Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2022
- 33 participants
- 37 discussions
Hello,
I also noticed that while the server logs many properties of the X.509
certificate (both incoming and outgoing), it does not store the fields
X509v3 Certificate Policies, i.e.:
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server
Authentication
X509v3 Subject Key Identifier:
48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36
X509v3 Authority Key Identifier:
keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4
X509v3 Subject Alternative Name:
DNS:tld1.eduroam.lu, DNS:tld2.eduroam.lu
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.27262.1.13.1.1
Policy: 1.3.6.1.4.1.27262.1.13.1.1.1.4
Policy: 1.3.6.1.4.1.25178.3.1.1
Policy: 1.3.6.1.4.1.25178.3.1.2
Policy: 1.3.6.1.4.1.27262.1.13.2.1.1.8
But:
(0) (TLS) Creating attributes from client certificate
(0) TLS-Client-Cert-Serial := "244f65593e791e5064b98342"
(0) TLS-Client-Cert-Expiration := "260218163105Z"
(0) TLS-Client-Cert-Valid-Since := "210219163105Z"
(0) TLS-Client-Cert-Subject :=
"/DC=net/DC=geant/DC=eduroam/C=LU/O=Fondation Restena/CN=tld1.eduroam.lu"
(0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0) TLS-Client-Cert-Common-Name := "tld1.eduroam.lu"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld1.eduroam.lu"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld2.eduroam.lu"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication, TLS Web Server Authentication"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1"
... but no "TLS-Client-Cert-X509v3-Certificate-Policy"
In eduroam, we use certificate policy entries to denote "This is an
authorized eduroam server" (or ..."client", or both), so it is required
as an authz check to act on the policy OIDs present in the cert (the
ones with vendor ID 25178 above).
Greetings,
Stefan Winter
--
This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
3
2
Hello,
I'm using the latest freeradius deb packages from git repo and after
enabling the default virtual.example.com virtual host config, I get this
error:
Fri Jun 3 12:54:40 2022: Debug :
/etc/freeradius/sites-enabled/virtual.example.com[38]: Allocating fake
section "priority"
Fri Jun 3 12:54:40 2022: Debug :
/etc/freeradius/sites-enabled/virtual.example.com[38]: Evaluating rules for
priority section. Output 0x5564c1fa4d40
Fri Jun 3 12:54:40 2022: Debug : Pushed parse rule to priority section:
Access-Request {}
Fri Jun 3 12:54:40 2022: Debug : Pushed parse rule to priority section:
Accounting-Request {}
Fri Jun 3 12:54:40 2022: Debug : Pushed parse rule to priority section:
CoA-Request {}
Fri Jun 3 12:54:40 2022: Debug : Pushed parse rule to priority section:
Disconnect-Request {}
Fri Jun 3 12:54:40 2022: Debug : Pushed parse rule to priority section:
Status-Server {}
Fri Jun 3 12:54:40 2022: Debug : priority {
Fri Jun 3 12:54:40 2022: Debug : Access-Request = high
Fri Jun 3 12:54:40 2022: Debug : Accounting-Request = low
Fri Jun 3 12:54:40 2022: Debug : CoA-Request = normal
Fri Jun 3 12:54:40 2022: Debug : Disconnect-Request = low
Fri Jun 3 12:54:40 2022: Debug : Status-Server = now
Fri Jun 3 12:54:40 2022: Debug : }
Fri Jun 3 12:54:40 2022: Debug :
/etc/freeradius/sites-enabled/virtual.example.com[38]: }
Fri Jun 3 12:54:40 2022: Debug :
/etc/freeradius/sites-enabled/virtual.example.com[27]: Evaluating rules for
listen[1] section. Output 0x5564c1fa01b8
Fri Jun 3 12:54:40 2022: Error : Duplicate proto_radius instance
"virtual.example.com.radius", previous instance defined at
/etc/freeradius/sites-enabled/virtual.example.com[38]
No changes made regarding default configurations.
I've attached the full debug log.
Thanks,
Marius
--
This email has been checked for viruses by AVG.
https://www.avg.com
2
1
Hello
I want to build a policy into Freeradius v3.0.3 to give access or not to
several subnet IP.
What is the better solution ?
I must create several policy/file to check the subnet ?
Thanks for you help
Regard
2
3
Good morning,
It is my first time asking a question on the freeradius mailing list, i
excuse myself in advance of any error or bad interpretation.
I'm using a VPN named strongswan that communicates with a freeradius using
the eap-radius plugin. The radius is authenticated agaisn't a samba AD that
authentifies clients using ntlm_auth and mschapv2. It is working great.
Now, I want for the clients to get the IP address that I assign in the
users.conf file. What I did was to create an user named test1.vpn in the
LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I
gave him a framed ip address like this :
"test1.vpn" Framed-IP-Address == 10.10.10.6
Fall-Through = Yes
The thing is, it doesn't work... It works great when, on the ipsec.conf
file I put rightsourceip=10.10.10.1. The client gets the right
framed-ip-address. But with %radius, I don't see the 10.10.10.6 ip address
in the radius log and it makes an error on the strongswan since the client
doesn't get a virtual IP address.
