Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2022
- 29 participants
- 32 discussions
All,
I've got authentication working nicely with MSCHAP, but now I'd like to
only allow users that are members of a certain AD group.
I would prefer to have this happen only when requests come from a
specific client (wireless access point). In this case the idea is to
have users only be able to get wireless access when they're in a
specific AD group.
How can I do this in freeradius?
Thanks,
Brian
7
18
Hi everyone!
I am facing a problem when freeradius reports that the limit of open
sessions has been reached. These are log entries, like "Too many open
sessions. Try increasing "max_sessions" in the EAP module configuration".
During the debugging, it was determined that some ios devices
(ipad/iphone), for a reason unknown to me, cyclically cannot complete
eap/tls authentication process. I found that these devices successfully
start communicating with the NAS (send EAP-Response/Identity). But after
receiving the (TLS Start)-message, they no longer send the (TLS
client_hello)-message, and restart the association process with the access
point and therefore open a new EAP session. If recreate a wifi connection
on such a device, it will connect successfully.
Until I find the root cause of this behavior, I would like to monitor the
number of open sessions of the radius server. But I couldn't find a
suitable way to do it. Here is what I tried:
- use the "status server" tool, but there is no suitable one among its
counters
- use tool "control-socket" and radmin but also i didn't find suitable
counter
Can you help me with this question?
Thanks!
2
4
Hello,
For some times now, Android 11 requires cert validation in WiFi
connections (see [1]).
At the same time, Android 11 also makes it much harder for end users
to import self-signed root CA (see [2]).
As I provide WiFi connectivity in BYOD environments and can't help end
users when they import certs, I choosed to test PEAP/MSCHAPv2 with
LetsEncrypt certs though I know this would be less secure than with
self-signed root CA.
I'm planning to generate and renew LetsEncrypt cert on a remote
Internet-connected host, and then copy both privkey.pem and
fullchain.pem files to Freeradius instance, as suggested by [3].
In my lab setup, I'm using a Samsung Galaxy Tab A7 Lite to test.
Though being Android 11-powered, this device also allows
Do-Not-Validate pre-Android 11 option !
When I connect to WiFi with this device, I'm using the following settings:
Identity: bar
Password: whateverneeded
CA Certificate: use system certificate
Online cert status: do not validate
Domain: the exact CN value
My lab setup includes:
- a Freeradius 3.0.21 on Debian Bullseye
- a Unifi WiFi Network 6.5.55 with WiFi AP
- a Samsung Galaxy Tab A7 Lite
- valid LetsEncrypt certs
My certs files are copied into Freeradius host as:
# ls -l /etc/freeradius/3.0/certs/letsencrypt/
total 12
-rw-r----- 1 freerad freerad 5604 27 juin 19:04 fullchain.pem
-rw------- 1 freerad freerad 1704 27 juin 19:04 privkey.pem
# openssl x509 -dates -noout -in
/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem
notBefore=May 28 17:32:21 2022 GMT
notAfter=Aug 26 17:32:20 2022 GMT
[1] https://internet-access-guide.com/android-wifi-ca-certificate-do-not-valida…
[2] https://httptoolkit.tech/blog/android-11-trust-ca-certificates/
[3] https://framebyframewifi.net/2017/01/29/use-lets-encrypt-certificates-with-…
When I connect to WiFi, this is part of freeradius -X output:
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
...
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/letsencrypt/privkey.pem"
certificate_file = "/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 56401
Listening on proxy address :: port 45775
Ready to process requests
(26) eap: Peer sent EAP Response (code 2) ID 1 length 141
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0xc733062dc6321fce
(26) eap: Finished EAP session with state 0xc733062dc6321fce
(26) eap: Previous EAP request found for state 0xc733062dc6321fce,
released from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(26) eap_peap: Got complete TLS record (131 bytes)
(26) eap_peap: [eaptls verify] = length included
(26) eap_peap: (other): before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello
(26) eap_peap: >>> send TLS 1.2 [length 003d]
(26) eap_peap: TLS_accept: SSLv3/TLS write server hello
(26) eap_peap: >>> send TLS 1.2 [length 0fbe]
(26) eap_peap: TLS_accept: SSLv3/TLS write certificate
(26) eap_peap: >>> send TLS 1.2 [length 014d]
(26) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(26) eap_peap: >>> send TLS 1.2 [length 0004]
(26) eap_peap: TLS_accept: SSLv3/TLS write server done
(26) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(26) eap_peap: TLS - In Handshake Phase
(26) eap_peap: TLS - got 4448 bytes of data
(26) eap_peap: [eaptls process] = handled
(26) eap: Sending EAP Request (code 1) ID 2 length 1004
(26) eap: EAP session adding &reply:State = 0xc733062dc5311fce
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) Challenge { ... } # empty sub-section is ignored
(26) Sent Access-Challenge Id 43 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(26) EAP-Message =
0x010203ec19c000001160160303003d020000390303af5657898d92eefe5085a4ad3604bed4f0f0b48e39cd7ada954fbee1b104098800c02f000011ff01000100000b000403000102001700001603030fbe0b000fba000fb70005303082052c30820414a003020102021203734b50cf2bcbeb7c22ada836c00a3f624f300d06092a864886f70d01010b05003032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b3009060355040313025233301e170d3232303532383137333232315a170d3232303832363137333232305a301e311c301a06035504031313686f7374332e706572656e69702e636c6f756430820122300d06092a864886f70d01010105000382010f003082010a0282010100e653da7ed722cc166a21b4055852edc8973b7daa624eb8897805f735be194e49d231f0d04e2d091679c8a1f9075bf6051d24661042467c293e77827ed8de02eacf8132699f9aac89cb9471f1857c292dca4cc9d69608d7
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0xc733062dc5311fceda200d98107c2728
(26) Finished request
Waking up in 4.9 seconds.
(27) Received Access-Request Id 44 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(27) User-Name = "bar"
(27) NAS-IP-Address = 192.168.1.50
(27) NAS-Identifier = "f09fc2f50d43"
(27) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(27) NAS-Port-Type = Wireless-802.11
(27) Service-Type = Framed-User
(27) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(27) Connect-Info = "CONNECT 0Mbps 802.11b"
(27) Acct-Session-Id = "2087B41CCAAC0F74"
(27) Acct-Multi-Session-Id = "C546EF77BB09F037"
(27) WLAN-Pairwise-Cipher = 1027076
(27) WLAN-Group-Cipher = 1027076
(27) WLAN-AKM-Suite = 1027073
(27) Framed-MTU = 1400
(27) EAP-Message = 0x020200061900
(27) State = 0xc733062dc5311fceda200d98107c2728
(27) Message-Authenticator = 0x39f4e95b5909f1152843a2e02fbaffde
(27) session-state: No cached attributes
(27) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (&User-Name) {
(27) if (&User-Name) -> TRUE
(27) if (&User-Name) {
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@[^@]*@/ ) {
(27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /(a)\./) {
(27) if (&User-Name =~ /(a)\./) -> FALSE
(27) } # if (&User-Name) = notfound
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [chap] = noop
(27) [mschap] = noop
(27) [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "bar", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) eap: Peer sent EAP Response (code 2) ID 2 length 6
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0xc733062dc5311fce
(27) eap: Finished EAP session with state 0xc733062dc5311fce
(27) eap: Previous EAP request found for state 0xc733062dc5311fce,
released from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: Peer ACKed our handshake fragment
(27) eap_peap: [eaptls verify] = request
(27) eap_peap: [eaptls process] = handled
(27) eap: Sending EAP Request (code 1) ID 3 length 1000
(27) eap: EAP session adding &reply:State = 0xc733062dc4301fce
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) Challenge { ... } # empty sub-section is ignored
(27) Sent Access-Challenge Id 44 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(27) EAP-Message =
0x010303e81940cca15e2a9dd6bfa61b4d866fdcc7284c9a6a860076002979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784000001810bf0d4030000040300473045022037d7b0385f16f2b16e8903082d51bb15604c0262cd7473239d165e5ca5a858740221009c92c932de42f9d7883a89cd8ddc171d91a0f5b0d2e77b6886d1ea473f7fbe17300d06092a864886f70d01010b05000382010100731334fe1bbdc145631a0ddd0e7174e87df1da2cf6b032521bba82995c0460886e5b751c5f0b417ad32fa987caac9f61be48ec68673e33bc5a1deebe1004c5546cb3ef098495ab393bd60c614e132ad13e5fe0ca56106aeb92cf1f4e6de2f8f736bc1e94b7659439b711b931ba2174abb85ef05347b7d82f18411fe147f74939fbe311977c50c90b7c7720e890b59300fef66c0c7b84cd536cbde1aee6231f21550751613cba3ad52f48c82b2cc0de8e38764ba3c988a8cd37994500c1233288e294319b95c4600a48b3094eadf3ac1d68bf
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0xc733062dc4301fceda200d98107c2728
(27) Finished request
Waking up in 4.9 seconds.
(28) Received Access-Request Id 45 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(28) User-Name = "bar"
(28) NAS-IP-Address = 192.168.1.50
(28) NAS-Identifier = "f09fc2f50d43"
(28) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(28) NAS-Port-Type = Wireless-802.11
(28) Service-Type = Framed-User
(28) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) Acct-Session-Id = "2087B41CCAAC0F74"
(28) Acct-Multi-Session-Id = "C546EF77BB09F037"
(28) WLAN-Pairwise-Cipher = 1027076
(28) WLAN-Group-Cipher = 1027076
(28) WLAN-AKM-Suite = 1027073
(28) Framed-MTU = 1400
(28) EAP-Message = 0x020300061900
(28) State = 0xc733062dc4301fceda200d98107c2728
(28) Message-Authenticator = 0x441e1d2d2df0e955fe4065c44cb93a6b
(28) session-state: No cached attributes
(28) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(28) authorize {
(28) policy filter_username {
(28) if (&User-Name) {
(28) if (&User-Name) -> TRUE
(28) if (&User-Name) {
(28) if (&User-Name =~ / /) {
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ ) {
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ ) {
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(28) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/) {
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /(a)\./) {
(28) if (&User-Name =~ /(a)\./) -> FALSE
(28) } # if (&User-Name) = notfound
(28) } # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "bar", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 3 length 6
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) authenticate {
(28) eap: Expiring EAP session with state 0xc733062dc4301fce
(28) eap: Finished EAP session with state 0xc733062dc4301fce
(28) eap: Previous EAP request found for state 0xc733062dc4301fce,
released from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: Peer ACKed our handshake fragment
(28) eap_peap: [eaptls verify] = request
(28) eap_peap: [eaptls process] = handled
(28) eap: Sending EAP Request (code 1) ID 4 length 1000
(28) eap: EAP session adding &reply:State = 0xc733062dc3371fce
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) Challenge { ... } # empty sub-section is ignored
(28) Sent Access-Challenge Id 45 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(28) EAP-Message =
0x010403e8194001ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0xc733062dc3371fceda200d98107c2728
(28) Finished request
Waking up in 4.9 seconds.
