id}' OR AcctUniqueId = '%{Terceiro-AcctUnique-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "ddns_del" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_del {
wait = yes
program = "/var/scriptsradius/ddns.php del %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ddns_add" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_add {
wait = yes
program = "/var/scriptsradius/ddns.php add %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
sqlippool sqlippool_v6 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippoolv6 WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippoolv6 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippoolv6 WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
instantiate {
}
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
# Instantiating module "sql" from file /etc/freeradius/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.7.35
mysql {
tls {
tls_required = no
check_cert = no
check_cert_cn = no
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
# Instantiating module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 38092
Listening on proxy address :: port 58617
Ready to process requests
2
3
Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)"
by CpServiceSPb 11 Sep '22
by CpServiceSPb 11 Sep '22
11 Sep '22
I use Freeradius 3.0.21 on Ubuntu 18.04 x64 LTS.
It is started under freerad:freerad, acts as DHCP as well listen to 0.0.0.0
IP and accept broadcast on one of two interfaces and listen to
192.168.0.254 and not accept broadcast on other one interface.
During DHCP conversation with clients using broadcast accepting (IP
0.0.0.0) interface, the following message is got and DHCP don' t assign to
the client:
"Failed adding ARP entry: Failed to add entry in ARP cache: Operation not
permitted (1)"
I don' t want to launch Freeradius under either root user or root/admin
group.
What is the best solution to avoid the error under freerad:freerad and move
on ?
4
7
Hello Every body ,
I am working on Hotspot management System for Cloud Version , the authentication is done successfully and accounting also , but I am trying to send disconnect packet from my radius server to mikrotik , which doesn't have a Public IP
I am using this command
echo user-name=Ziad55 | radclient -x 10.10.0.103:1700 disconnect kskhfim2v
the Nas IP address is 10.10.0.103 and I enabled the Incoming Packet in Mikrotik's radius config
but I get this result
Sent Disconnect-Request Id 112 from 0.0.0.0:53800 to 127.0.0.1:1700 length 28
User-Name = "Ziad55"
Sent Disconnect-Request Id 112 from 0.0.0.0:53800 to 127.0.0.1:1700 length 28
User-Name = "Ziad55"
Sent Disconnect-Request Id 112 from 0.0.0.0:53800 to 127.0.0.1:1700 length 28
User-Name = "Ziad55"
(0) No reply from server for ID 112 socket 3
can u help me please to solve this issue ? it is not possible to get Public IP address
[1562314050593]
3
2
Hi Together,
we finally got the issue and for the anyone else, how will face the issue, the fix is quite simple. Update your TPM Firmware!
In fact, during the authentication the client is sending a signature which only includes nulls. The packet itself is intact, sizes of the packets are valid and the signature algorithm is also well. The only thing that's not in the tls authentication is a signature. :
````
(4) eap_tls: <<< recv TLS 1.2 (type: 0016) [length 0108] handshake_type: 0f, alert_level: 00, alert_description: 00
0f000104 TLS handshake certificate_verify len 0x000104 = 260
0804 signature algorithm: rsa_pss_rsae_sha256
0100 signature size: 0x0100 = 256
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 00000000000000000000
00000000000000000000 000000000000
````
That's also the reason why some of our clients are able to authenticate and some not, with the key, stored in TPM.
Intel ships end customer TPM updater, STM as we know not. We also don't have clients with Infineon chips but they should also ship updates to the end customer.
FYI: This was a team operation and thanks to all that helped here.
Regards,
Lineconnnect
<quote author='Users mailing list'>
2 months later, a quick update on this topic (apologies, I may have
broken the threading as I don't have a copy of the original e-mails any
more!), just so there's an online reference here for anyone encountering
the same error.
Turns out I was wrong about it being Windows and OpenSSL getting muddled
over TLS 1.2 vs. 1.3...
To recap: Windows 10 clients, corporate WiFi network using EAP-TLS to
RADIUS with machine certificate (SCEP) authentication only.
Error in Freeradius logs:
(6) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
tls: TLS_accept: Error in error
(6) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(6) eap_tls: ERROR: error:0407E086:rsa
routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
(6) eap_tls: ERROR: error:1417B07B:SSL
routines:tls_process_cert_verify:bad signature
(6) eap_tls: ERROR: System call (I/O) error (-1)
(6) eap_tls: ERROR: TLS receive handshake failed during operation
(6) eap_tls: ERROR: [eaptls process] = fail
After encountering the error on a few machines again, even with
"tls_max_version" set, I delved into the guts of Windows again, and
found the error (which isn't helpful or descriptive) was actually caused
because:
* Some machine certificates had were stored/managed by the "Microsoft
Platform Crypto Provider" (TPM-backed)
* Built-in security measures control access to keys in that CSP, and it
cannot be used non-interactively
* Windows WiFi profile was set to auto-join (non-interactive)
* Windows couldn't get the key, so $deity knows what signature it was
sending
* OpenSSL rightly got confused
The solution:
Ensure machine certificate keys are stored in the "Microsoft Software
Key Storage Provider" (or another CSP/KSP that permits non-interactive
use).