Here are the output of radiusd -X :
(0) Received Access-Request Id 211 from 172.16.10.111:47079 to
172.16.10.111:1812 length 168
(0) User-Name = "test1.vpn"
(0) NAS-Port-Type = Virtual
(0) Service-Type = Framed-User
(0) NAS-Port = 3
(0) NAS-Port-Id = "test1.vpn"
(0) NAS-IP-Address = X.X.X.X
(0) Called-Station-Id = "X.X.X.X[4500]"
(0) Calling-Station-Id = "X.X.X.X[4500]"
(0) Acct-Session-Id = "1654086146-3"
(0) EAP-Message = 0x0200000e0174657374312e76706e
(0) NAS-Identifier = "strongSwan"
(0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) [files] = noop
(0) [preprocess] = ok
(0) [mschap] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x6aa216d56aa312bf
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 211 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(0) EAP-Message = 0x010100160410ff5cd34168d97f580fbfdfa92f86b05a
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x6aa216d56aa312bf987ea9fae6cd4048
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 212 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(1) User-Name = "test1.vpn"
(1) NAS-Port-Type = Virtual
(1) Service-Type = Framed-User
(1) NAS-Port = 3
(1) NAS-Port-Id = "test1.vpn"
(1) NAS-IP-Address = X.X.X.X
(1) Called-Station-Id = "X.X.X.X[4500]"
(1) Calling-Station-Id = "X.X.X.X[4500]"
(1) Acct-Session-Id = "1654086146-3"
(1) EAP-Message = 0x020100060319
(1) NAS-Identifier = "strongSwan"
(1) State = 0x6aa216d56aa312bf987ea9fae6cd4048
(1) Message-Authenticator = 0x031a4fe55f8ec1ee08d13034d8164e22
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) [files] = noop
(1) [preprocess] = ok
(1) [mschap] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [expiration] = noop
(1) [logintime] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x6aa216d56aa312bf
(1) eap: Finished EAP session with state 0x6aa216d56aa312bf
(1) eap: Previous EAP request found for state 0x6aa216d56aa312bf, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x6aa216d56ba00fbf
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 212 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x6aa216d56ba00fbf987ea9fae6cd4048
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 213 from 172.16.10.111:47079 to
172.16.10.111:1812 length 344
(2) User-Name = "test1.vpn"
(2) NAS-Port-Type = Virtual
(2) Service-Type = Framed-User
(2) NAS-Port = 3
(2) NAS-Port-Id = "test1.vpn"
(2) NAS-IP-Address = X.X.X.X
(2) Called-Station-Id = "X.X.X.X[4500]"
(2) Calling-Station-Id = "X.X.X.X[4500]"
(2) Acct-Session-Id = "1654086146-3"
(2) EAP-Message =
0x020200ac1980000000a2160303009d01000099030362975ce3469633ee61d0332929a35ae076af708048f1d1b8d8055196ee255f0700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2) NAS-Identifier = "strongSwan"
(2) State = 0x6aa216d56ba00fbf987ea9fae6cd4048
(2) Message-Authenticator = 0x1380eb13af2c8eec169fe4a8c0f7947c
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) [files] = noop
(2) [preprocess] = ok
(2) [mschap] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 172
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x6aa216d56ba00fbf
(2) eap: Finished EAP session with state 0x6aa216d56ba00fbf
(2) eap: Previous EAP request found for state 0x6aa216d56ba00fbf, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(2) eap_peap: Got complete TLS record (162 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 009d]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 0a0e]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 024d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 3248 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x6aa216d568a10fbf
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 213 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(2) EAP-Message =
0x010303ec19c000000cb0160303003d0200003903039f516795514d2124f963a729d1c1f5046a8ec1dc38e8620e0df6721d0ecd7bb400c030000011ff01000100000b000403000102001700001603030a0e0b000a0a000a0700050930820505308202eda003020102020859501ffb058af674300d06092a864886f70d01010c05003018311630140603550403130d4c696e6b736f2056504e204341301e170d3232303532373134333135355a170d3332303532343134333135355a3018311630140603550403130d3137382e31382e36322e32323030820222300d06092a864886f70d01010105000382020f003082020a0282020100a78d1c2b41f372a12f579b055680a56749aa46f0ec6c0031b424589ca4371f4904485b011adfebb5de0b47cd85a6009f7ed0d2f8b2ed60d624322e67c6ac0d92f8044774570dddfb12512d3f354dce91b84bab8c1281abc72f7776fb0aaf3d30ad0daf0c69a07709007fb40f2aff69de1effcbe748cab7c6a889d7df5e92488e33
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x6aa216d568a10fbf987ea9fae6cd4048
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 214 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(3) User-Name = "test1.vpn"
(3) NAS-Port-Type = Virtual
(3) Service-Type = Framed-User
(3) NAS-Port = 3
(3) NAS-Port-Id = "test1.vpn"
(3) NAS-IP-Address = X.X.X.X
(3) Called-Station-Id = "X.X.X.X[4500]"
(3) Calling-Station-Id = "X.X.X.X[4500]"
(3) Acct-Session-Id = "1654086146-3"
(3) EAP-Message = 0x020300061900
(3) NAS-Identifier = "strongSwan"
(3) State = 0x6aa216d568a10fbf987ea9fae6cd4048
(3) Message-Authenticator = 0x8ec75da2a02763705c4be3fab6e7d4bd
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) [files] = noop
(3) [preprocess] = ok
(3) [mschap] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x6aa216d568a10fbf
(3) eap: Finished EAP session with state 0x6aa216d568a10fbf
(3) eap: Previous EAP request found for state 0x6aa216d568a10fbf, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x6aa216d569a60fbf
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 214 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(3) EAP-Message =
0x010403e81940bebf80d34d5d2ffadfe99593245c430b0545f71e325611a471ac019a0eb1b4cc51be9e4c4c6d7173cf00d6b53abe40a709dc7013a54897189721d836b31ae0ba84666749f762e02ab0f7b47d56d4ed0985084c55389e67476016143a29513ce10e4f779ba0e79cfedc620ce3b17c114081e2081221b32789bb7a167feb276b90bd6e5ccf3963a97c3da2a7cc5bee2b19fa21a4aa2f4a0abb2699dbe10fdbd42e93a395609bab8aded14fe6829a91017a7553d91e662a960b104d715a882298b2b57a106b608d5cbf18a416f047f92f8d6edc4631a136a88a1316574dfd306656f721427222732b84808fb63b38afe9f956af9969f506dbed0be473b1004960514231c75a8daff60a37ffe26fc85dcfb077c45ef88166b71a0ede035f7c5d79a749f30c64f5ed4e03ed8436e8f08c1d460fc0bd260ec944f99d183119868e804a7f93de415baea77ff7a29672b674e735b9d9170afd483208bec971d40ec0cb8b901f37c69d44d5c4d88bb63f59744c508a
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x6aa216d569a60fbf987ea9fae6cd4048
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 215 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(4) User-Name = "test1.vpn"
(4) NAS-Port-Type = Virtual
(4) Service-Type = Framed-User
(4) NAS-Port = 3
(4) NAS-Port-Id = "test1.vpn"
(4) NAS-IP-Address = X.X.X.X
(4) Called-Station-Id = "X.X.X.X[4500]"
(4) Calling-Station-Id = "X.X.X.X[4500]"
(4) Acct-Session-Id = "1654086146-3"
(4) EAP-Message = 0x020400061900
(4) NAS-Identifier = "strongSwan"
(4) State = 0x6aa216d569a60fbf987ea9fae6cd4048