(29) Received Access-Request Id 46 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(29) User-Name = "bar"
(29) NAS-IP-Address = 192.168.1.50
(29) NAS-Identifier = "f09fc2f50d43"
(29) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(29) NAS-Port-Type = Wireless-802.11
(29) Service-Type = Framed-User
(29) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(29) Connect-Info = "CONNECT 0Mbps 802.11b"
(29) Acct-Session-Id = "2087B41CCAAC0F74"
(29) Acct-Multi-Session-Id = "C546EF77BB09F037"
(29) WLAN-Pairwise-Cipher = 1027076
(29) WLAN-Group-Cipher = 1027076
(29) WLAN-AKM-Suite = 1027073
(29) Framed-MTU = 1400
(29) EAP-Message = 0x020400061900
(29) State = 0xc733062dc3371fceda200d98107c2728
(29) Message-Authenticator = 0x662064b545b5aa385ea1ebd63c5d881b
(29) session-state: No cached attributes
(29) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /(a)\./) {
(29) if (&User-Name =~ /(a)\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [chap] = noop
(29) [mschap] = noop
(29) [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "bar", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 4 length 6
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0xc733062dc3371fce
(29) eap: Finished EAP session with state 0xc733062dc3371fce
(29) eap: Previous EAP request found for state 0xc733062dc3371fce,
released from the list
(29) eap: Peer sent packet with method EAP PEAP (25)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Continuing EAP-TLS
(29) eap_peap: Peer ACKed our handshake fragment
(29) eap_peap: [eaptls verify] = request
(29) eap_peap: [eaptls process] = handled
(29) eap: Sending EAP Request (code 1) ID 5 length 1000
(29) eap: EAP session adding &reply:State = 0xc733062dc2361fce
(29) [eap] = handled
(29) } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) Challenge { ... } # empty sub-section is ignored
(29) Sent Access-Challenge Id 46 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(29) EAP-Message =
0x010503e81940f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd0
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0xc733062dc2361fceda200d98107c2728
(29) Finished request
Waking up in 4.8 seconds.
(30) Received Access-Request Id 47 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(30) User-Name = "bar"
(30) NAS-IP-Address = 192.168.1.50
(30) NAS-Identifier = "f09fc2f50d43"
(30) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(30) NAS-Port-Type = Wireless-802.11
(30) Service-Type = Framed-User
(30) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(30) Connect-Info = "CONNECT 0Mbps 802.11b"
(30) Acct-Session-Id = "2087B41CCAAC0F74"
(30) Acct-Multi-Session-Id = "C546EF77BB09F037"
(30) WLAN-Pairwise-Cipher = 1027076
(30) WLAN-Group-Cipher = 1027076
(30) WLAN-AKM-Suite = 1027073
(30) Framed-MTU = 1400
(30) EAP-Message = 0x020500061900
(30) State = 0xc733062dc2361fceda200d98107c2728
(30) Message-Authenticator = 0xdb1a11eda65bfd28f2bae8a4467c4bea
(30) session-state: No cached attributes
(30) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /(a)\./) {
(30) if (&User-Name =~ /(a)\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) [chap] = noop
(30) [mschap] = noop
(30) [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "bar", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 5 length 6
(30) eap: Continuing tunnel setup
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) authenticate {
(30) eap: Expiring EAP session with state 0xc733062dc2361fce
(30) eap: Finished EAP session with state 0xc733062dc2361fce
(30) eap: Previous EAP request found for state 0xc733062dc2361fce,
released from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: Peer ACKed our handshake fragment
(30) eap_peap: [eaptls verify] = request
(30) eap_peap: [eaptls process] = handled
(30) eap: Sending EAP Request (code 1) ID 6 length 478
(30) eap: EAP session adding &reply:State = 0xc733062dc1351fce
(30) [eap] = handled
(30) } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) Challenge { ... } # empty sub-section is ignored
(30) Sent Access-Challenge Id 47 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(30) EAP-Message =
0x010601de1900676dc257c5463941cf8a5883586d99fe57e8360ef00e23aafd8897d0e35c0e9449b5b51735d22ebf4e85ef18e08592eb063b6c29230960dc45024c12183be9fb0ededc44f85898aeeabd4545a1885d66cafe10e96f82c811420dfbe9ece38600de9d10e338faa47db1d8e8498284069b2be86b4f010c38772ef9dde739160303014d0c0001490300174104182d51bb94eedf8e4d45ba672b11c1683550862e7b3cbcc4c060eeb4bb6a788ba97e3226321cf8ba7055f70228fd8fbd726b203aaecea3297f2f15e87c0e13190804010065efa44cf7b89671f95ce0791208321c652e630ca175e1c4c11946ffa99a7ecddf6f6e5bc8b7689bca97ea17a48c085474e867dc62b2102a477c4a022336e02e2e4e38d5542a7c69276d22fd961b4022e88c54c7fe6fad2d1176b734f007a2af32ae3fd62b53a6fcd2da0b78040ee68241e4435189e87093b227e4f4f9ebb3c1b3da591bd3c129f70dcd71fca22d92ceaa6318dfcf6397a92d127e2a999be84a9be8
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0xc733062dc1351fceda200d98107c2728
(30) Finished request
Waking up in 4.8 seconds.
(31) Received Access-Request Id 48 from 192.168.1.50:58452 to
192.168.1.244:1812 length 242
(31) User-Name = "bar"
(31) NAS-IP-Address = 192.168.1.50
(31) NAS-Identifier = "f09fc2f50d43"
(31) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(31) NAS-Port-Type = Wireless-802.11
(31) Service-Type = Framed-User
(31) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(31) Connect-Info = "CONNECT 0Mbps 802.11b"
(31) Acct-Session-Id = "2087B41CCAAC0F74"
(31) Acct-Multi-Session-Id = "C546EF77BB09F037"
(31) WLAN-Pairwise-Cipher = 1027076
(31) WLAN-Group-Cipher = 1027076
(31) WLAN-AKM-Suite = 1027073
(31) Framed-MTU = 1400
(31) EAP-Message = 0x020600111980000000071503030002022d
(31) State = 0xc733062dc1351fceda200d98107c2728
(31) Message-Authenticator = 0x96fa48935246587652cd6219e8243639
(31) session-state: No cached attributes
(31) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /(a)\./) {
(31) if (&User-Name =~ /(a)\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [preprocess] = ok
(31) [chap] = noop
(31) [mschap] = noop
(31) [digest] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "bar", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 6 length 17
(31) eap: Continuing tunnel setup
(31) [eap] = ok
(31) } # authorize = ok
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) authenticate {
(31) eap: Expiring EAP session with state 0xc733062dc1351fce
(31) eap: Finished EAP session with state 0xc733062dc1351fce
(31) eap: Previous EAP request found for state 0xc733062dc1351fce,
released from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(31) eap_peap: Got complete TLS record (7 bytes)
(31) eap_peap: [eaptls verify] = length included
(31) eap_peap: <<< recv TLS 1.2 [length 0002]
(31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(31) eap_peap: TLS_accept: Need to read more data: error
(31) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate
expired
(31) eap_peap: TLS - In Handshake Phase
(31) eap_peap: TLS - Application data.
(31) eap_peap: ERROR: TLS failed during operation
(31) eap_peap: ERROR: [eaptls process] = fail
(31) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(31) eap: Sending EAP Failure (code 4) ID 6 length 4
(31) eap: Failed in EAP select
(31) [eap] = invalid
(31) } # authenticate = invalid
(31) Failed to authenticate the user
(31) Using Post-Auth-Type Reject
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) Post-Auth-Type REJECT {
(31) attr_filter.access_reject: EXPAND %{User-Name}
(31) attr_filter.access_reject: --> bar
(31) attr_filter.access_reject: Matched entry DEFAULT at line 11
(31) [attr_filter.access_reject] = updated
(31) [eap] = noop
(31) policy remove_reply_message_if_eap {
(31) if (&reply:EAP-Message && &reply:Reply-Message) {
(31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(31) else {
(31) [noop] = noop
(31) } # else = noop
(31) } # policy remove_reply_message_if_eap = noop
(31) } # Post-Auth-Type REJECT = updated
(31) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(31) Sending delayed response
(31) Sent Access-Reject Id 48 from 192.168.1.244:1812 to
192.168.1.50:58452 length 44
(31) EAP-Message = 0x04060004
(31) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(24) Cleaning up request packet ID 41 with timestamp +308
How can I correct this ?
Best regards
3
5
14 Oct '22
Hello everyone, and thank you for your future help in solving this problem.
I’m trying to implement, a FreeRADIUS server for a wired usage using
EAP-TTLS/PAP protocol, I’m authorizing my users based on their credentials
saved in the users file.
I’ve created my certificates (CA and server) following the recommended
guidelines.
When I test EAP-TTLS/PAP with eapol_test, i’ve got a success message, the
same goes when I authenticate on my laptop under Windows 11 OS, with
EAP-PEAP, while previously disabling « check the identity of the server… ».
And when I click on the connect button after sending my credentials, to
acknowledge my certificate is not safe, I succeed to connect.
But when I try to authenticate with EAP-TTLS/PAP, it fails when I click on «
connect », I don’t have any following response to my Access-Challenge
packets.
I know there is an article on wiki.freeradius about certificate
compatibility, but I’ve not been able to solve the problem even with it.
