Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2022
- 35 participants
- 40 discussions
There is Ubuntu 18.04 LTS x64 noGUI with kernel 5.4.0-124.
I built deb packages from sources using deb rules downloaded
freeradius_3.2.0+dfsg-1.debian.tar.xz
<http://archive.ubuntu.com/ubuntu/pool/main/f/freeradius/freeradius_3.2.0+df…>
Having done some changes, and created some patches I successfully built
Freeradius of 3.2.0 version as well as launched successfully on my system.
But there are some different points in comparison with 3.0.25 one.
1. If Freeradius is launched from freerad user (non-root) and interface/IP
binding is set up, ,error is got:
Failed binding to interface eth0: Operation not permitted
Error: /etc/freeradius/sites-enabled/default[59]: Error binding to port for
192.168.0.254 port 1812
Uncommenting of
#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
didn' t solve the situation.
Run setcap cap_net_admin=ei /usr/bin/freeradius
didn' t solve the situation.
Changing of User=freerad to User=root in freeradius.service solved this.
During this, user in radiusd.conf wasn' t touched at all, that is it
remained freerad.
At the time freeradius is shown as launched from freerad user.
Is this correct ?
Or what way is the right one to solve this situation ?
2. There is /usr/sbin/freeradius -f in the processes list, not simply
/usr/sbin/freeradius as was with the previous version (for example 3.0.21) .
As follows, pid file is not created.
Is this correct ?
3. File cache_eap absence among available modules as it was with previous
versions.
Is it correct ?
4. What is the best value for "key' in the ippool module for pxe and common
dhcp clients ?
With value "%{NAS-IP_Address} %{NAS-Port}" IP addresses sometimes are not
assigned at all to clients.
Why, I don' t understand.
Deleting the DB, restarting Freeradius and repeated requests (for example
ipconfig /renew) temporarily helped me with it.
2
1
Hi guys!
I’m new to Freeradius and to mail-lists also. I’ve found an archive of this mail-list (http://lists.freeradius.org/pipermail/freeradius-users/) but have no idea how can I find there previous questions already answered – in order to not duplicate questions.
Is there duch a way? Except one, where I dhoupd unpack eache zip-file and look inside.
---------------------------------------
Best regards,
Alexander Semenyuk
3
2
hello,
in freeradius 3.2 i enable sqlippool and make static ip for radcheck user
accounting update not working
working only if client take ip from sqlippool
(1) # Executing section accounting from file
/usr/local/etc/raddb/sites-enabled/default
(1) accounting {
(1) [unix] = noop
rlm_sql (sql): Reserved connection (1)
(1) sqlippool: EXPAND %{User-Name}
(1) sqlippool: --> 77777
(1) sqlippool: SQL-User-Name set to '77777'
(1) sqlippool: EXPAND UPDATE radippool SET expiry_time = NOW() + INTERVAL
1210 SECOND WHERE nasipaddress =
'%{%{Nas-IP-Address}:-%{Nas-IPv6-Address}}' AND pool_key = '%{NAS-Port}'
AND username = '%{User-Name}' AND callingstationid =
'%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'
(1) sqlippool: --> UPDATE radippool SET expiry_time = NOW() + INTERVAL
1210 SECOND WHERE nasipaddress = '192.168.254.1' AND pool_key = '15728742'
AND username = '77777' AND callingstationid = 'C0:25:E9:4B:81:2D' AND
framedipaddress = '10.104.255.254'
(1) sqlippool: Executing query: UPDATE radippool SET expiry_time = NOW() +
INTERVAL 1210 SECOND WHERE nasipaddress = '192.168.254.1' AND pool_key =
'15728742' AND username = '77777' AND callingstationid =
'C0:25:E9:4B:81:2D' AND framedipaddress = '10.104.255.254'
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
rlm_sql (sql): Released connection (1)
Need 1 more connections to reach min connections (3)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.7.39, protocol version 10
(1) [sqlippool] = notfound
(1) } # accounting = notfound
(1) Not sending reply to client.
(1) Finished request
(1) Cleaning up request packet ID 125 with timestamp +274 due to done
Thanks
2
11
17 Aug '22
I am currently migrating some Freeradius 2 based services over to
Freeradius 3 (3.2.0), and I am having an issue with post-auth executing in
the inner-tunnel. In Freeradius 2, I have some post-auth logic that runs
fine, but it seems that the post-auth section does not run in Freeradius
3. I have gone through the documentation and posts to the listserv and
haven't found any clues as to why. In my particular case, I am using the
proxy-inner-tunnel configuration and adding a post-auth section, but in
other tests, it doesn't seem that post-auth runs when I try to use the
"inner-tunnel" config, which already has a post-auth section. Just to make
things simple to debug, I was able to build a very simple test case which
shows the problem:
Steps to re-create:
build 3.2.0
delete link to inner-tunnel and link to proxy-inner-tunnel. edit eap to
point to proxy-inner-tunnel as virtual server
add section post-auth and put:
update outer.session-state {
User-Name := &User-Name
}
just as a test action to look for.
add config to proxy.conf to allow for proxying the inner tunnel to another
radius server.