(4) Message-Authenticator = 0xe26fd6d586c478db00a6786eb735c999
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) [files] = noop
(4) [preprocess] = ok
(4) [mschap] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x6aa216d569a60fbf
(4) eap: Finished EAP session with state 0x6aa216d569a60fbf
(4) eap: Previous EAP request found for state 0x6aa216d569a60fbf, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 1000
(4) eap: EAP session adding &reply:State = 0x6aa216d56ea70fbf
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 215 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(4) EAP-Message =
0x010503e819407082cf40cfcee0f3f12cba3aef5822670128cd6f911798eef08198423886ccf7755c826cdcbe3a99ce66a9eae20d46d7161e7b750203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414add6132f6bb457e0c198d140aba7a264e4dc0d8d300d06092a864886f70d01010c05000382020100902e25abac2dddd6ca56f04588ea1f33d011b08f31e625c387b2230a2f9f378387f2929f02a0e839e8ba589f3fa07aa97df211ce02ce75ca2eeff80a09234bc54ce1cb8be75c16b2356d36c1d4ad6bde1b5c8921a1e03d412bfd280c3cabe5b734bd209d9f8182cf64fd4ecf87ab4e677b6c9c70d10f25f6f2772a611a31fcb3e74a800142a211c766841ad6540913ba8c7b39025308a651829d2dfac79d8dac002e21bf72bd73ccf17774b31e0cd3fde6c927cfea62ed17982d4203aa7ab706fc7883dde5321895ae65e63ff503804f12ff80a8075e0f1f9b169d8a1adae22d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x6aa216d56ea70fbf987ea9fae6cd4048
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 216 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(5) User-Name = "test1.vpn"
(5) NAS-Port-Type = Virtual
(5) Service-Type = Framed-User
(5) NAS-Port = 3
(5) NAS-Port-Id = "test1.vpn"
(5) NAS-IP-Address = X.X.X.X
(5) Called-Station-Id = "X.X.X.X[4500]"
(5) Calling-Station-Id = "X.X.X.X[4500]"
(5) Acct-Session-Id = "1654086146-3"
(5) EAP-Message = 0x020500061900
(5) NAS-Identifier = "strongSwan"
(5) State = 0x6aa216d56ea70fbf987ea9fae6cd4048
(5) Message-Authenticator = 0xeffc14397e2e2698bbe4717d2ad673d3
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) [files] = noop
(5) [preprocess] = ok
(5) [mschap] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x6aa216d56ea70fbf
(5) eap: Finished EAP session with state 0x6aa216d56ea70fbf
(5) eap: Previous EAP request found for state 0x6aa216d56ea70fbf, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment
(5) eap_peap: [eaptls verify] = request
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 272
(5) eap: EAP session adding &reply:State = 0x6aa216d56fa40fbf
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 216 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(5) EAP-Message =
0x010601101900b95388bf01bc568759d1bcedf399ac35756b2d9ec895c9bbf292cf9cda06422caa91d5ca45ab2b398afb223f946eb59b87855cc7785d21da7388857fe19c71cfddf3e529084da9fbaa5256780b893e76c7627c04a7a8cc73ab61b513a14673f7409dcdf0964badc5cc38b57011876d1ad8bd7a15435aefd05db948107f67da21e45679981950d18eafb02569be67a55b948744cf534598eac71778266dc937c43fd0bb64298d3b30f62299eca9de35fe60517131a19d76ea51648aec407756961b287dcb87e5e9a2674bc24af93f9777d57fa2d31759dc351d2821f731bad747e1231da13f909929fb1ed79ddbf9a1352606b860a0180fe6363d117e2bb45eb1f616030300040e000000
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x6aa216d56fa40fbf987ea9fae6cd4048
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 217 from 172.16.10.111:47079 to
172.16.10.111:1812 length 308
(6) User-Name = "test1.vpn"
(6) NAS-Port-Type = Virtual
(6) Service-Type = Framed-User
(6) NAS-Port = 3
(6) NAS-Port-Id = "test1.vpn"
(6) NAS-IP-Address = X.X.X.X
(6) Called-Station-Id = "X.X.X.X[4500]"
(6) Calling-Station-Id = "X.X.X.X[4500]"
(6) Acct-Session-Id = "1654086146-3"
(6) EAP-Message =
0x0206008819800000007e160303004610000042410402341187576763b91077af4fe0f7c05ab045f71ae0111bc7115da8543b730178500de82d67b06be13e3090850e22f014616bbe165f8e789c65e9796cde9ba77d14030300010116030300280000000000000000ef71b7cb6cc71ec0faa37e0680343b19996d8a7578f2057c965f450002579e68
(6) NAS-Identifier = "strongSwan"
(6) State = 0x6aa216d56fa40fbf987ea9fae6cd4048
(6) Message-Authenticator = 0x7083d87098fb258fbf0258463f6b3dd1
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) [files] = noop
(6) [preprocess] = ok
(6) [mschap] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 136
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x6aa216d56fa40fbf
(6) eap: Finished EAP session with state 0x6aa216d56fa40fbf
(6) eap: Previous EAP request found for state 0x6aa216d56fa40fbf, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(6) eap_peap: Got complete TLS record (126 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: TLS_accept: SSLv3/TLS write server done
(6) eap_peap: <<< recv TLS 1.2 [length 0046]
(6) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_peap: <<< recv TLS 1.2 [length 0010]
(6) eap_peap: TLS_accept: SSLv3/TLS read finished
(6) eap_peap: >>> send TLS 1.2 [length 0001]
(6) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_peap: >>> send TLS 1.2 [length 0010]
(6) eap_peap: TLS_accept: SSLv3/TLS write finished
(6) eap_peap: (other): SSL negotiation finished successfully
(6) eap_peap: TLS - Connection Established
(6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_peap: TLS-Session-Version = "TLS 1.2"
(6) eap_peap: TLS - got 51 bytes of data
(6) eap_peap: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 7 length 57
(6) eap: EAP session adding &reply:State = 0x6aa216d56ca50fbf
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 217 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(6) EAP-Message =
0x0107003919001403030001011603030028af9cbe4ad48a36eff3a6bdf4ef810aa3e994e6a355bb852f5ca35e72b2783ab141de53d1460b8f14
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x6aa216d56ca50fbf987ea9fae6cd4048
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 218 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(7) User-Name = "test1.vpn"
(7) NAS-Port-Type = Virtual
(7) Service-Type = Framed-User
(7) NAS-Port = 3
(7) NAS-Port-Id = "test1.vpn"
(7) NAS-IP-Address = X.X.X.X
(7) Called-Station-Id = "X.X.X.X[4500]"
(7) Calling-Station-Id = "X.X.X.X[4500]"
(7) Acct-Session-Id = "1654086146-3"
(7) EAP-Message = 0x020700061900
(7) NAS-Identifier = "strongSwan"
(7) State = 0x6aa216d56ca50fbf987ea9fae6cd4048
(7) Message-Authenticator = 0x839536bbc3f30d7434ad9d19cc1c99dd
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) [files] = noop
(7) [preprocess] = ok
(7) [mschap] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6aa216d56ca50fbf
(7) eap: Finished EAP session with state 0x6aa216d56ca50fbf
(7) eap: Previous EAP request found for state 0x6aa216d56ca50fbf, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap: [eaptls verify] = success
(7) eap_peap: [eaptls process] = success
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 8 length 40
(7) eap: EAP session adding &reply:State = 0x6aa216d56daa0fbf
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 218 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(7) EAP-Message =