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/digest
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/rfc7542
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipv4addr = 127.0.0.1
port = 1812
type = "auth"
proto = "udp"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
proto = "udp"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client private-network-1 {
ipaddr = 10.101.0.20
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p1-p173-001 {
ipv4addr = 10.100.0.16
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_nico_p173"
nas_type = "cisco"
virtual_server = "serveur_eap_ttls_pap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p173-002 {
ipv4addr = 10.100.0.50
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_said_edward_p173"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client test-network {
ipaddr = 10.112.0.136
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
with_alvarion_vsa_hack = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 16384
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference =
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
instantiate {
}
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "PROFILE=SYSTEM"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
url = http://127.0.0.1/ocsp/
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on proxy address * port 56698
Ready to process requests
(0) Received Accounting-Request Id 60 from 10.100.0.50:1646 to
10.101.0.20:1813 length 285
(0) Acct-Session-Id = "0000006A"
(0) Cisco-AVPair = "audit-session-id=0A6400320000003BB2AB2641"
(0) User-Name = "test"
(0) Acct-Authentic = RADIUS
(0) Acct-Terminate-Cause = Lost-Carrier
(0) Cisco-AVPair = "disc-cause-ext=No Reason"
(0) Cisco-AVPair = "connect-progress=Call Up"
(0) Acct-Session-Time = 93
(0) Acct-Input-Octets = 14097
(0) Acct-Output-Octets = 19204
(0) Acct-Input-Packets = 127
(0) Acct-Output-Packets = 74
(0) Acct-Status-Type = Stop
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50006
(0) NAS-Port-Id = "GigabitEthernet0/6"
(0) Called-Station-Id = "24-01-C7-8E-84-86"
(0) Calling-Station-Id = "74-78-27-1B-F2-78"
(0) Service-Type = Framed-User
(0) NAS-IP-Address = 10.100.0.50
(0) Acct-Delay-Time = 19
(0) # Executing section preacct from file /etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) update request {
(0) &Tmp-String-9 := "ai:"
(0) } # update request = noop
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(0) EXPAND %{hex:&Class}
(0) -->
(0) EXPAND ^%{hex:&Tmp-String-9}
(0) --> ^61693a
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(0) else {
(0) update request {
(0) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> 0391b84a0867b3fc2bafaf4741bd212a
(0) &Acct-Unique-Session-Id := 0391b84a0867b3fc2bafaf4741bd212a
(0) } # update request = noop
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(0) accounting {
(0) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(0) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail: EXPAND %t
(0) detail: --> Mon Jul 25 18:15:40 2022
(0) [detail] = ok
(0) [unix] = ok
(0) radutmp: EXPAND /var/log/radius/radutmp
(0) radutmp: --> /var/log/radius/radutmp
(0) radutmp: EXPAND %{User-Name}
(0) radutmp: --> test
(0) [radutmp] = ok
(0) sradutmp: EXPAND /var/log/radius/sradutmp
(0) sradutmp: --> /var/log/radius/sradutmp
(0) sradutmp: EXPAND %{User-Name}
(0) sradutmp: --> test
(0) [sradutmp] = ok
(0) [exec] = noop
(0) attr_filter.accounting_response: EXPAND %{User-Name}
(0) attr_filter.accounting_response: --> test
(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(0) [attr_filter.accounting_response] = updated
(0) } # accounting = updated
(0) Sent Accounting-Response Id 60 from 10.101.0.20:1813 to 10.100.0.50:1646
length 0
(0) Finished request
(0) Cleaning up request packet ID 60 with timestamp +3
Ready to process requests
(1) Received Access-Request Id 0 from 127.0.0.1:48058 to 127.0.0.1:1812
length 142
(1) User-Name = "anonymous_test"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x02a1001301616e6f6e796d6f75735f74657374
(1) Message-Authenticator = 0x63e0215c3759e15af3f8b2b777ce8370
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 161 length 19
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Auth-Type eap {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 162 length 6
(1) eap: EAP session adding &reply:State = 0x594837c159ea227a
(1) [eap] = handled
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) attr_filter.access_challenge: EXPAND %{User-Name}
(1) attr_filter.access_challenge: --> anonymous_test
(1) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(1) [attr_filter.access_challenge.post-auth] = updated
(1) [handled] = handled
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(1) } # Auth-Type eap = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(1) EAP-Message = 0x01a200061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x594837c159ea227a35f4296c6c550caa
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 1 from 127.0.0.1:48058 to 127.0.0.1:1812
length 343
(2) User-Name = "anonymous_test"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message =
0x02a200ca150016030100bf010000bb03037526679cd3ccd5346e9ffc32b3a61bc85036d03f
f978485f54af4c4c4713eef2000048c02cc030cca9cca8c0adc02bc02fc0acc023c027c00ac0
14c009c013009dc09d009cc09c003d003c0035002f009fccaac09f009ec09e006b0067003900
33c008c012000a001600ff0100004a000b000403000102000a000c000a001d0017001e001900
180016000000170000000d002600240403050306030807080808090804080a0805080b080604
01050106010303030102030201
(2) State = 0x594837c159ea227a35f4296c6c550caa
(2) Message-Authenticator = 0xa2ab78a30c2fd4c0b1e73fbaaa7c1007
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 162 length 202
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Auth-Type eap {
(2) eap: Expiring EAP session with state 0x594837c159ea227a
(2) eap: Finished EAP session with state 0x594837c159ea227a
(2) eap: Previous EAP request found for state 0x594837c159ea227a, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Got final TLS record fragment (196 bytes)
(2) eap_ttls: WARNING: Total received TLS record fragments (196 bytes), does
not equal indicated TLS record length (0 bytes)
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv TLS 1.3 [length 00bf]
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2 [length 003d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2 [length 08e9]
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2 [length 014d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(2) eap_ttls: >>> send TLS 1.2 [length 0004]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 2699 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 163 length 1014
(2) eap: EAP session adding &reply:State = 0x594837c158eb227a
(2) [eap] = handled
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) EXPAND Response-Packet-Type
(2) --> Access-Challenge
(2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) attr_filter.access_challenge: EXPAND %{User-Name}
(2) attr_filter.access_challenge: --> anonymous_test
(2) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(2) [attr_filter.access_challenge.post-auth] = updated
(2) [handled] = handled
(2) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(2) } # Auth-Type eap = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(2) EAP-Message =
0x01a303f615c000000a8b160303003d020000390303ce7f5bed68f2bdab8d4c8b7ee830f975
965fb3242093f407d9b7f3798ed45b2000c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x594837c158eb227a35f4296c6c550caa
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 2 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(3) User-Name = "anonymous_test"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x02a300061500
(3) State = 0x594837c158eb227a35f4296c6c550caa
(3) Message-Authenticator = 0x0281d393c2571ae6091802af7143b0ed
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 163 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Auth-Type eap {
(3) eap: Expiring EAP session with state 0x594837c158eb227a
(3) eap: Finished EAP session with state 0x594837c158eb227a
(3) eap: Previous EAP request found for state 0x594837c158eb227a, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 164 length 1014
(3) eap: EAP session adding &reply:State = 0x594837c15bec227a
(3) [eap] = handled
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) EXPAND Response-Packet-Type
(3) --> Access-Challenge
(3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) attr_filter.access_challenge: EXPAND %{User-Name}
(3) attr_filter.access_challenge: --> anonymous_test
(3) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(3) [attr_filter.access_challenge.post-auth] = updated
(3) [handled] = handled
(3) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(3) } # Auth-Type eap = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(3) EAP-Message =
0x01a403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91
d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8
62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b
83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06
035504080c065261646975733112301006035504070c09536f6d657768657265311530130603
55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69
6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966
696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038
30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x594837c15bec227a35f4296c6c550caa
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 3 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(4) User-Name = "anonymous_test"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x02a400061500
(4) State = 0x594837c15bec227a35f4296c6c550caa
(4) Message-Authenticator = 0x12aad93ece4c588ec719216bbaecd7fb
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 164 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Auth-Type eap {
(4) eap: Expiring EAP session with state 0x594837c15bec227a
(4) eap: Finished EAP session with state 0x594837c15bec227a
(4) eap: Previous EAP request found for state 0x594837c15bec227a, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 165 length 701
(4) eap: EAP session adding &reply:State = 0x594837c15aed227a
(4) [eap] = handled
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) EXPAND Response-Packet-Type
(4) --> Access-Challenge
(4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) attr_filter.access_challenge: EXPAND %{User-Name}
(4) attr_filter.access_challenge: --> anonymous_test
(4) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(4) [attr_filter.access_challenge.post-auth] = updated
(4) [handled] = handled
(4) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(4) } # Auth-Type eap = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(4) EAP-Message =
0x01a502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029
a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e
63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14
2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac
df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4
5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5
7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973
4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb
c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759
b33199019e7d482f8786044516160303014d0c000149030017410489b770c1cc2ded
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x594837c15aed227a35f4296c6c550caa
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 4 from 127.0.0.1:48058 to 127.0.0.1:1812
length 273
(5) User-Name = "anonymous_test"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x02a500841500160303004610000042410490f5fd271b8155492b8cd225df9a917c58da15b7
53f67fd3321719ee5bc61ec5d7dcc4344910224de589c074295c7725827083aa2533f613f392
603ac84822891403030001011603030028297482347c2337f8e1cd6ab9e31cc6bcb3d37932cb
7cf4dbf7e728729f98c928414c9b895270d9c5
(5) State = 0x594837c15aed227a35f4296c6c550caa
(5) Message-Authenticator = 0xdbe58d4e8258b430621002f6a1cde860
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 165 length 132
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Auth-Type eap {
(5) eap: Expiring EAP session with state 0x594837c15aed227a
(5) eap: Finished EAP session with state 0x594837c15aed227a
(5) eap: Previous EAP request found for state 0x594837c15aed227a, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2 [length 0046]
(5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_ttls: <<< recv TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: >>> send TLS 1.2 [length 0001]
(5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_ttls: >>> send TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS write finished
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: TLS - Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap_ttls: TLS - got 51 bytes of data
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 166 length 61
(5) eap: EAP session adding &reply:State = 0x594837c15dee227a
(5) [eap] = handled
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) EXPAND Response-Packet-Type
(5) --> Access-Challenge
(5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) attr_filter.access_challenge: EXPAND %{User-Name}
(5) attr_filter.access_challenge: --> anonymous_test
(5) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(5) [attr_filter.access_challenge.post-auth] = updated
(5) [handled] = handled
(5) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(5) } # Auth-Type eap = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(5) EAP-Message =
0x01a6003d158000000033140303000101160303002868a7ea5e693524f968d02ec14fd7cb5a
629fbd3ff3d28e4a1fee62533733003052e86c7f2303bc2c
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x594837c15dee227a35f4296c6c550caa
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 5 from 127.0.0.1:48058 to 127.0.0.1:1812
length 212
(6) User-Name = "anonymous_test"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message =
0x02a600471500170303003c297482347c2337f99ae8244b354c6918951f0f3bde4cd3a1631f
568103bb1527d53de82d2d036cc96b994d91266bfc523eab035954577cc893219d7c
(6) State = 0x594837c15dee227a35f4296c6c550caa
(6) Message-Authenticator = 0x6aa1c90905881534f18620852003faf3
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 166 length 71
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Auth-Type eap {
(6) eap: Expiring EAP session with state 0x594837c15dee227a
(6) eap: Finished EAP session with state 0x594837c15dee227a
(6) eap: Previous EAP request found for state 0x594837c15dee227a, released
from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "test"
(6) eap_ttls: User-Password = "testing"
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "test"