Resulting logs when testing with eapol_test:
===================================================
(0) Received Access-Request Id 0 from 127.0.0.1:41445 to 127.0.0.1:1812
length 132
(0) User-Name = "anonymous"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x021d000e01616e6f6e796d6f7573
(0) Message-Authenticator = 0x39ea158d433932e66e0bc072cfa388d8
(0) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 29 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 30 length 22
(0) eap: EAP session adding &reply:State = 0xe675df6ee66bdb2e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:41445
length 80
(0) EAP-Message = 0x011e001604102a157d4326f67fce4347da02b42ebd23
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xe675df6ee66bdb2e8fcb18675fa52d04
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(1) User-Name = "anonymous"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x021e00060319
(1) State = 0xe675df6ee66bdb2e8fcb18675fa52d04
(1) Message-Authenticator = 0xd42eec5a6a092ca329ae0713a3ef3cd6
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 30 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xe675df6ee66bdb2e
(1) eap: Finished EAP session with state 0xe675df6ee66bdb2e
(1) eap: Previous EAP request found for state 0xe675df6ee66bdb2e, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) Initiating new session
(1) eap: Sending EAP Request (code 1) ID 31 length 6
(1) eap: EAP session adding &reply:State = 0xe675df6ee76ac62e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:41445
length 64
(1) EAP-Message = 0x011f00061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xe675df6ee76ac62e8fcb18675fa52d04
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 127.0.0.1:41445 to 127.0.0.1:1812
length 326
(2) User-Name = "anonymous"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message =
0x021f00be1980000000b416030100af010000ab0303f1314c571be3433e52568c36e53402e80746307dd0b21b23326981a604679922000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004a000b000403000102000a000c000a001d0017001e001900180016000000170000000d002600240403050306030807080808090804080a0805080b08060401050106010303030102030201
(2) State = 0xe675df6ee76ac62e8fcb18675fa52d04
(2) Message-Authenticator = 0x675e1043ccbb0dfe522b1d29bd34c303
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 31 length 190
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xe675df6ee76ac62e
(2) eap: Finished EAP session with state 0xe675df6ee76ac62e
(2) eap: Previous EAP request found for state 0xe675df6ee76ac62e, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 180
bytes
(2) eap_peap: (TLS) EAP Got all data (180 bytes)
(2) eap_peap: (TLS) Handshake state - before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) Handshake state - Server before SSL initialization
(2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello
(2) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(2) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: (TLS) In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 32 length 1004
(2) eap: EAP session adding &reply:State = 0xe675df6ee455c62e
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:41445
length 1068
(2) EAP-Message =
0x012003ec19c000000a84160303003d0200003903036da97779dcfc5a5bc9f1c9906948eaebe1baa0466fad865b3e0f2f7c01d4d05d00c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303831303132313133365a170d3232313030393132313133365a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xe675df6ee455c62e8fcb18675fa52d04
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(3) User-Name = "anonymous"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x022000061900
(3) State = 0xe675df6ee455c62e8fcb18675fa52d04
(3) Message-Authenticator = 0xfc03a376328f9a0499739fce27d2084c
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 32 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xe675df6ee455c62e
(3) eap: Finished EAP session with state 0xe675df6ee455c62e
(3) eap: Previous EAP request found for state 0xe675df6ee455c62e, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 33 length 1000
(3) eap: EAP session adding &reply:State = 0xe675df6ee554c62e
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:41445
length 1064
(3) EAP-Message =
0x012103e819402adb595160175b017ed0e17a78bc099f1156837d868d3cbbf3e451228cba9c6d5ace7fa48e393591d454b4eeedf7a3c90910e6cd8dcc47b6e19ebe5d559324942cef992db2bd43102f8f5e89e5edb824cba0d5233dd57861bcd08acc9de162ba78fa450458c5530004fe308204fa308203e2a003020102021435d2a8dc2d1b2be61dc557b21db07c8fa0fc6647300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303831303132313133365a170d3232313030393132313133365a308193310b3009060355040613024652310f300d06035504080c0652616469
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xe675df6ee554c62e8fcb18675fa52d04