0x010800281900170303001daf9cbe4ad48a36f0f7e90ea4889d1ec61bd088cf1fa3b7c7d6b699dddb
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x6aa216d56daa0fbf987ea9fae6cd4048
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 219 from 172.16.10.111:47079 to
172.16.10.111:1812 length 217
(8) User-Name = "test1.vpn"
(8) NAS-Port-Type = Virtual
(8) Service-Type = Framed-User
(8) NAS-Port = 3
(8) NAS-Port-Id = "test1.vpn"
(8) NAS-IP-Address = X.X.X.X
(8) Called-Station-Id = "X.X.X.X[4500]"
(8) Calling-Station-Id = "X.X.X.X[4500]"
(8) Acct-Session-Id = "1654086146-3"
(8) EAP-Message =
0x0208002d190017030300220000000000000001153f9416a443657a5ff5eae96e278c16f1ea3e471bf3e6745738
(8) NAS-Identifier = "strongSwan"
(8) State = 0x6aa216d56daa0fbf987ea9fae6cd4048
(8) Message-Authenticator = 0xa4ddd3745d4a15c98227f8f81b897453
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) [files] = noop
(8) [preprocess] = ok
(8) [mschap] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 45
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x6aa216d56daa0fbf
(8) eap: Finished EAP session with state 0x6aa216d56daa0fbf
(8) eap: Previous EAP request found for state 0x6aa216d56daa0fbf, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - test1.vpn
(8) eap_peap: Got inner identity 'test1.vpn'
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e
(8) eap_peap: Setting User-Name to test1.vpn
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "test1.vpn"
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x0208000e0174657374312e76706e
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "test1.vpn"
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [mschap] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 14
(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 9 length 43
(8) eap: EAP session adding &reply:State = 0xb5af7c78b5a66689
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message =
0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xb5af7c78b5a66689306ef54310c66f70
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message =
0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message =
0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 9 length 74
(8) eap: EAP session adding &reply:State = 0x6aa216d562ab0fbf
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 219 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(8) EAP-Message =
0x0109004a1900170303003faf9cbe4ad48a36f1d629f5421ac4bd1824440e73056b065a53331c3e0a92dc863006c61a4e3c5b2fd79ec0d2a0560e60915e009f9a35362e1cae48cd0ced91
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x6aa216d562ab0fbf987ea9fae6cd4048
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 220 from 172.16.10.111:47079 to
172.16.10.111:1812 length 271
(9) User-Name = "test1.vpn"
(9) NAS-Port-Type = Virtual
(9) Service-Type = Framed-User
(9) NAS-Port = 3
(9) NAS-Port-Id = "test1.vpn"
(9) NAS-IP-Address = X.X.X.X
(9) Called-Station-Id = "X.X.X.X[4500]"
(9) Calling-Station-Id = "X.X.X.X[4500]"
(9) Acct-Session-Id = "1654086146-3"
(9) EAP-Message =
0x02090063190017030300580000000000000002f0c4c37ddbcba1c1e20a93357294aea5ad42b3ee3213a8669f1a63385ed6ca36ac718fa232c6b16b8cb665c475065e3efe5c09616bc2fe15fbef55fbc01bcd59a69df14f9e98a138ad31732fa8a60845
(9) NAS-Identifier = "strongSwan"
(9) State = 0x6aa216d562ab0fbf987ea9fae6cd4048
(9) Message-Authenticator = 0x224b063c7046c016feef7eead14ad30e
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) [files] = noop
(9) [preprocess] = ok
(9) [mschap] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 99
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xb5af7c78b5a66689
(9) eap: Finished EAP session with state 0x6aa216d562ab0fbf
(9) eap: Previous EAP request found for state 0x6aa216d562ab0fbf, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message =
0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e
(9) eap_peap: Setting User-Name to test1.vpn
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message =
0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "test1.vpn"
(9) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70
(9) Virtual server inner-tunnel received request
(9) EAP-Message =
0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "test1.vpn"
(9) State = 0xb5af7c78b5a66689306ef54310c66f70
(9) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [mschap] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 68
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
(9) [expiration] = noop
(9) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0xb5af7c78b5a66689
(9) eap: Finished EAP session with state 0xb5af7c78b5a66689
(9) eap: Previous EAP request found for state 0xb5af7c78b5a66689, released
from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(9) eap_mschapv2: authenticate {
(9) mschap: Creating challenge hash with username: test1.vpn
(9) mschap: Client is using MS-CHAPv2
(9) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
--username=%{mschap:User-Name} --domain=BRANCHET
--challenge=%{mschap:Challenge:-01} --nt-response=%{mschap:NT-Response:-00}:
(9) mschap: EXPAND --username=%{mschap:User-Name}
(9) mschap: --> --username=test1.vpn
(9) mschap: Creating challenge hash with username: test1.vpn
(9) mschap: EXPAND --challenge=%{mschap:Challenge:-01}
(9) mschap: --> --challenge=578147340978c207
(9) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(9) mschap: -->
--nt-response=9b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224
(9) mschap: Program returned code (0) and output 'NT_KEY:
6F5564CE191F31EAC91AE7DAFA4E36FE'
(9) mschap: Adding MS-CHAPv2 MPPE keys
(9) eap_mschapv2: [mschap] = ok
(9) eap_mschapv2: } # authenticate = ok
(9) eap_mschapv2: MSCHAP Success
(9) eap: Sending EAP Request (code 1) ID 10 length 51
(9) eap: EAP session adding &reply:State = 0xb5af7c78b4a56689
(9) [eap] = handled
(9) } # authenticate = handled
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) EAP-Message =
0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xb5af7c78b4a56689306ef54310c66f70
(9) eap_peap: Got tunneled reply code 11
(9) eap_peap: EAP-Message =
0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70
(9) eap_peap: Got tunneled reply RADIUS code 11
(9) eap_peap: EAP-Message =
0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70
(9) eap_peap: Got tunneled Access-Challenge
(9) eap: Sending EAP Request (code 1) ID 10 length 82
(9) eap: EAP session adding &reply:State = 0x6aa216d563a80fbf
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) session-state: Saving cached attributes
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 220 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(9) EAP-Message =
0x010a005219001703030047af9cbe4ad48a36f200cc2406e608e52bf7ca0116a6a6ad1c82837ff257670d9493de1d036022b1d203ec1b0ae8eafe1f394197f42c44488b5c18f803c8044e550e72240fd51805
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x6aa216d563a80fbf987ea9fae6cd4048
(9) Finished request
Waking up in 4.7 seconds.