All is well again, and I'm close to shutting down NPS :-)
--
Peter Bance
Information Security Adviser
Alan DeKok wrote:
> A final update on this, in case anyone here's interested (or to "wrap
> up" for anyone stumbling across this thread online) - I fixed it, and
> Windows clients are now happily joining WiFi. It's a beautiful thing to
> behold :-)
>
> In the end, I had to force OpenSSL on FreeRADIUS to stop offering
> TLS1.3 ciphers using the mods/eap config:
>
> tls_max_version = "1.2"
Good to hear.
> It seems there may be a bug in OpenSSL 1.1.1 such that even though the
> negotiation resulted in a TLS 1.2 session, the weird back-port of TLS
> 1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking
> for TLS 1.3 style signatures inappropriately.
Weird, but OK. It's OpenSSL :(
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
</quote>
Quoted from:
http://freeradius.1045715.n5.nabble.com/RE-EAP-TLS-Signature-Check-Failure-…
_____________________________________
Sent from http://freeradius.1045715.n5.nabble.com
3
4
Sorry for being vague, but for now I am not sure where problem is and
how to debug.
Debian box with debian radius packages.
There is old phone (Samsung Wave) which was configured to use PEAP0 to
connect to wifi.
/etc/freeradius/3.0/mods-config/files/authorize contains
[...]
theta Cleartext-Password := "...redacted...."
[...]
This cofiguration works with:
3.0.25+dfsg-1+b2 version of package
but after install 3.2.0+dfsg-1
authentication cannot end
Tue Jun 28 06:24:23 2022 : Debug: (51) } # Post-Auth-Type REJECT = updated
Tue Jun 28 06:24:23 2022 : Auth: (51) Login incorrect (eap1: rlm_eap (eap1): Aborting! More than 50 roundtrips made in session with state 0x41d5024f73881b73): [theta] (from client ni port 4 cli 00-26-37-AF-E2-AC)
Any hints what I can check/debug (apart taking look into source code?)
Of course I can provide logs, but they are quite huge.
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/
4
13
Hello,
We are trying to configure LDAP group membership to work to avoid repeated
calls to Active Directory.
90% of work is done:
FR 3.0.25
### Recording a list of groups:
(6) ldap: Adding cacheable user object memberships
(6) ldap: &control:LDAP-Cached-Membership += "network_engineering-inf-eng"
(6) ldap: &control:LDAP-Cached-Membership += "ad_jira-developers"
(6) ldap: &control:LDAP-Cached-Membership += "engineering"
(6) ldap: &control:LDAP-Cached-Membership += "ad_jira-administrators"
(6) ldap: &control:LDAP-Cached-Membership += "infrastructure-eng"
(6) ldap: &control:LDAP-Cached-Membership += "ad_employees"
(6) ldap: &control:LDAP-Cached-Membership += "no-phc-infra"
(6) ldap: &control:LDAP-Cached-Membership += "networks-inf-eng"
### Caching it:
(6) cache: Creating new cache entry
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'network_engineering-inf-eng'
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'ad_jira-developers'
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'engineering'
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'ad_jira-administrators'
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'infrastructure-eng'
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'ad_employees'
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'no-phc-infra'
(6) cache: &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
-> 'networks-inf-eng'
(6) cache: EXPAND Cache last updated at %t
(6) cache: --> Cache last updated at Thu Jun 30 18:55:55 2022
(6) cache: &reply:Reply-Message += Cache last updated at Thu Jun 30
18:55:55 2022
(6) cache: EXPAND %{randstr:ssssssssssssssssssssssssssssssss}
(6) cache: --> Oae2Ugjv9rHP5rxlxNP64mal.P4ggAC4
(6) cache: &reply:Class :=
0x4f61653255676a76397248503572786c784e5036346d616c2e50346767414334
(6) cache: Merging cache entry into request
(6) cache: &request:LDAP-Cached-Membership +=
"network_engineering-inf-eng"
(6) cache: &request:LDAP-Cached-Membership += "ad_jira-developers"
(6) cache: &request:LDAP-Cached-Membership += "engineering"
(6) cache: &request:LDAP-Cached-Membership += "ad_jira-administrators"
(6) cache: &request:LDAP-Cached-Membership += "infrastructure-eng"
(6) cache: &request:LDAP-Cached-Membership += "ad_employees"
(6) cache: &request:LDAP-Cached-Membership += "no-phc-infra"
(6) cache: &request:LDAP-Cached-Membership += "networks-inf-eng"
(6) cache: &reply:Reply-Message += "Cache last updated at Thu Jun 30
18:55:55 2022"
(6) cache: &reply:Class :=
0x4f61653255676a76397248503572786c784e5036346d616c2e50346767414334
(6) cache: Committed entry, TTL 10 seconds
#### Verifying that LDAP-Cached-Membership[*] contains all the groups:
(8) EXPAND Attribute contains: %{LDAP-Cached-Membership[*]}
(8) --> Attribute contains:
network_engineering-inf-eng,ad_jira-developers,engineering,ad_jira-administrators,infrastructure-eng,ad_employees,no-phc-infra,networks-inf-eng
(8) Reply-Message += Attribute contains:
network_engineering-inf-eng,ad_jira-developers,engineering,ad_jira-administrators,infrastructure-eng,ad_employees,no-phc-infra,networks-inf-eng
(8) } # update reply = noop
### In Post-Auth section, when evaluating policies, I can't match any of
the values stored in the LDAP-Cached-Membership[*].