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(4) User-Name = "anonymous"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x022100061900
(4) State = 0xe675df6ee554c62e8fcb18675fa52d04
(4) Message-Authenticator = 0x8569b7d08d76ab03703a102f5d4288b5
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 33 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xe675df6ee554c62e
(4) eap: Finished EAP session with state 0xe675df6ee554c62e
(4) eap: Previous EAP request found for state 0xe675df6ee554c62e, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 34 length 710
(4) eap: EAP session adding &reply:State = 0xe675df6ee257c62e
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:41445
length 772
(4) EAP-Message =
0x012202c6190072746966696361746520417574686f72697479821435d2a8dc2d1b2be61dc557b21db07c8fa0fc6647300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010050d5336980e982145b06a8a407b19683d7f53faf13f80a0e7e74c5c629669a7b19e3046c6e075497f3ed348ba7f771991661ac6727f3247b2432c88f8d3ce43f4cbe446154361b182bf735339a4436f4d6a9c04dd86a8831ce2d5e82f534dc0dfa03b22936c611f13e376f283e56897337a54ce3bfba868789142a04b9be837250de393c66f399c36ffbd3e9d4f2053473e1b50079a53ea4c17888cea0e0b7dd8c3c1bc8cf9cd11522da747088e4a02cc3b15453b2a01fcf26852c934351321ee5ccee3da2c56d28939644f8d3c6bf0d14191a75c27b989b9ac66e025f8c0c8824dbf60d0c3677f0197712
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xe675df6ee257c62e8fcb18675fa52d04
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 127.0.0.1:41445 to 127.0.0.1:1812
length 239
(5) User-Name = "anonymous"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x0222006719800000005d160303002510000021205badd466a638f7537d8010eab5e0d3d8d6aaa705b329068bef15e3059fd39f501403030001011603030028c9186d481dde735885d75fa1f3d4c72bda0f66f8632b5206d9f169111cdb694c8ca57fb878cbd583
(5) State = 0xe675df6ee257c62e8fcb18675fa52d04
(5) Message-Authenticator = 0x8ea387527f36de9ea4e8f4278e256010
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 34 length 103
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xe675df6ee257c62e
(5) eap: Finished EAP session with state 0xe675df6ee257c62e
(5) eap: Previous EAP request found for state 0xe675df6ee257c62e, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) EAP Peer says that the final record size will be 93
bytes
(5) eap_peap: (TLS) EAP Got all data (93 bytes)
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(5) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key
exchange
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher
spec
(5) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished
(5) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec
(5) eap_peap: (TLS) send TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished
(5) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully
(5) eap_peap: (TLS) Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap: Sending EAP Request (code 1) ID 35 length 57
(5) eap: EAP session adding &reply:State = 0xe675df6ee356c62e
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:41445
length 115
(5) EAP-Message =
0x01230039190014030300010116030300282054ff1c9b5e54f29863aa0bd69ed60ba57d30beacbe09fd503621ec887b1c6569231971db0cc58b
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xe675df6ee356c62e8fcb18675fa52d04
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 6 from 127.0.0.1:41445 to 127.0.0.1:1812
length 142
(6) User-Name = "anonymous"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message = 0x022300061900
(6) State = 0xe675df6ee356c62e8fcb18675fa52d04
(6) Message-Authenticator = 0x78ff7dfd696415044fb2363b8595b00c
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 35 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xe675df6ee356c62e
(6) eap: Finished EAP session with state 0xe675df6ee356c62e
(6) eap: Previous EAP request found for state 0xe675df6ee356c62e, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is
finished
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 36 length 40
(6) eap: EAP session adding &reply:State = 0xe675df6ee051c62e
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 994
(6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:41445
length 98
(6) EAP-Message =
0x012400281900170303001d2054ff1c9b5e54f33382548c13b84579a2844d2cbe8a06080b85335aba
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xe675df6ee051c62e8fcb18675fa52d04
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 7 from 127.0.0.1:41445 to 127.0.0.1:1812
length 188
(7) User-Name = "anonymous"
(7) NAS-IP-Address = 127.0.0.1
(7) Calling-Station-Id = "02-00-00-00-00-01"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Connect-Info = "CONNECT 11Mbps 802.11b"
(7) EAP-Message =
0x0224003419001703030029c9186d481dde7359fda0277d5d1165a6f67f77bd2273b9e846ae774aa73ba8c5fd0122fffdf5364740
(7) State = 0xe675df6ee051c62e8fcb18675fa52d04
(7) Message-Authenticator = 0xe17bde94850882d1c7ab3953ffe189a8