(10) Received Access-Request Id 221 from 172.16.10.111:47079 to
172.16.10.111:1812 length 209
(10) User-Name = "test1.vpn"
(10) NAS-Port-Type = Virtual
(10) Service-Type = Framed-User
(10) NAS-Port = 3
(10) NAS-Port-Id = "test1.vpn"
(10) NAS-IP-Address = X.X.X.X
(10) Called-Station-Id = "X.X.X.X[4500]"
(10) Calling-Station-Id = "X.X.X.X[4500]"
(10) Acct-Session-Id = "1654086146-3"
(10) EAP-Message =
0x020a00251900170303001a00000000000000036997b7ebc43aa9f223d249567570b31c76a8
(10) NAS-Identifier = "strongSwan"
(10) State = 0x6aa216d563a80fbf987ea9fae6cd4048
(10) Message-Authenticator = 0xa363ba931cbea130a76c5684496de326
(10) Restoring &session-state
(10) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) [files] = noop
(10) [preprocess] = ok
(10) [mschap] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 37
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xb5af7c78b4a56689
(10) eap: Finished EAP session with state 0x6aa216d563a80fbf
(10) eap: Previous EAP request found for state 0x6aa216d563a80fbf, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state phase2
(10) eap_peap: EAP method MSCHAPv2 (26)
(10) eap_peap: Got tunneled request
(10) eap_peap: EAP-Message = 0x020a00061a03
(10) eap_peap: Setting User-Name to test1.vpn
(10) eap_peap: Sending tunneled request to inner-tunnel
(10) eap_peap: EAP-Message = 0x020a00061a03
(10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_peap: User-Name = "test1.vpn"
(10) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70
(10) Virtual server inner-tunnel received request
(10) EAP-Message = 0x020a00061a03
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "test1.vpn"
(10) State = 0xb5af7c78b4a56689306ef54310c66f70
(10) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(10) server inner-tunnel {
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [mschap] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 6
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap: Expiring EAP session with state 0xb5af7c78b4a56689
(10) eap: Finished EAP session with state 0xb5af7c78b4a56689
(10) eap: Previous EAP request found for state 0xb5af7c78b4a56689, released
from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap: Sending EAP Success (code 3) ID 10 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10) MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae
(10) MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "test1.vpn"
(10) eap_peap: Got tunneled reply code 2
(10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae
(10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d
(10) eap_peap: EAP-Message = 0x030a0004
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: User-Name = "test1.vpn"
(10) eap_peap: Got tunneled reply RADIUS code 2
(10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae
(10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d
(10) eap_peap: EAP-Message = 0x030a0004
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: User-Name = "test1.vpn"
(10) eap_peap: Tunneled authentication was successful
(10) eap_peap: SUCCESS
(10) eap: Sending EAP Request (code 1) ID 11 length 46
(10) eap: EAP session adding &reply:State = 0x6aa216d560a90fbf
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) session-state: Saving cached attributes
(10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 221 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(10) EAP-Message =
0x010b002e19001703030023af9cbe4ad48a36f35cb384eb93f8c567b161c1bd7d269ba5882c40b425d5243b03aaad
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x6aa216d560a90fbf987ea9fae6cd4048
(10) Finished request
Waking up in 4.7 seconds.
(11) Received Access-Request Id 222 from 172.16.10.111:47079 to
172.16.10.111:1812 length 218
(11) User-Name = "test1.vpn"
(11) NAS-Port-Type = Virtual
(11) Service-Type = Framed-User
(11) NAS-Port = 3
(11) NAS-Port-Id = "test1.vpn"
(11) NAS-IP-Address =X.X.X.X
(11) Called-Station-Id = "X.X.X.X[4500]"
(11) Calling-Station-Id = "X.X.X.X[4500]"
(11) Acct-Session-Id = "1654086146-3"
(11) EAP-Message =
0x020b002e190017030300230000000000000004c7753a144d7875cf1f9f774ec59202fa053603eb1b3e706bb2e274
(11) NAS-Identifier = "strongSwan"
(11) State = 0x6aa216d560a90fbf987ea9fae6cd4048
(11) Message-Authenticator = 0x167bcc052f0017f11a83525b00cf4925
(11) Restoring &session-state
(11) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) [files] = noop
(11) [preprocess] = ok
(11) [mschap] = noop
(11) eap: Peer sent EAP Response (code 2) ID 11 length 46
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0x6aa216d560a90fbf
(11) eap: Finished EAP session with state 0x6aa216d560a90fbf
(11) eap: Previous EAP request found for state 0x6aa216d560a90fbf, released
from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: [eaptls verify] = ok
(11) eap_peap: Done initial handshake
(11) eap_peap: [eaptls process] = ok
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap: Sending EAP Success (code 3) ID 11 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(11) post-auth {
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) } # post-auth = noop
(11) Sent Access-Accept Id 222 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(11) MS-MPPE-Recv-Key =
0xfbbfa1eb5d9e5f987d2f628b5ff6b79a3640ff3a061dd1feaf86725d22d772f4
(11) MS-MPPE-Send-Key =
0x8417c69e87eaf761ea94f5348adb9f0d5101b513fe918c81a5953b73997c04a6
(11) EAP-Message = 0x030b0004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "test1.vpn"
(11) Finished request
Waking up in 4.7 seconds.