(6) User-Password = "testing"
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Event-Timestamp = "Jul 25 2022 18:15:48 CEST"
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) files: users: Matched entry test at line 1
(6) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(6) files: --> tu as reussi avec et en etant test
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(6) post-auth {
(6) if (0) {
(6) if (0) -> FALSE
(6) } # post-auth = noop
(6) Login OK: [test] (from client localhost port 0 cli 02-00-00-00-00-01
via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) Reply-Message = "tu as reussi avec et en etant test"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 166 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(6) } # Auth-Type eap = ok
(6) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(6) post-auth {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(6) update {
(6) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(6) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # post-auth = noop
(6) Login OK: [anonymous_test] (from client localhost port 0 cli
02-00-00-00-00-01)
(6) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0
(6) MS-MPPE-Recv-Key =
0xe14135f14a872f650673a7f048b96e42d97e94269c4c9c764cc8957057a9f70a
(6) MS-MPPE-Send-Key =
0x196c96bc3d4308ae0bd2fe7ba2292a4008232c68960bbc67658a13bb966e74fd
(6) EAP-Message = 0x03a60004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) User-Name = "anonymous_test"
(6) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 0 with timestamp +11
(2) Cleaning up request packet ID 1 with timestamp +11
(3) Cleaning up request packet ID 2 with timestamp +11
(4) Cleaning up request packet ID 3 with timestamp +11
(5) Cleaning up request packet ID 4 with timestamp +11
(6) Cleaning up request packet ID 5 with timestamp +11
Ready to process requests
(7) Received Access-Request Id 181 from 10.100.0.50:1645 to 10.101.0.20:1812
length 204
(7) User-Name = "anonymous"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1500
(7) Called-Station-Id = "24-01-C7-8E-84-86"
(7) Calling-Station-Id = "74-78-27-1B-F2-78"
(7) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(7) Message-Authenticator = 0x55c09e83405ccf67b9c08d1e70ac4b1d
(7) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(7) NAS-Port-Type = Ethernet
(7) NAS-Port = 50006
(7) NAS-Port-Id = "GigabitEthernet0/6"
(7) NAS-IP-Address = 10.100.0.50
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 14
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Auth-Type eap {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Initiating new TLS session
(7) eap_ttls: [eaptls start] = request
(7) eap: Sending EAP Request (code 1) ID 2 length 6
(7) eap: EAP session adding &reply:State = 0x1aff00fb1afd150b
(7) [eap] = handled
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) EXPAND Response-Packet-Type
(7) --> Access-Challenge
(7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) attr_filter.access_challenge: EXPAND %{User-Name}
(7) attr_filter.access_challenge: --> anonymous
(7) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(7) [attr_filter.access_challenge.post-auth] = updated
(7) [handled] = handled
(7) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(7) } # Auth-Type eap = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 181 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(7) EAP-Message = 0x010200061520
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 182 from 10.100.0.50:1645 to 10.101.0.20:1812
length 380
(8) User-Name = "anonymous"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1500
(8) Called-Station-Id = "24-01-C7-8E-84-86"
(8) Calling-Station-Id = "74-78-27-1B-F2-78"
(8) EAP-Message =
0x020200ac1580000000a2160303009d01000099030362dec1cb4de29748aa3f666036d19548
5065509be2151045e5ff5ad25a8dc96f00002ac02cc02bc030c02f009f009ec024c023c028c0
27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a
00080006001d00170018000b00020100000d001a001808040805080604010501020104030503
02030202060106030023000000170000ff01000100
(8) Message-Authenticator = 0xf4be43381cba5bcb881815edb82aaedc
(8) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50006
(8) NAS-Port-Id = "GigabitEthernet0/6"
(8) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(8) NAS-IP-Address = 10.100.0.50
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 2 length 172
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Auth-Type eap {
(8) eap: Expiring EAP session with state 0x1aff00fb1afd150b
(8) eap: Finished EAP session with state 0x1aff00fb1afd150b
(8) eap: Previous EAP request found for state 0x1aff00fb1afd150b, released
from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: Continuing EAP-TLS
(8) eap_ttls: Peer indicated complete TLS record size will be 162 bytes
(8) eap_ttls: Got complete TLS record (162 bytes)
(8) eap_ttls: [eaptls verify] = length included
(8) eap_ttls: (other): before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: <<< recv TLS 1.3 [length 009d]
(8) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(8) eap_ttls: >>> send TLS 1.2 [length 003d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(8) eap_ttls: >>> send TLS 1.2 [length 08e9]
(8) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(8) eap_ttls: >>> send TLS 1.2 [length 014d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(8) eap_ttls: >>> send TLS 1.2 [length 0004]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server done
(8) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(8) eap_ttls: TLS - In Handshake Phase
(8) eap_ttls: TLS - got 2699 bytes of data
(8) eap_ttls: [eaptls process] = handled
(8) eap: Sending EAP Request (code 1) ID 3 length 1014
(8) eap: EAP session adding &reply:State = 0x1aff00fb1bfc150b
(8) [eap] = handled
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) EXPAND Response-Packet-Type
(8) --> Access-Challenge
(8) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) attr_filter.access_challenge: EXPAND %{User-Name}
(8) attr_filter.access_challenge: --> anonymous
(8) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(8) [attr_filter.access_challenge.post-auth] = updated
(8) [handled] = handled
(8) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(8) } # Auth-Type eap = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 182 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(8) EAP-Message =
0x010303f615c000000a8b160303003d020000390303dc012d9023dc1e70f151f05ebf2e358c
66de5ac2dc909c71b3ff934c6deeb0bb00c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 183 from 10.100.0.50:1645 to 10.101.0.20:1812
length 214
(9) User-Name = "anonymous"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1500
(9) Called-Station-Id = "24-01-C7-8E-84-86"
(9) Calling-Station-Id = "74-78-27-1B-F2-78"
(9) EAP-Message = 0x020300061500
(9) Message-Authenticator = 0x27fa8829f5e4cbd6c0703ff10396bd50
(9) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50006
(9) NAS-Port-Id = "GigabitEthernet0/6"
(9) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(9) NAS-IP-Address = 10.100.0.50
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 3 length 6
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Auth-Type eap {
(9) eap: Expiring EAP session with state 0x1aff00fb1bfc150b
(9) eap: Finished EAP session with state 0x1aff00fb1bfc150b
(9) eap: Previous EAP request found for state 0x1aff00fb1bfc150b, released
from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: Continuing EAP-TLS
(9) eap_ttls: Peer ACKed our handshake fragment
(9) eap_ttls: [eaptls verify] = request
(9) eap_ttls: [eaptls process] = handled
(9) eap: Sending EAP Request (code 1) ID 4 length 1014
(9) eap: EAP session adding &reply:State = 0x1aff00fb18fb150b
(9) [eap] = handled
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) EXPAND Response-Packet-Type
(9) --> Access-Challenge
(9) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) attr_filter.access_challenge: EXPAND %{User-Name}
(9) attr_filter.access_challenge: --> anonymous
(9) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(9) [attr_filter.access_challenge.post-auth] = updated
(9) [handled] = handled
(9) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(9) } # Auth-Type eap = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 183 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(9) EAP-Message =
0x010403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91
d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8
62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b
83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06
035504080c065261646975733112301006035504070c09536f6d657768657265311530130603
55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69
6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966
696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038
30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 184 from 10.100.0.50:1645 to
10.101.0.20:1812 length 214
(10) User-Name = "anonymous"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1500
(10) Called-Station-Id = "24-01-C7-8E-84-86"
(10) Calling-Station-Id = "74-78-27-1B-F2-78"
(10) EAP-Message = 0x020400061500
(10) Message-Authenticator = 0xc343c114dc97c30f335f153612ee98ba
(10) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(10) NAS-Port-Type = Ethernet
(10) NAS-Port = 50006
(10) NAS-Port-Id = "GigabitEthernet0/6"
(10) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(10) NAS-IP-Address = 10.100.0.50
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 4 length 6
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Auth-Type eap {
(10) eap: Expiring EAP session with state 0x1aff00fb18fb150b
(10) eap: Finished EAP session with state 0x1aff00fb18fb150b
(10) eap: Previous EAP request found for state 0x1aff00fb18fb150b, released
from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: Continuing EAP-TLS
(10) eap_ttls: Peer ACKed our handshake fragment
(10) eap_ttls: [eaptls verify] = request
(10) eap_ttls: [eaptls process] = handled
(10) eap: Sending EAP Request (code 1) ID 5 length 701
(10) eap: EAP session adding &reply:State = 0x1aff00fb19fa150b
(10) [eap] = handled
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) EXPAND Response-Packet-Type
(10) --> Access-Challenge
(10) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) attr_filter.access_challenge: EXPAND %{User-Name}
(10) attr_filter.access_challenge: --> anonymous
(10) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(10) [attr_filter.access_challenge.post-auth] = updated
(10) [handled] = handled
(10) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(10) } # Auth-Type eap = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 184 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(10) EAP-Message =
0x010502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029
a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e
63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14
2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac
df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4
5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5
7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973
4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb
c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759
b33199019e7d482f8786044516160303014d0c0001490300174104ea71ea5eb3ce16
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(10) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 185 from 10.100.0.50:1645 to
10.101.0.20:1812 length 344
(11) User-Name = "anonymous"
(11) Service-Type = Framed-User
(11) Framed-MTU = 1500
(11) Called-Station-Id = "24-01-C7-8E-84-86"
(11) Calling-Station-Id = "74-78-27-1B-F2-78"
(11) EAP-Message =
0x0205008815800000007e16030300461000004241041bafe37c8a64c35895a588b20bcfdef3
d2b1464ce4d5ae1c8e8e920de9406dc98f4a94b63bcd85a4cbbe35b06823f7cb4f7f6b7cb9ba
6c3f93273bbad00a32a214030300010116030300280000000000000000b2756332a6d5dece72
43e156997beb79b6e0890ac8bdf90da6ada1e3a02371ce
(11) Message-Authenticator = 0x12631f913feb4471ab0fca288c0638f1
(11) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50006
(11) NAS-Port-Id = "GigabitEthernet0/6"
(11) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(11) NAS-IP-Address = 10.100.0.50
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 5 length 136
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Auth-Type eap {
(11) eap: Expiring EAP session with state 0x1aff00fb19fa150b
(11) eap: Finished EAP session with state 0x1aff00fb19fa150b
(11) eap: Previous EAP request found for state 0x1aff00fb19fa150b, released
from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: Continuing EAP-TLS
(11) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(11) eap_ttls: Got complete TLS record (126 bytes)
(11) eap_ttls: [eaptls verify] = length included
(11) eap_ttls: TLS_accept: SSLv3/TLS write server done
(11) eap_ttls: <<< recv TLS 1.2 [length 0046]
(11) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(11) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(11) eap_ttls: <<< recv TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS read finished
(11) eap_ttls: >>> send TLS 1.2 [length 0001]
(11) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(11) eap_ttls: >>> send TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS write finished
(11) eap_ttls: (other): SSL negotiation finished successfully
(11) eap_ttls: TLS - Connection Established
(11) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) eap_ttls: TLS-Session-Version = "TLS 1.2"
(11) eap_ttls: TLS - got 51 bytes of data
(11) eap_ttls: [eaptls process] = handled
(11) eap: Sending EAP Request (code 1) ID 6 length 61
(11) eap: EAP session adding &reply:State = 0x1aff00fb1ef9150b
(11) [eap] = handled
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) EXPAND Response-Packet-Type
(11) --> Access-Challenge
(11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) attr_filter.access_challenge: EXPAND %{User-Name}
(11) attr_filter.access_challenge: --> anonymous
(11) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(11) [attr_filter.access_challenge.post-auth] = updated
(11) [handled] = handled
(11) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(11) } # Auth-Type eap = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) session-state: Saving cached attributes
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) Sent Access-Challenge Id 185 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(11) EAP-Message =
0x0106003d158000000033140303000101160303002890e19eed4974783059ef0d676e70aab3
470cc68cadd1254943ddd9bbe1307ceed06dc7a28a15b4b1
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x1aff00fb1ef9150bdec157b3b6aa7742
(11) Finished request
Waking up in 4.8 seconds.