(8) cache: Found entry for "xxxxxxx"
(8) [cache] = ok
(8) if (notfound) {
(8) if (notfound) -> FALSE
(8) elsif (ok) {
(8) elsif (ok) -> TRUE
(8) elsif (ok) {
(8) if (LDAP-Cached-Membership[*] =~ /.*networks-inf-eng.*/) {
(8) if (LDAP-Cached-Membership[*] =~ /.*networks-inf-eng.*/) ->
FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*corporate_it-inf-eng.*/)
{
(8) elsif (LDAP-Cached-Membership[*] =~ /.*corporate_it-inf-eng.*/)
-> FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*security-eng.*/) {
(8) elsif (LDAP-Cached-Membership[*] =~ /.*security-eng.*/) ->
FALSE
(8) elsif (LDAP-Cached-Membership[*] =~
/.*workplace_services-peo.*/) {
(8) elsif (LDAP-Cached-Membership[*] =~
/.*workplace_services-peo.*/) -> FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*infrastructure-eng./) {
(8) elsif (LDAP-Cached-Membership[*] =~ /.*infrastructure-eng./)
-> FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*engineering.*/) {
(8) elsif (LDAP-Cached-Membership[*] =~ /.*engineering.*/) -> FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*finance.*/) {
(8) elsif (LDAP-Cached-Membership[*] =~ /.*finance.*/) -> FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*people.*/) {
(8) elsif (LDAP-Cached-Membership[*] =~ /.*people.*/) -> FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*ad_contractors.*/) {
(8) elsif (LDAP-Cached-Membership[*] =~ /.*ad_contractors.*/) ->
FALSE
(8) elsif (LDAP-Cached-Membership[*] =~ /.*ad_employees.*/) {
(8) elsif (LDAP-Cached-Membership[*] =~ /.*ad_employees.*/) ->
FALSE
(8) } # elsif (ok) = ok
Appreciate your help in pointing me in the right direction.
Thank you
2
3
30 Jun '22
Hi!
One of my users has an Android 11 smartphone and it no longer let you
insecurely connect to enterprise WiFi networks. In the option "CA
certificate" There is no "Do not validate" option. So I'm looking for
a solution. How can I create a certificate for this user? My
Freeradius server is running on linux.
--
Regards;
Thiago M.
--
www.itaueira.com
<http://www.google.com/url?q=http%3A%2F%2Fwww.itaueira.com.br&sa=D&sntz=1&us…>
facebook/melaoRei
<https://www.google.com/url?q=https%3A%2F%2Fwww.facebook.com%2Fmelaorei%2F&s…>
f/ItaueiraTurmadaMonica
<https://www.google.com/url?q=https%3A%2F%2Fwww.facebook.com%2FItaueiraTurma…>
f/ItaueiraMelon
<https://www.google.com/url?q=https%3A%2F%2Fwww.facebook.com%2Fitaueiramelon…>
Esta mensagem é endereçada exclusivamente ao seu destinatário e poderá
conter informações confidenciais.
O uso não autorizado de tais informações
é proibido e estará sujeito às penalidades cabíveis.
*This message is
intended exclusively for its addressee and may contain information that is
confidential. *
*Unauthorized use of such information is prohibited and
subject to applicable penalties.*
4
4