(12) Received Accounting-Request Id 223 from 172.16.10.111:42384 to
172.16.10.111:1813 length 140
(12) Acct-Status-Type = Start
(12) Acct-Session-Id = "1654086146-3"
(12) NAS-Port-Type = Virtual
(12) Service-Type = Framed-User
(12) NAS-Port = 3
(12) NAS-Port-Id = "test1.vpn"
(12) NAS-IP-Address =X.X.X.X
(12) Called-Station-Id = "X.X.X.X[4500]"
(12) Calling-Station-Id = "X.X.X.X[4500]"
(12) User-Name = "test1.vpn"
(12) NAS-Identifier = "strongSwan"
(12) # Executing section preacct from file /etc/raddb/sites-enabled/default
(12) preacct {
(12) [files] = noop
(12) [preprocess] = ok
(12) policy acct_unique {
(12) update request {
(12) &Tmp-String-9 := "ai:"
(12) } # update request = noop
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(12) EXPAND %{hex:&Class}
(12) -->
(12) EXPAND ^%{hex:&Tmp-String-9}
(12) --> ^61693a
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(12) else {
(12) update request {
(12) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(12) --> a6b8d5646c70fd58db892395d8013f10
(12) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10
(12) } # update request = noop
(12) } # else = noop
(12) } # policy acct_unique = noop
(12) } # preacct = ok
(12) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(12) accounting {
(12) attr_filter.accounting_response: EXPAND %{User-Name}
(12) attr_filter.accounting_response: --> test1.vpn
(12) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(12) [attr_filter.accounting_response] = updated
(12) } # accounting = updated
(12) Sent Accounting-Response Id 223 from 172.16.10.111:1813 to
172.16.10.111:42384 length 0
(12) Finished request
(12) Cleaning up request packet ID 223 with timestamp +6
Waking up in 4.7 seconds.
(13) Received Accounting-Request Id 224 from 172.16.10.111:42384 to
172.16.10.111:1813 length 176
(13) Acct-Status-Type = Stop
(13) Acct-Session-Id = "1654086146-3"
(13) NAS-Port-Type = Virtual
(13) Service-Type = Framed-User
(13) NAS-Port = 3
(13) NAS-Port-Id = "test1.vpn"
(13) NAS-IP-Address =X.X.X.X
(13) Called-Station-Id = "X.X.X.X[4500]"
(13) Calling-Station-Id = "X.X.X.X[4500]"
(13) User-Name = "test1.vpn"
(13) Acct-Output-Octets = 0
(13) Acct-Output-Packets = 0
(13) Acct-Input-Octets = 0
(13) Acct-Input-Packets = 0
(13) Acct-Session-Time = 0
(13) Acct-Terminate-Cause = User-Request
(13) NAS-Identifier = "strongSwan"
(13) # Executing section preacct from file /etc/raddb/sites-enabled/default
(13) preacct {
(13) [files] = noop
(13) [preprocess] = ok
(13) policy acct_unique {
(13) update request {
(13) &Tmp-String-9 := "ai:"
(13) } # update request = noop
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(13) EXPAND %{hex:&Class}
(13) -->
(13) EXPAND ^%{hex:&Tmp-String-9}
(13) --> ^61693a
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(13) else {
(13) update request {
(13) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(13) --> a6b8d5646c70fd58db892395d8013f10
(13) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10
(13) } # update request = noop
(13) } # else = noop
(13) } # policy acct_unique = noop
(13) } # preacct = ok
(13) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(13) accounting {
(13) attr_filter.accounting_response: EXPAND %{User-Name}
(13) attr_filter.accounting_response: --> test1.vpn
(13) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(13) [attr_filter.accounting_response] = updated
(13) } # accounting = updated
(13) Sent Accounting-Response Id 224 from 172.16.10.111:1813 to
172.16.10.111:42384 length 0
(13) Finished request
(13) Cleaning up request packet ID 224 with timestamp +6
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 211 with timestamp +5
(1) Cleaning up request packet ID 212 with timestamp +5
(2) Cleaning up request packet ID 213 with timestamp +5
(3) Cleaning up request packet ID 214 with timestamp +5
(4) Cleaning up request packet ID 215 with timestamp +5
(5) Cleaning up request packet ID 216 with timestamp +5
(6) Cleaning up request packet ID 217 with timestamp +5
(7) Cleaning up request packet ID 218 with timestamp +5
(8) Cleaning up request packet ID 219 with timestamp +5
Waking up in 0.1 seconds.
(9) Cleaning up request packet ID 220 with timestamp +5
(10) Cleaning up request packet ID 221 with timestamp +6
(11) Cleaning up request packet ID 222 with timestamp +6
Ready to process requests
I replaced the public IP address with X.X.X.X.
Thanks in advance for any tips, or leads. Have a wonderful day.
3
5
Hi,
I'm giving dynamic_home_servers a try. I didn't get very far though:
- started with the default shipped config
- enabled sites-enabled/control-socket
- enabled dynamic=true and the default directory
- added one single entry in the directory, with filename "testrealm.lu":
home_server testrealm.lu {
# ipv6addr = "2001:db8::6"
ipaddr = "192.168.20.5"
proto = udp
secret = "radsec"
}
- started FreeRADIUS, looked at the following error:
including configuration file
/home/stefan/RESTENA/freeradius-build/etc/raddb/home_servers/testrealm.lu
home_server testrealm.lu {
ipaddr = 192.168.20.5
port = 0
proto = "udp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
Failed reading home_server from
/home/stefan/RESTENA/freeradius-build/etc/raddb/home_servers/testrealm.lu
- Dynamic home_server 'testrealm.lu' cannot have 'server' or 'auth+acct'
So the configuration is parsed correctly, but then... I didn't specify
"auth+acct" (and if I do, same error); nor do I know what is meant with
"server" (and switching between ipaddr and ipv6addr didn't change
anything)? Adding a port = 1812 doesn't change anything either.
When I read in the docs that these should be "normal" home_server
definitions, I wonder... they are seemingly not quite that normal?