(7) Cleaning up request packet ID 181 with timestamp +35
(8) Cleaning up request packet ID 182 with timestamp +35
(9) Cleaning up request packet ID 183 with timestamp +35
(10) Cleaning up request packet ID 184 with timestamp +35
(11) Cleaning up request packet ID 185 with timestamp +35
Ready to process requests
(12) Received Access-Request Id 186 from 10.100.0.50:1645 to
10.101.0.20:1812 length 194
(12) User-Name = "test"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1500
(12) Called-Station-Id = "24-01-C7-8E-84-86"
(12) Calling-Station-Id = "74-78-27-1B-F2-78"
(12) EAP-Message = 0x020100090174657374
(12) Message-Authenticator = 0x5064878bed8665909256b735e175b2d4
(12) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(12) NAS-Port-Type = Ethernet
(12) NAS-Port = 50006
(12) NAS-Port-Id = "GigabitEthernet0/6"
(12) NAS-IP-Address = 10.100.0.50
(12) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /(a)\./) {
(12) if (&User-Name =~ /(a)\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "test", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 1 length 9
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Auth-Type eap {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_ttls to process data
(12) eap_ttls: Initiating new TLS session
(12) eap_ttls: [eaptls start] = request
(12) eap: Sending EAP Request (code 1) ID 2 length 6
(12) eap: EAP session adding &reply:State = 0x5709dc2c570bc95d
(12) [eap] = handled
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) EXPAND Response-Packet-Type
(12) --> Access-Challenge
(12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) attr_filter.access_challenge: EXPAND %{User-Name}
(12) attr_filter.access_challenge: --> test
(12) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(12) [attr_filter.access_challenge.post-auth] = updated
(12) [handled] = handled
(12) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(12) } # Auth-Type eap = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Challenge { ... } # empty sub-section is ignored
(12) Sent Access-Challenge Id 186 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(12) EAP-Message = 0x010200061520
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0x5709dc2c570bc95d080b76220813d0d4
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 187 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(13) User-Name = "test"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1500
(13) Called-Station-Id = "24-01-C7-8E-84-86"
(13) Calling-Station-Id = "74-78-27-1B-F2-78"
(13) EAP-Message = 0x020200060319
(13) Message-Authenticator = 0xde3e82b04cacf9575f36bb5d7da5a570
(13) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(13) NAS-Port-Type = Ethernet
(13) NAS-Port = 50006
(13) NAS-Port-Id = "GigabitEthernet0/6"
(13) State = 0x5709dc2c570bc95d080b76220813d0d4
(13) NAS-IP-Address = 10.100.0.50
(13) session-state: No cached attributes
(13) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /(a)\./) {
(13) if (&User-Name =~ /(a)\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "test", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 2 length 6
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) } # authorize = updated
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Auth-Type eap {
(13) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(13) eap: Finished EAP session with state 0x5709dc2c570bc95d
(13) eap: Previous EAP request found for state 0x5709dc2c570bc95d, released
from the list
(13) eap: Peer sent packet with method EAP NAK (3)
(13) eap: Found mutually acceptable type PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Initiating new TLS session
(13) eap_peap: [eaptls start] = request
(13) eap: Sending EAP Request (code 1) ID 3 length 6
(13) eap: EAP session adding &reply:State = 0x5709dc2c560ac55d
(13) [eap] = handled
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) EXPAND Response-Packet-Type
(13) --> Access-Challenge
(13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) attr_filter.access_challenge: EXPAND %{User-Name}
(13) attr_filter.access_challenge: --> test
(13) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(13) [attr_filter.access_challenge.post-auth] = updated
(13) [handled] = handled
(13) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(13) } # Auth-Type eap = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Challenge { ... } # empty sub-section is ignored
(13) Sent Access-Challenge Id 187 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(13) EAP-Message = 0x010300061920
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0x5709dc2c560ac55d080b76220813d0d4
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 188 from 10.100.0.50:1645 to
10.101.0.20:1812 length 375
(14) User-Name = "test"
(14) Service-Type = Framed-User
(14) Framed-MTU = 1500
(14) Called-Station-Id = "24-01-C7-8E-84-86"
(14) Calling-Station-Id = "74-78-27-1B-F2-78"
(14) EAP-Message =
0x020300ac1980000000a2160303009d01000099030362dec1e8bb336220b36115a2f152d4ff
bda23da4d62a4b3a3dd2d90243cfb65500002ac02cc02bc030c02f009f009ec024c023c028c0
27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a
00080006001d00170018000b00020100000d001a001808040805080604010501020104030503
02030202060106030023000000170000ff01000100
(14) Message-Authenticator = 0x723199c45f61b638f39acfd1af4ef706
(14) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(14) NAS-Port-Type = Ethernet
(14) NAS-Port = 50006
(14) NAS-Port-Id = "GigabitEthernet0/6"
(14) State = 0x5709dc2c560ac55d080b76220813d0d4
(14) NAS-IP-Address = 10.100.0.50
(14) session-state: No cached attributes
(14) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /(a)\./) {
(14) if (&User-Name =~ /(a)\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "test", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 3 length 172
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Auth-Type eap {
(14) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(14) eap: Finished EAP session with state 0x5709dc2c560ac55d
(14) eap: Previous EAP request found for state 0x5709dc2c560ac55d, released
from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(14) eap_peap: Got complete TLS record (162 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: (other): before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: <<< recv TLS 1.3 [length 009d]
(14) eap_peap: TLS_accept: SSLv3/TLS read client hello
(14) eap_peap: >>> send TLS 1.2 [length 003d]
(14) eap_peap: TLS_accept: SSLv3/TLS write server hello
(14) eap_peap: >>> send TLS 1.2 [length 08e9]
(14) eap_peap: TLS_accept: SSLv3/TLS write certificate
(14) eap_peap: >>> send TLS 1.2 [length 014d]
(14) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(14) eap_peap: >>> send TLS 1.2 [length 0004]
(14) eap_peap: TLS_accept: SSLv3/TLS write server done
(14) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(14) eap_peap: TLS - In Handshake Phase
(14) eap_peap: TLS - got 2699 bytes of data
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 4 length 1014
(14) eap: EAP session adding &reply:State = 0x5709dc2c550dc55d
(14) [eap] = handled
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) EXPAND Response-Packet-Type
(14) --> Access-Challenge
(14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge: --> test
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14) [attr_filter.access_challenge.post-auth] = updated
(14) [handled] = handled
(14) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(14) } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Challenge { ... } # empty sub-section is ignored
(14) Sent Access-Challenge Id 188 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(14) EAP-Message =
0x010403f619c000000a8b160303003d020000390303e63773a6f4e7998fe2174245b1361d9d
6235d691817e1c0537491a129c815c5e00c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x5709dc2c550dc55d080b76220813d0d4
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 189 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(15) User-Name = "test"
(15) Service-Type = Framed-User
(15) Framed-MTU = 1500
(15) Called-Station-Id = "24-01-C7-8E-84-86"
(15) Calling-Station-Id = "74-78-27-1B-F2-78"
(15) EAP-Message = 0x020400061900
(15) Message-Authenticator = 0x5c6dceb7d89b74812695116e8c825b77
(15) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(15) NAS-Port-Type = Ethernet
(15) NAS-Port = 50006
(15) NAS-Port-Id = "GigabitEthernet0/6"
(15) State = 0x5709dc2c550dc55d080b76220813d0d4
(15) NAS-IP-Address = 10.100.0.50
(15) session-state: No cached attributes
(15) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /(a)\./) {
(15) if (&User-Name =~ /(a)\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) [mschap] = noop
(15) [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "test", looking up realm NULL
(15) suffix: No such realm "NULL"
(15) [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 4 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Auth-Type eap {
(15) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(15) eap: Finished EAP session with state 0x5709dc2c550dc55d
(15) eap: Previous EAP request found for state 0x5709dc2c550dc55d, released
from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment
(15) eap_peap: [eaptls verify] = request
(15) eap_peap: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 5 length 1010
(15) eap: EAP session adding &reply:State = 0x5709dc2c540cc55d
(15) [eap] = handled
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) EXPAND Response-Packet-Type
(15) --> Access-Challenge
(15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge: --> test
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15) [attr_filter.access_challenge.post-auth] = updated
(15) [handled] = handled
(15) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(15) } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Challenge { ... } # empty sub-section is ignored
(15) Sent Access-Challenge Id 189 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(15) EAP-Message =
0x010503f219402191b630136f9c3efec0d255f3b83b044d67821de971742e781d91d550b267
675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd862dd0004
fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b83f0300d
06092a864886f70d01010b0500308193310b3009060355040613024652310f300d0603550408
0c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c
0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578
616d706c652e6f72673126302406035504030c1d4578616d706c652043657274696669636174
6520417574686f72697479301e170d3232303630373133353631355a170d3232303830363133
353631355a308193310b3009060355040613024652310f300d06035504080c06526164697573
3112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x5709dc2c540cc55d080b76220813d0d4
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 190 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(16) User-Name = "test"
(16) Service-Type = Framed-User
(16) Framed-MTU = 1500
(16) Called-Station-Id = "24-01-C7-8E-84-86"
(16) Calling-Station-Id = "74-78-27-1B-F2-78"
(16) EAP-Message = 0x020500061900
(16) Message-Authenticator = 0x338407f535f332f0091f8b6a8546c39a
(16) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(16) NAS-Port-Type = Ethernet
(16) NAS-Port = 50006
(16) NAS-Port-Id = "GigabitEthernet0/6"
(16) State = 0x5709dc2c540cc55d080b76220813d0d4
(16) NAS-IP-Address = 10.100.0.50
(16) session-state: No cached attributes
(16) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /(a)\./) {
(16) if (&User-Name =~ /(a)\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "test", looking up realm NULL
(16) suffix: No such realm "NULL"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 5 length 6
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Auth-Type eap {
(16) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(16) eap: Finished EAP session with state 0x5709dc2c540cc55d
(16) eap: Previous EAP request found for state 0x5709dc2c540cc55d, released
from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: Peer ACKed our handshake fragment
(16) eap_peap: [eaptls verify] = request
(16) eap_peap: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 6 length 697
(16) eap: EAP session adding &reply:State = 0x5709dc2c530fc55d
(16) [eap] = handled
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) EXPAND Response-Packet-Type
(16) --> Access-Challenge
(16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge: --> test
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16) [attr_filter.access_challenge.post-auth] = updated
(16) [handled] = handled
(16) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(16) } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Challenge { ... } # empty sub-section is ignored
(16) Sent Access-Challenge Id 190 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(16) EAP-Message =
0x010602b919001d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625
687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c30
0d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d142dea0f64
ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabacdf1f473b
35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee45ad98a87
9609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f57a3c4654
49fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb9734ad96157
81be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdbc7942c0d
7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759b3319901
9e7d482f8786044516160303014d0c00014903001741045122cc6a47b169b7a16ff1
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x5709dc2c530fc55d080b76220813d0d4
(16) Finished request
Waking up in 4.8 seconds.