Greetings,
Stefan Winter
--
This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
2
12
Hi, we’ve set up freeradius 3.0 in order to authenticate users through an
LDAP server, also users are assigned different VLAN depending on gidNumber
ldap attribute. We have 2 enabled sites ‘default’ and ‘inner-tunnel’
Those are the relevant parts of our setup:
sites-enabled/default
post-auth {
if (LDAP-Group == 10000 ) {
update reply {
Service-Type = Framed-User
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 20
}
}
if (LDAP-Group == 10001 ) {
update reply {
Service-Type = Framed-User
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 40
}
}
[….]
}
mods-enabled/ldap
user {
[…]
filter =
"(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))"
[…]
}
I’ve ignored most parts of the configuration because they are mostly
default configuration. This have been working for several years with no
relevant issues, but now we’ve noticed an issue that would like to correct:
Windows clients sends ‘anonymous’ as anonymous identity when connecting to
wifi after wake up, so outer identity is set to ‘anonymous’ and post-auth
section of ‘default’ site gets the outer identity instead of the real one,
so the LDAP search is based on ‘anonymous’, user is not found so no
LDAP-Group, so no correct VLAN is assigned to that client. This also
happens if someone enters “anonymous” as anonymous identity when connecting.
Here’s a Access-Request part of a log ending with Access-Accept, but with
wrong assigned VLAN.
(29) Received Access-Request Id 43 from 192.168.0.19:38666 to
192.168.10.100:1812 length 306
(29) User-Name = "anonymous"
(29) NAS-IP-Address = 192.168.0.19
(29) NAS-Identifier = "fa92bf24addf"
(29) Called-Station-Id = "FA-92-BF-24-AD-DF:LLEDONER"
(29) NAS-Port-Type = Wireless-802.11
(29) Service-Type = Framed-User
(29) Calling-Station-Id = "D0-C5-D3-5A-3E-A9"
(29) Connect-Info = "CONNECT 0Mbps 802.11b"
(29) Acct-Session-Id = "AFE698CF77042B3D"
(29) Acct-Multi-Session-Id = "7A7B1A2476F7F9DE"
(29) WLAN-Pairwise-Cipher = 1027076
(29) WLAN-Group-Cipher = 1027076
(29) WLAN-AKM-Suite = 1027073
(29) Framed-MTU = 1400
(29) EAP-Message =
0x021e004b158000000041170303003c00000000000000010eb9490a83ceab9db4773eec8b6ebf9a98789e9d07b5f4c3a2653bd425ea8133893eedba6b2e0e5050f6987735a41ba601545c91
(29) State = 0x8492598d818c4c92471f232c19036cae
(29) Message-Authenticator = 0x4c9003e6cc19547d42d86a1df23d1a76
(29) session-state: No cached attributes
(29) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /(a)\./) {
(29) if (&User-Name =~ /(a)\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [chap] = noop
(29) [mschap] = noop
(29) [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 30 length 75
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0x8492598d818c4c92
(29) eap: Finished EAP session with state 0x8492598d818c4c92
(29) eap: Previous EAP request found for state 0x8492598d818c4c92, released
from the list
(29) eap: Peer sent packet with method EAP TTLS (21)
(29) eap: Calling submodule eap_ttls to process data
(29) eap_ttls: Authenticate
(29) eap_ttls: Continuing EAP-TLS
(29) eap_ttls: Peer indicated complete TLS record size will be 65 bytes
(29) eap_ttls: Got complete TLS record (65 bytes)
(29) eap_ttls: [eaptls verify] = length included
(29) eap_ttls: [eaptls process] = ok
(29) eap_ttls: Session established. Proceeding to decode tunneled
attributes
(29) eap_ttls: Got tunneled request
(29) eap_ttls: User-Name = "mroig"
(29) eap_ttls: User-Password = “******”
(29) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(29) eap_ttls: Sending tunneled request
(29) Virtual server inner-tunnel received request
(29) User-Name = "mroig"
(29) User-Password = “******”
(29) FreeRADIUS-Proxied-To = 127.0.0.1
(29) NAS-IP-Address = 192.168.0.19
(29) NAS-Identifier = "fa92bf24addf"
(29) Called-Station-Id = "FA-92-BF-24-AD-DF:LLEDONER"
(29) NAS-Port-Type = Wireless-802.11
(29) Service-Type = Framed-User
(29) Calling-Station-Id = "D0-C5-D3-5A-3E-A9"
(29) Connect-Info = "CONNECT 0Mbps 802.11b"
(29) Acct-Session-Id = "AFE698CF77042B3D"
(29) Acct-Multi-Session-Id = "7A7B1A2476F7F9DE"
(29) WLAN-Pairwise-Cipher = 1027076
(29) WLAN-Group-Cipher = 1027076
(29) WLAN-AKM-Suite = 1027073
(29) Framed-MTU = 1400
(29) Event-Timestamp = "May 26 2022 09:44:29 CEST"
(29) server inner-tunnel {
(29) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /(a)\./) {
(29) if (&User-Name =~ /(a)\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [chap] = noop
(29) [mschap] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "mroig", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) update control {
(29) &Proxy-To-Realm := LOCAL
(29) } # update control = noop
(29) eap: No EAP-Message, not doing EAP
(29) [eap] = noop
(29) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(29) ldap: EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29) ldap: --> (&(uid=mroig)(|(businessCategory=1)(businessCategory=2)))
(29) ldap: Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=mroig)(|(businessCategory=1)(businessCategory=2)))", scope
"sub"
(29) ldap: Waiting for search result...
(29) ldap: User object found at DN
"uid=mroig,ou=Gent,ou=lledoner,dc=nigul,dc=coop"
(29) ldap: Processing user attributes
(29) ldap: control:NT-Password :=
0x4431443741394445383432423837443141333545433343363734323637323033
rlm_ldap (ldap): Released connection (2)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(29) [ldap] = updated
(29) if (noop && User-Password) {
(29) if (noop && User-Password) -> FALSE
(29) [expiration] = noop
(29) [logintime] = noop
(29) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(29) [pap] = updated
(29) } # authorize = updated
(29) Found Auth-Type = PAP
(29) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(29) Auth-Type PAP {
(29) pap: Login attempt with password
(29) pap: Comparing with "known-good" NT-Password
(29) pap: User authenticated successfully
(29) [pap] = ok
(29) } # Auth-Type PAP = ok
(29) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(29) post-auth {
(29) if (0) {
(29) if (0) -> FALSE
(29) } # post-auth = noop
(29) } # server inner-tunnel
(29) Virtual server sending reply
(29) eap_ttls: Got tunneled Access-Accept
(29) eap: Sending EAP Success (code 3) ID 30 length 4
(29) eap: Freeing handler
(29) [eap] = ok
(29) } # authenticate = ok
(29) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(29) post-auth {
(29) if (LDAP-Group == 10000 ) {
(29) Searching for user in group "10000"
rlm_ldap (ldap): Reserved connection (3)
(29) EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29) -->
(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))
(29) Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))",
scope "sub"
(29) Waiting for search result...