(17) Received Access-Request Id 191 from 10.100.0.50:1645 to
10.101.0.20:1812 length 339
(17) User-Name = "test"
(17) Service-Type = Framed-User
(17) Framed-MTU = 1500
(17) Called-Station-Id = "24-01-C7-8E-84-86"
(17) Calling-Station-Id = "74-78-27-1B-F2-78"
(17) EAP-Message =
0x0206008819800000007e160303004610000042410446771ce3728af651ce38b33f2dbad2de
2ec1398220b2deca4e147610a28845f811a15650a23e9c2d6cda8703a81d827e6d5c3335a7ad
ed1f9348bed6398856db140303000101160303002800000000000000006467b41f8f49082292
2783c45df9e0ab3f5f3ee2d6b27ac824a0291d83fc0cbb
(17) Message-Authenticator = 0x9881bcce42caeb449d1792b76c542650
(17) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(17) NAS-Port-Type = Ethernet
(17) NAS-Port = 50006
(17) NAS-Port-Id = "GigabitEthernet0/6"
(17) State = 0x5709dc2c530fc55d080b76220813d0d4
(17) NAS-IP-Address = 10.100.0.50
(17) session-state: No cached attributes
(17) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /(a)\./) {
(17) if (&User-Name =~ /(a)\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) [mschap] = noop
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "test", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 6 length 136
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Auth-Type eap {
(17) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(17) eap: Finished EAP session with state 0x5709dc2c530fc55d
(17) eap: Previous EAP request found for state 0x5709dc2c530fc55d, released
from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(17) eap_peap: Got complete TLS record (126 bytes)
(17) eap_peap: [eaptls verify] = length included
(17) eap_peap: TLS_accept: SSLv3/TLS write server done
(17) eap_peap: <<< recv TLS 1.2 [length 0046]
(17) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(17) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(17) eap_peap: <<< recv TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS read finished
(17) eap_peap: >>> send TLS 1.2 [length 0001]
(17) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(17) eap_peap: >>> send TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS write finished
(17) eap_peap: (other): SSL negotiation finished successfully
(17) eap_peap: TLS - Connection Established
(17) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) eap_peap: TLS-Session-Version = "TLS 1.2"
(17) eap_peap: TLS - got 51 bytes of data
(17) eap_peap: [eaptls process] = handled
(17) eap: Sending EAP Request (code 1) ID 7 length 57
(17) eap: EAP session adding &reply:State = 0x5709dc2c520ec55d
(17) [eap] = handled
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) EXPAND Response-Packet-Type
(17) --> Access-Challenge
(17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge: --> test
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17) [attr_filter.access_challenge.post-auth] = updated
(17) [handled] = handled
(17) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(17) } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) TLS-Session-Version = "TLS 1.2"
(17) Sent Access-Challenge Id 191 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(17) EAP-Message =
0x01070039190014030300010116030300285bc3632e6b443560a1c7f7fcfd4d4dce83eb70b6
a001d27389578382a78d0283e43c7e8969d6f3ba
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x5709dc2c520ec55d080b76220813d0d4
(17) Finished request
Waking up in 4.8 seconds.
(18) Received Access-Request Id 192 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(18) User-Name = "test"
(18) Service-Type = Framed-User
(18) Framed-MTU = 1500
(18) Called-Station-Id = "24-01-C7-8E-84-86"
(18) Calling-Station-Id = "74-78-27-1B-F2-78"
(18) EAP-Message = 0x020700061900
(18) Message-Authenticator = 0x33689c92606612b6d8b208e12717fd08
(18) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(18) NAS-Port-Type = Ethernet
(18) NAS-Port = 50006
(18) NAS-Port-Id = "GigabitEthernet0/6"
(18) State = 0x5709dc2c520ec55d080b76220813d0d4
(18) NAS-IP-Address = 10.100.0.50
(18) Restoring &session-state
(18) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(18) &session-state:TLS-Session-Version = "TLS 1.2"
(18) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /(a)\./) {
(18) if (&User-Name =~ /(a)\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) [mschap] = noop
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "test", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 7 length 6
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Auth-Type eap {
(18) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(18) eap: Finished EAP session with state 0x5709dc2c520ec55d
(18) eap: Previous EAP request found for state 0x5709dc2c520ec55d, released
from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(18) eap_peap: [eaptls verify] = success
(18) eap_peap: [eaptls process] = success
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state TUNNEL ESTABLISHED
(18) eap: Sending EAP Request (code 1) ID 8 length 40
(18) eap: EAP session adding &reply:State = 0x5709dc2c5101c55d
(18) [eap] = handled
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) EXPAND Response-Packet-Type
(18) --> Access-Challenge
(18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) attr_filter.access_challenge: EXPAND %{User-Name}
(18) attr_filter.access_challenge: --> test
(18) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(18) [attr_filter.access_challenge.post-auth] = updated
(18) [handled] = handled
(18) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(18) } # Auth-Type eap = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) TLS-Session-Version = "TLS 1.2"
(18) Sent Access-Challenge Id 192 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(18) EAP-Message =
0x010800281900170303001d5bc3632e6b443561fcf82593fda17abbf449f59d02196666fae6
9cf929
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x5709dc2c5101c55d080b76220813d0d4
(18) Finished request
Waking up in 2.1 seconds.
(19) Received Access-Request Id 193 from 10.100.0.50:1645 to
10.101.0.20:1812 length 243
(19) User-Name = "test"
(19) Service-Type = Framed-User
(19) Framed-MTU = 1500
(19) Called-Station-Id = "24-01-C7-8E-84-86"
(19) Calling-Station-Id = "74-78-27-1B-F2-78"
(19) EAP-Message =
0x020800281900170303001d0000000000000001f4b75ef3c9c70e7de845b7ad53435ce649bc
e97bd6
(19) Message-Authenticator = 0xdd6a472f02ab76bc724223ac8592f303
(19) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(19) NAS-Port-Type = Ethernet
(19) NAS-Port = 50006
(19) NAS-Port-Id = "GigabitEthernet0/6"
(19) State = 0x5709dc2c5101c55d080b76220813d0d4
(19) NAS-IP-Address = 10.100.0.50
(19) Restoring &session-state
(19) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(19) &session-state:TLS-Session-Version = "TLS 1.2"
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 40
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Auth-Type eap {
(19) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(19) eap: Finished EAP session with state 0x5709dc2c5101c55d
(19) eap: Previous EAP request found for state 0x5709dc2c5101c55d, released
from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(19) eap_peap: Identity - test
(19) eap_peap: Got inner identity 'test'
(19) eap_peap: Setting default EAP type for tunneled EAP session
(19) eap_peap: Got tunneled request
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: Setting User-Name to test
(19) eap_peap: Sending tunneled request to inner-tunnel
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap: User-Name = "test"
(19) Virtual server inner-tunnel received request
(19) EAP-Message = 0x020800090174657374
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "test"
(19) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(19) server inner-tunnel {
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [chap] = noop
(19) [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) update control {
(19) &Proxy-To-Realm := LOCAL
(19) } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 9
(19) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(19) authenticate {
(19) eap: Peer sent packet with method EAP Identity (1)
(19) eap: Calling submodule eap_mschapv2 to process data
(19) eap_mschapv2: Issuing Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 43
(19) eap: EAP session adding &reply:State = 0xc8f1f8bdc8f8e24d
(19) [eap] = handled
(19) } # authenticate = handled
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19) EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply RADIUS code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled Access-Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 74
(19) eap: EAP session adding &reply:State = 0x5709dc2c5000c55d
(19) [eap] = handled
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) EXPAND Response-Packet-Type
(19) --> Access-Challenge
(19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) attr_filter.access_challenge: EXPAND %{User-Name}
(19) attr_filter.access_challenge: --> test
(19) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(19) [attr_filter.access_challenge.post-auth] = updated
(19) [handled] = handled
(19) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(19) } # Auth-Type eap = handled
(19) Using Post-Auth-Type Challenge
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Challenge { ... } # empty sub-section is ignored
(19) session-state: Saving cached attributes
(19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) TLS-Session-Version = "TLS 1.2"
(19) Sent Access-Challenge Id 193 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(19) EAP-Message =
0x0109004a1900170303003f5bc3632e6b4435625e5c5051af7c363be95d4ee4f3f3b7ac445d
1ecac6abc90cb5263d48732e332fae270276b7d924f672cc1b74d6916b68c2e03e7ebe1975
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x5709dc2c5000c55d080b76220813d0d4
(19) Finished request
Waking up in 2.0 seconds.
(20) Received Access-Request Id 194 from 10.100.0.50:1645 to
10.101.0.20:1812 length 297
(20) User-Name = "test"
(20) Service-Type = Framed-User
(20) Framed-MTU = 1500
(20) Called-Station-Id = "24-01-C7-8E-84-86"
(20) Calling-Station-Id = "74-78-27-1B-F2-78"
(20) EAP-Message =
0x0209005e19001703030053000000000000000267df274f7aba3c388821a73daf611375d9d7
2eef18a2029801924010afde0f8c56c84035beb392c5d720651c2253091340fa76a3f6a37152
3b42fb59bacd4ff5ff77aa734d8f4abc3bfe4c
(20) Message-Authenticator = 0xdd9df03d48297b3c9942e21f2b832e07
(20) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(20) NAS-Port-Type = Ethernet
(20) NAS-Port = 50006
(20) NAS-Port-Id = "GigabitEthernet0/6"
(20) State = 0x5709dc2c5000c55d080b76220813d0d4
(20) NAS-IP-Address = 10.100.0.50
(20) Restoring &session-state
(20) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(20) &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) [mschap] = noop
(20) [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 94
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Auth-Type eap {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0x5709dc2c5000c55d
(20) eap: Previous EAP request found for state 0x5709dc2c5000c55d, released
from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: [eaptls verify] = ok
(20) eap_peap: Done initial handshake
(20) eap_peap: [eaptls process] = ok
(20) eap_peap: Session established. Decoding tunneled attributes
(20) eap_peap: PEAP state phase2
(20) eap_peap: EAP method MSCHAPv2 (26)
(20) eap_peap: Got tunneled request
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: Setting User-Name to test
(20) eap_peap: Sending tunneled request to inner-tunnel
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_peap: User-Name = "test"
(20) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) Virtual server inner-tunnel received request
(20) EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) FreeRADIUS-Proxied-To = 127.0.0.1
(20) User-Name = "test"
(20) State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(20) server inner-tunnel {
(20) session-state: No cached attributes
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [chap] = noop
(20) [mschap] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) update control {
(20) &Proxy-To-Realm := LOCAL
(20) } # update control = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 63
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) files: users: Matched entry test at line 1
(20) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(20) files: --> tu as reussi avec et en etant test
(20) [files] = ok
(20) [expiration] = noop
(20) [logintime] = noop
(20) pap: WARNING: Auth-Type already set. Not setting to PAP
(20) [pap] = noop
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(20) authenticate {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0xc8f1f8bdc8f8e24d
(20) eap: Previous EAP request found for state 0xc8f1f8bdc8f8e24d, released
from the list
(20) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(20) eap: Calling submodule eap_mschapv2 to process data
(20) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(20) eap_mschapv2: authenticate {
(20) mschap: Found Cleartext-Password, hashing to create NT-Password
(20) mschap: Creating challenge hash with username: test
(20) mschap: Client is using MS-CHAPv2
(20) mschap: Adding MS-CHAPv2 MPPE keys
(20) eap_mschapv2: [mschap] = ok
(20) eap_mschapv2: } # authenticate = ok
(20) eap_mschapv2: MSCHAP Success
(20) eap: Sending EAP Request (code 1) ID 10 length 51
(20) eap: EAP session adding &reply:State = 0xc8f1f8bdc9fbe24d
(20) [eap] = handled
(20) } # authenticate = handled
(20) } # server inner-tunnel
(20) Virtual server sending reply
(20) Reply-Message = "tu as reussi avec et en etant test"
(20) EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply RADIUS code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled Access-Challenge
(20) eap: Sending EAP Request (code 1) ID 10 length 82
(20) eap: EAP session adding &reply:State = 0x5709dc2c5f03c55d
(20) [eap] = handled
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) EXPAND Response-Packet-Type
(20) --> Access-Challenge
(20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) attr_filter.access_challenge: EXPAND %{User-Name}
(20) attr_filter.access_challenge: --> test
(20) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(20) [attr_filter.access_challenge.post-auth] = updated
(20) [handled] = handled
(20) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(20) } # Auth-Type eap = handled
(20) Using Post-Auth-Type Challenge
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Challenge { ... } # empty sub-section is ignored
(20) session-state: Saving cached attributes
(20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) TLS-Session-Version = "TLS 1.2"
(20) Sent Access-Challenge Id 194 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(20) EAP-Message =
0x010a0052190017030300475bc3632e6b443563bfdb8a34b1d033e80abaed0886740e922409
cc823028e6c31f02665c568a46c5f021df9853700a6be0d1b2248b9520ffad2833cdfccb681b
bfefac58b6c6e8
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x5709dc2c5f03c55d080b76220813d0d4
(20) Finished request
Waking up in 2.0 seconds.
(21) Received Access-Request Id 195 from 10.100.0.50:1645 to
10.101.0.20:1812 length 240
(21) User-Name = "test"
(21) Service-Type = Framed-User
(21) Framed-MTU = 1500
(21) Called-Station-Id = "24-01-C7-8E-84-86"
(21) Calling-Station-Id = "74-78-27-1B-F2-78"
(21) EAP-Message =
0x020a00251900170303001a0000000000000003b7e4977bb2c798f1390f20f4c06d08798279
(21) Message-Authenticator = 0xc450ef4dd19f37f7ff7136f788d710b0
(21) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(21) NAS-Port-Type = Ethernet
(21) NAS-Port = 50006
(21) NAS-Port-Id = "GigabitEthernet0/6"
(21) State = 0x5709dc2c5f03c55d080b76220813d0d4
(21) NAS-IP-Address = 10.100.0.50
(21) Restoring &session-state
(21) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(21) &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) [mschap] = noop
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 37
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0x5709dc2c5f03c55d
(21) eap: Previous EAP request found for state 0x5709dc2c5f03c55d, released
from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: [eaptls verify] = ok
(21) eap_peap: Done initial handshake
(21) eap_peap: [eaptls process] = ok
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state phase2
(21) eap_peap: EAP method MSCHAPv2 (26)
(21) eap_peap: Got tunneled request
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: Setting User-Name to test
(21) eap_peap: Sending tunneled request to inner-tunnel
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(21) eap_peap: User-Name = "test"
(21) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) Virtual server inner-tunnel received request
(21) EAP-Message = 0x020a00061a03
(21) FreeRADIUS-Proxied-To = 127.0.0.1
(21) User-Name = "test"
(21) State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(21) server inner-tunnel {
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [chap] = noop
(21) [mschap] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) update control {
(21) &Proxy-To-Realm := LOCAL
(21) } # update control = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 6
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) files: users: Matched entry test at line 1
(21) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(21) files: --> tu as reussi avec et en etant test
(21) [files] = ok
(21) [expiration] = noop
(21) [logintime] = noop
(21) pap: WARNING: Auth-Type already set. Not setting to PAP
(21) [pap] = noop
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0xc8f1f8bdc9fbe24d
(21) eap: Previous EAP request found for state 0xc8f1f8bdc9fbe24d, released
from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap: Sending EAP Success (code 3) ID 10 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) } # authenticate = ok
(21) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(21) post-auth {
(21) if (0) {
(21) if (0) -> FALSE
(21) } # post-auth = noop
(21) Login OK: [test] (from client swi_said_edward_p173 port 0 via TLS
tunnel)
(21) } # server inner-tunnel
(21) Virtual server sending reply
(21) Reply-Message = "tu as reussi avec et en etant test"
(21) MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) EAP-Message = 0x030a0004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "test"
(21) eap_peap: Got tunneled reply code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Got tunneled reply RADIUS code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Tunneled authentication was successful
(21) eap_peap: SUCCESS
(21) eap: Sending EAP Request (code 1) ID 11 length 46
(21) eap: EAP session adding &reply:State = 0x5709dc2c5e02c55d
(21) [eap] = handled
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) EXPAND Response-Packet-Type
(21) --> Access-Challenge
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> test
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) [handled] = handled
(21) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(21) } # Auth-Type eap = handled
(21) Using Post-Auth-Type Challenge
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Challenge { ... } # empty sub-section is ignored
(21) session-state: Saving cached attributes
(21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) TLS-Session-Version = "TLS 1.2"
(21) Sent Access-Challenge Id 195 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(21) EAP-Message =
0x010b002e190017030300235bc3632e6b443564d2723008ae0ef670403b61176bfb8668e1ff
44cb3c02f7217871f0
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x5709dc2c5e02c55d080b76220813d0d4
(21) Finished request
Waking up in 2.0 seconds.
(22) Received Access-Request Id 196 from 10.100.0.50:1645 to
10.101.0.20:1812 length 249
(22) User-Name = "test"
(22) Service-Type = Framed-User
(22) Framed-MTU = 1500
(22) Called-Station-Id = "24-01-C7-8E-84-86"
(22) Calling-Station-Id = "74-78-27-1B-F2-78"
(22) EAP-Message =
0x020b002e19001703030023000000000000000445fbfc432839d0f47cc453ff5500e022d602
41ef8e33106eda0936
(22) Message-Authenticator = 0x7ca959931442315cd10d49eb490df5db
(22) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(22) NAS-Port-Type = Ethernet
(22) NAS-Port = 50006
(22) NAS-Port-Id = "GigabitEthernet0/6"
(22) State = 0x5709dc2c5e02c55d080b76220813d0d4
(22) NAS-IP-Address = 10.100.0.50
(22) Restoring &session-state
(22) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(22) &session-state:TLS-Session-Version = "TLS 1.2"
(22) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /(a)\./) {
(22) if (&User-Name =~ /(a)\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "test", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 11 length 46
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Auth-Type eap {
(22) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(22) eap: Finished EAP session with state 0x5709dc2c5e02c55d
(22) eap: Previous EAP request found for state 0x5709dc2c5e02c55d, released
from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: [eaptls verify] = ok
(22) eap_peap: Done initial handshake
(22) eap_peap: [eaptls process] = ok
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state send tlv success
(22) eap_peap: Received EAP-TLV response
(22) eap_peap: Success
(22) eap: Sending EAP Success (code 3) ID 11 length 4
(22) eap: Freeing handler
(22) [eap] = ok
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) if (handled && (Response-Packet-Type == Access-Challenge)) ->
FALSE
(22) } # Auth-Type eap = ok
(22) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(22) post-auth {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(22) update {
(22) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(22) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(22) } # update = noop
(22) [exec] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) } # post-auth = noop
(22) Login OK: [test] (from client swi_said_edward_p173 port 50006 cli
74-78-27-1B-F2-78)
(22) Sent Access-Accept Id 196 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(22) MS-MPPE-Recv-Key =
0xb3963e8d4a98a9a2b83fc3463f4aee62e926bbe31e9fab554887fbef5efce59d
(22) MS-MPPE-Send-Key =
0xe659945053c03ec5ae6b8b0ceef6fa83d90c3718f2a69f013f86f3870e5349ed
(22) EAP-Message = 0x030b0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) User-Name = "test"
(22) Finished request
Waking up in 2.0 seconds.
(23) Received Accounting-Request Id 61 from 10.100.0.50:1646 to
10.101.0.20:1813 length 217
(23) Acct-Session-Id = "0000006D"
(23) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(23) User-Name = "test"
(23) Cisco-AVPair = "connect-progress=Call Up"
(23) Acct-Authentic = RADIUS
(23) Acct-Status-Type = Start
(23) NAS-Port-Type = Ethernet
(23) NAS-Port = 50006
(23) NAS-Port-Id = "GigabitEthernet0/6"
(23) Called-Station-Id = "24-01-C7-8E-84-86"
(23) Calling-Station-Id = "74-78-27-1B-F2-78"
(23) Service-Type = Framed-User
(23) NAS-IP-Address = 10.100.0.50
(23) Acct-Delay-Time = 0
(23) # Executing section preacct from file /etc/raddb/sites-enabled/default
(23) preacct {
(23) [preprocess] = ok
(23) policy acct_unique {
(23) update request {
(23) &Tmp-String-9 := "ai:"
(23) } # update request = noop
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(23) EXPAND %{hex:&Class}
(23) -->
(23) EXPAND ^%{hex:&Tmp-String-9}
(23) --> ^61693a
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(23) else {
(23) update request {
(23) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(23) --> ec3bf2e33c3293d656fc4362227660f2
(23) &Acct-Unique-Session-Id := ec3bf2e33c3293d656fc4362227660f2
(23) } # update request = noop
(23) } # else = noop
(23) } # policy acct_unique = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "test", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) [files] = noop
(23) } # preacct = ok
(23) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(23) accounting {
(23) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(23) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail: EXPAND %t
(23) detail: --> Mon Jul 25 18:16:45 2022
(23) [detail] = ok
(23) [unix] = ok
(23) radutmp: EXPAND /var/log/radius/radutmp
(23) radutmp: --> /var/log/radius/radutmp
(23) radutmp: EXPAND %{User-Name}
(23) radutmp: --> test
(23) [radutmp] = ok
(23) sradutmp: EXPAND /var/log/radius/sradutmp
(23) sradutmp: --> /var/log/radius/sradutmp
(23) sradutmp: EXPAND %{User-Name}
(23) sradutmp: --> test
(23) [sradutmp] = ok
(23) [exec] = noop
(23) attr_filter.accounting_response: EXPAND %{User-Name}
(23) attr_filter.accounting_response: --> test
(23) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(23) [attr_filter.accounting_response] = updated
(23) } # accounting = updated
(23) Sent Accounting-Response Id 61 from 10.101.0.20:1813 to
10.100.0.50:1646 length 0
(23) Finished request
(23) Cleaning up request packet ID 61 with timestamp +68
Waking up in 0.8 seconds.
(12) Cleaning up request packet ID 186 with timestamp +64
(13) Cleaning up request packet ID 187 with timestamp +64
(14) Cleaning up request packet ID 188 with timestamp +64
(15) Cleaning up request packet ID 189 with timestamp +64
(16) Cleaning up request packet ID 190 with timestamp +64
(17) Cleaning up request packet ID 191 with timestamp +64
Waking up in 2.7 seconds.