(29) Search returned no results
rlm_ldap (ldap): Released connection (3)
(29) if (LDAP-Group == 10000 ) -> FALSE
(29) if (LDAP-Group == 10001 ) {
(29) Searching for user in group "10001"
rlm_ldap (ldap): Reserved connection (4)
(29) EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29) -->
(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))
(29) Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))",
scope "sub"
(29) Waiting for search result...
(29) Search returned no results
rlm_ldap (ldap): Released connection (4)
(29) if (LDAP-Group == 10001 ) -> FALSE
(29) if (LDAP-Group == 10032 ) {
(29) Searching for user in group "10032"
rlm_ldap (ldap): Reserved connection (0)
(29) EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29) -->
(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))
(29) Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))",
scope "sub"
(29) Waiting for search result...
(29) Search returned no results
rlm_ldap (ldap): Released connection (0)
(29) if (LDAP-Group == 10032 ) -> FALSE
(29) update {
(29) No attributes updated
(29) } # update = noop
(29) [exec] = noop
(29) policy remove_reply_message_if_eap {
(29) if (&reply:EAP-Message && &reply:Reply-Message) {
(29) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(29) else {
(29) [noop] = noop
(29) } # else = noop
(29) } # policy remove_reply_message_if_eap = noop
(29) } # post-auth = noop
(29) Sent Access-Accept Id 43 from 192.168.10.100:1812 to 192.168.0.19:38666
length 0
(29) MS-MPPE-Recv-Key =
0x9d69d88a6eec283428461d5b448a1895c01d1f9fabd804b184bc0e435328efad
(29) MS-MPPE-Send-Key =
0x097545e078f9a72d69f885fa90ee1b65e7d0016fcf04a8f87281cf9242240f42
(29) EAP-Message = 0x031e0004
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) User-Name = "anonymous"
(29) Finished request
With a little research I’ve found several places that discusses this
matter, but none one them offers a solution for us. What we tried is:
In sites-enabled/inner-tunnel we set if (0) to if (1) here:
# Instead of "use_tunneled_reply", change this "if (0)" to an
# "if (1)".
#
if (1) {
#
# These attributes are for the inner-tunnel only,
# and MUST NOT be copied to the outer reply.
#
update reply {
User-Name !* ANY
Message-Authenticator !* ANY
EAP-Message !* ANY
Proxy-State !* ANY
MS-MPPE-Encryption-Types !* ANY
MS-MPPE-Encryption-Policy !* ANY
MS-MPPE-Send-Key !* ANY
MS-MPPE-Recv-Key !* ANY
}
#
# Copy the inner reply attributes to the outer
# session-state list. The post-auth policy will take
# care of copying the outer session-state list to the
# outer reply.
#
update {
&outer.session-state: += &reply:
}
}
This didn’t solve the issue.
Also tried to add in same section post-auth:
udate reply {
User-Name := &request:User-Name
}
Neither solved the issue.
So, as you see, we need a little help to make freeradius use the real
identity every time it does the LDAP search to get the correct gidNumber,
so we can assign the correct VLAN to the client.
Thanks a lot.
--
*Informació sobre protecció de dades: El responsable del tractament de les
dades personals del destinatari és el remitent de la present comunicació.
Aquestes dades són tractades per a la satisfacció del nostre interès
legítim per a la gestió de contactes i el manteniment de comunicacions
recíproques per qüestions derivades de la nostra activitat. Aquestes dades
seran conservades mentre siguin útils per a la finalitat indicada, i, en
tot cas, durant els terminis legals i per al temps necessari per atendre a
possibles responsabilitats nascudes del tractament. Els interessats tenen
dret a sol·licitar l'accés a les seves dades personals, la seva
rectificació, supressió o portabilitat, la limitació del seu tractament, a
oposar-se al tractament, així com a presentar una reclamació davant una
autoritat de control.*
_Aquest missatge i els seus documents adjunts són
confidencials. Si vostè no és el destinatari, per favor posi-ho en
coneixement del remitent i elimini aquesta comunicació i els documents
adjunts del seu sistema, sense reproduir ni comunicar els seus continguts.
La transmissió de correu electrònic no garanteix que sigui segur o lliure
d'error, per la qual cosa, declinem qualsevol responsabilitat sobre aquest
tema._
2
2
Re: FreeRADIUS and Active Directory: Access-Reject (RHEL/CentOS 8)
by White, Daniel E. (GSFC-770.0)[AEGIS] 01 Jun '22
by White, Daniel E. (GSFC-770.0)[AEGIS] 01 Jun '22
01 Jun '22
BUMP !
Does anyone have FreeRADIUS on RHEL/CentOS 8 working with LDAP/Active Directory as its back end ?
On 5/25/22, 13:12, "Freeradius-Users on behalf of White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users" <freeradius-users-bounces+daniel.e.white=nasa.gov(a)lists.freeradius.org on behalf of freeradius-users(a)lists.freeradius.org> wrote:
Here are the important parts:
RHEL 8.5
Trying to talk to Active Directory with LDAP
My Microsoft SME says AD will never hand back a password.
How do I get RADIUS to hand the password to AD ?
(0) Received Access-Request Id 70 from 127.0.0.1:53801 to 127.0.0.1:1812 length 74
(0) User-Name = "demo"
(0) User-Password = <<User Password>>
(0) NAS-IP-Address = <<local host IP>>
(0) NAS-Port = 0
(0) Message-Authenticator = 0x590d9fc4e81ec118e32a67ad6fea50ca
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "demo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (sAMAccountName=demo)
(0) ldap: Performing search in "OU=USERS,DC=dc1,DC=dc2,DC=dc3,DC=dc4" with filter "(sAMAccountName=demo)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=Demo,OU=USERGROUP,OU=USERS,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://AD-DC-1:389 ldap://AD-DC-2:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> demo
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 70 from 127.0.0.1:1812 to 127.0.0.1:53801 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 70 with timestamp +7
Ready to process requests
2
1