(18) Cleaning up request packet ID 192 with timestamp +67
(19) Cleaning up request packet ID 193 with timestamp +67
(20) Cleaning up request packet ID 194 with timestamp +67
(21) Cleaning up request packet ID 195 with timestamp +67
(22) Cleaning up request packet ID 196 with timestamp +67
Ready to process requests
3
7
Hello Alan, how are you? I ran some tests as fast as I could.
Now it's giving the following message:
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
NAS 2804:444:1:1::2 was added normally:
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
Authentication normally takes place with IPv6. The problem is with checkrad.
Below is the Access-Request package and the freeradius -X command output.
Could you help please?
Thank you!
Fabricio Viana
root@li1268-188:/# freeradius -v
radiusd: FreeRADIUS Version 3.0.24 (git #83d87a2), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.24
(0) Received Access-Request Id 142 from [2804:444:1:1::2]:33926 to [2600:4a00::f132:91a4:f567:34fd]:1812 length 185
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15813747
(0) NAS-Port-Type = Ethernet
(0) User-Name = "joseph.test"
(0) Calling-Station-Id = "AA:BB:B6:41:33:AA"
(0) Called-Station-Id = "pppoe-server-olt02"
(0) NAS-Port-Id = "ether3.501-PPPoE-OLT02"
(0) CHAP-Challenge = 0x388b23cbdc8d67936f09a731c70acf6e
(0) CHAP-Password = 0x018003bc3835139074138c89d63370276a
(0) NAS-Identifier = "R1.ITU"
(0) NAS-IPv6-Address = 2804:444:1:1::2
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) {
(0) EXPAND %{Cisco-AVPair[*]}
(0) -->
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE
(0) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) else {
(0) update request {
(0) EXPAND %{toupper:%{Calling-Station-Id}}
(0) --> AA:BB:B6:41:33:AA
(0) Calling-Station-Id := AA:BB:B6:41:33:AA
(0) } # update request = noop
(0) } # else = noop
(0) if (!control:Cleartext-Password){
(0) if (!control:Cleartext-Password) -> TRUE
(0) if (!control:Cleartext-Password) {
(0) update control {
(0) Cleartext-Password := "no_user_found_radiusnet"
(0) } # update control = noop
(0) } # if (!control:Cleartext-Password) = noop
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "ellen8858"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Conditional check items matched
(0) sql: Group "2BLO": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Merging reply items
(0) sql: Mikrotik-Rate-Limit = "100k/100k"
(0) sql: WISPr-Bandwidth-Max-Down = 100000
(0) sql: WISPr-Bandwidth-Max-Up = 100000
(0) sql: Framed-Pool = "pool_bloqueados"
(0) sql: Mikrotik-Address-List = "bloqueados"
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "joseph.test" authenticated successfully
(0) [chap] = ok
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group){
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group) -> FALSE
(0) if (reject && Framed-Protocol == PPP) {
(0) if (reject && Framed-Protocol == PPP) -> FALSE
(0) if (invalid && Framed-Protocol == PPP) {
(0) if (invalid && Framed-Protocol == PPP) -> FALSE
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /etc/freeradius/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> joseph.test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
FreeRADIUS Version 3.0.24
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/sqlippool_v4
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/sqlippool
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/sql
including configuration file /etc/freeradius/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/ddns_exec
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/sqlippool_v6
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries_v6.conf
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/digest
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/accounting
/etc/freeradius/policy.d/accounting[42]: Reference "${IDRADIUSSERVER}" not found
/etc/freeradius/policy.d/accounting[54]: Reference "${IDRADIUSSERVER}" not found
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/control
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/freeradius.env
including configuration file /etc/freeradius/ddns.env
main {
security {
user = "root"
group = "root"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/var/scriptsradius/callcheckrad.sh"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_sqlippool
# Loading module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
sqlippool sqlippool_v4 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
sqlippool {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "192.0.2.2"
port = 3306
login = "radius_user"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6prefix, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', UTC_TIMESTAMP(), UTC_TIMESTAMP(), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Prefix}', '%{Delegated-IPv6-Prefix}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = UTC_TIMESTAMP(), acctinterval = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', framedipv6prefix = '%{Framed-IPv6-Prefix}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctstoptime = NULL, nasportid = '%{NAS-Port-Id}', calledstationid = '%{Called-Station-Id}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' OR AcctUniqueId = '%{Segundo-AcctUnique-Id}' OR AcctUniqueId = '%{Terceiro-AcctUnique-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "ddns_del" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_del {
wait = yes
program = "/var/scriptsradius/ddns.php del %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ddns_add" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_add {
wait = yes
program = "/var/scriptsradius/ddns.php add %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
sqlippool sqlippool_v6 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippoolv6 WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippoolv6 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippoolv6 WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
instantiate {
}
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
# Instantiating module "sql" from file /etc/freeradius/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.7.35
mysql {
tls {
tls_required = no
check_cert = no
check_cert_cn = no
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
# Instantiating module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 38092
Listening on proxy address :: port 58617
Ready to process requests
2
3
Freeradius DHCP and "Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)"
by CpServiceSPb 11 Sep '22
by CpServiceSPb 11 Sep '22
11 Sep '22
I use Freeradius 3.0.21 on Ubuntu 18.04 x64 LTS.
It is started under freerad:freerad, acts as DHCP as well listen to 0.0.0.0
IP and accept broadcast on one of two interfaces and listen to
192.168.0.254 and not accept broadcast on other one interface.
During DHCP conversation with clients using broadcast accepting (IP
0.0.0.0) interface, the following message is got and DHCP don' t assign to
the client:
"Failed adding ARP entry: Failed to add entry in ARP cache: Operation not
permitted (1)"
I don' t want to launch Freeradius under either root user or root/admin
group.
What is the best solution to avoid the error under freerad:freerad and move
on ?
4
7
Hello Every body ,
I am working on Hotspot management System for Cloud Version , the authentication is done successfully and accounting also , but I am trying to send disconnect packet from my radius server to mikrotik , which doesn't have a Public IP
I am using this command
echo user-name=Ziad55 | radclient -x 10.10.0.103:1700 disconnect kskhfim2v
the Nas IP address is 10.10.0.103 and I enabled the Incoming Packet in Mikrotik's radius config
but I get this result
Sent Disconnect-Request Id 112 from 0.0.0.0:53800 to 127.0.0.1:1700 length 28
User-Name = "Ziad55"
Sent Disconnect-Request Id 112 from 0.0.0.0:53800 to 127.0.0.1:1700 length 28
User-Name = "Ziad55"
Sent Disconnect-Request Id 112 from 0.0.0.0:53800 to 127.0.0.1:1700 length 28
User-Name = "Ziad55"
(0) No reply from server for ID 112 socket 3
can u help me please to solve this issue ? it is not possible to get Public IP address
[1562314050593]
3
2
Hello,
sorry for using the ML for business purposes. It's been days I've been
trying to contact somebody from NeworkRadius but nobody replies to emails
nor picks up the phone.
What would be the best way to get in contact with them?
Thanks,
Alex
4
4
Re: EAP-TLS failure with Freeradius 3.2.0 : Failed reading from OpenSSL: ../ssl/record/rec_layer_s3.c[1528]:error:14094438
by Alan DeKok 28 Jul '22
by Alan DeKok 28 Jul '22
28 Jul '22
Don't send messages to my private email address. I read the list, and that's good enough.
Also read the instructions at http://wiki.freeradius.org/list-help
I have no idea why so many people refuse to follow the documentation. W don't need to see "radiusd -Xxxx" or anything else. Just "radiusd -X". You get told this in the "welcome" message when you join the list.
Can you explain why you're not following the documentation? i.e. the first message you post to the list tells us that you didn't read the docs, or you have no intention of following the documentation. Why is that useful? All it does is convince people that there's no point in answering your questions, because you'll just ignore any answer.
And read the debug messages you post to the list. This isn't a FreeRADIUS issue. FreeRADIUS is telling you that the problem is the peer. i.e. the client machine. It's not following the specifications correctly.
Go ask Google why their software is broken. No amount of poking FreeRADIUS will fix the Android phone.
Alan DeKok.
1
0
EAP-TLS failure with Freeradius 3.2.0 : Failed reading from OpenSSL: ../ssl/record/rec_layer_s3.c[1528]:error:14094438
by Arvinder Singh 28 Jul '22
by Arvinder Singh 28 Jul '22
28 Jul '22
Hi Alan,
When using FreeRadius 3.2.0, using EAP-TLS I am seeing below errors,
"
Tue Jul 26 16:46:02 2022 : Debug: (4) eap_tls: (TLS) EAP Done initial handshake
Tue Jul 26 16:46:02 2022 : Debug: (4) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
Tue Jul 26 16:46:02 2022 : Debug: (4) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
Tue Jul 26 16:46:02 2022 : ERROR: (4) eap_tls: (TLS) Alert read:fatal:internal error
Tue Jul 26 16:46:02 2022 : Debug: (4) eap_tls: (TLS) Server : Need to read more data: error
Tue Jul 26 16:46:02 2022 : ERROR: (4) eap_tls: (TLS) Failed reading from OpenSSL: ../ssl/record/rec_layer_s3.c[1528]:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Tue Jul 26 16:46:02 2022 : Debug: (4) eap_tls: (TLS) In Handshake Phase
Tue Jul 26 16:46:02 2022 : Debug: (4) eap_tls: (TLS) Application data.
Tue Jul 26 16:46:02 2022 : ERROR: (4) eap_tls: (TLS) Cannot continue, as the peer is misbehaving.
Tue Jul 26 16:46:02 2022 : ERROR: (4) eap_tls: [eaptls process] = fail
Tue Jul 26 16:46:02 2022 : ERROR: (4) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed
Tue Jul 26 16:46:02 2022 : Debug: (4) eap: Sending EAP Failure (code 4) ID 46 length 4
Tue Jul 26 16:46:02 2022 : Debug: (4) eap: Failed in EAP select
Tue Jul 26 16:46:02 2022 : Debug: (4) modsingle[authenticate]: returned from eap (rlm_eap)
Tue Jul 26 16:46:02 2022 : Debug: (4) [eap] = invalid
Tue Jul 26 16:46:02 2022 : Debug: (4) } # authenticate = invalid
Tue Jul 26 16:46:02 2022 : Debug: (4) Failed to authenticate the user
Tue Jul 26 16:46:02 2022 : Debug: (4) Using Post-Auth-Type Reject
"
I am using Android 12 clients and Netgear WiFi Access Point. EAP-PEAP is working perfectly fine for me.
I am using the default test certificates, ca.pem and user(a)example.org.pem<mailto:user@example.org.pem>
I am unable to debug further as these errors seems to be OpenSSL related. Any guidance fir resolution is appreciated.
Attached are the logs from the Radius server.
Best regards,
Arvinder Singh
Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this message by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this message in error, please contact the sender and delete it from your computer.
1
0