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 36 length 52
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xe675df6ee051c62e
(7) eap: Finished EAP session with state 0xe675df6ee051c62e
(7) eap: Previous EAP request found for state 0xe675df6ee051c62e, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) EAP Done initial handshake
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - username(a)example.org
(7) eap_peap: Got inner identity 'username(a)example.org'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) eap_peap: Setting User-Name to username(a)example.org
(7) eap_peap: Sending tunneled request to proxy-inner-tunnel
(7) eap_peap: EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "username(a)example.org"
(7) Virtual server proxy-inner-tunnel received request
(7) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "username(a)example.org"
(7) server proxy-inner-tunnel {
(7) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
(7) authorize {
(7) update control {
(7) &Proxy-To-Realm := "example.org"
(7) } # update control = noop
(7) } # authorize = noop
(7) } # server proxy-inner-tunnel
(7) Virtual server sending reply
(7) eap_peap: Got tunneled reply code 0
(7) eap_peap: Tunnelled authentication will be proxied to example.org
(7) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(7) [eap] = handled
(7) } # authenticate = handled
(7) Starting proxy to home server 127.0.0.1 port 1812
(7) server default {
(7) }
(7) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(7) Sent Access-Request Id 221 from 0.0.0.0:59393 to 127.0.0.1:1812 length
82
(7) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(7) User-Name = "username(a)example.org"
(7) Message-Authenticator = 0x
(7) Proxy-State = 0x37
Waking up in 0.3 seconds.
(8) Received Access-Request Id 221 from 127.0.0.1:59393 to 127.0.0.1:1812
length 82
(8) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(8) User-Name = "username(a)example.org"
(8) Message-Authenticator = 0x43b1c4ff0c835adf67913c98a827f03a
(8) Proxy-State = 0x37
(8) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "example.org" for User-Name = "
username(a)example.org"
(8) suffix: Found realm "example.org"
(8) suffix: Adding Realm = "example.org"
(8) suffix: Proxying request from user username(a)example.org to realm
example.org
(8) suffix: Preparing to proxy authentication request to realm "example.org"
(8) [suffix] = updated
(8) eap: Request is supposed to be proxied to Realm example.org. Not doing
EAP.
(8) [eap] = noop
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Starting proxy to home server 10.6.11.15 port 1812
(8) server default {
(8) }
(8) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000
(8) Sent Access-Request Id 186 from 0.0.0.0:59393 to 10.6.11.15:1812 length
99
(8) EAP-Message = 0x0224001501636772696666696e4075666c2e656475
(8) User-Name = "username(a)example.org"
(8) Message-Authenticator = 0x43b1c4ff0c835adf67913c98a827f03a
(8) Proxy-State = 0x37
(8) Event-Timestamp = "Aug 10 2022 08:18:59 EDT"
(8) NAS-IP-Address = 127.0.0.1
(8) Proxy-State = 0x323231
Waking up in 0.3 seconds.
(8) Marking home server 10.6.11.15 port 1812 alive
(8) Clearing existing &reply: attributes
(8) Received Access-Challenge Id 186 from 10.6.11.15:1812 to
10.6.11.22:59393 length 131
(8) Proxy-State = 0x37
(8) Proxy-State = 0x323231
(8) Session-Timeout = 60
(8) EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(8) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(8) Message-Authenticator = 0x75e2f8c4ebb5d17b32cc932f2d37777b
(8) server default {
(8) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(8) post-proxy {
(8) eap: No pre-existing handler found
(8) [eap] = noop
(8) } # post-proxy = noop
(8) }
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 221 from 127.0.0.1:1812 to 127.0.0.1:59393
length 126
(8) Session-Timeout = 60
(8) EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(8) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(8) Message-Authenticator = 0x75e2f8c4ebb5d17b32cc932f2d37777b
(8) Proxy-State = 0x37
(8) Finished request
Waking up in 0.2 seconds.
(7) Marking home server 127.0.0.1 port 1812 alive
(7) Clearing existing &reply: attributes
(7) Received Access-Challenge Id 221 from 127.0.0.1:1812 to 127.0.0.1:59393
length 126
(7) Session-Timeout = 60
(7) EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(7) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(7) Message-Authenticator = 0xaec7f4f146d52066eb1af0e204283dcd
(7) Proxy-State = 0x37
(7) server default {
(7) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) post-proxy {
(7) eap: Doing post-proxy callback
(7) eap: Passing reply from proxy back into the tunnel
(7) eap: Got tunneled reply RADIUS code 11
(7) eap: Session-Timeout = 60
(7) eap: EAP-Message =
0x012500271a0125002210919965cf8da364883037da7f61f7f09e4e534c41422d4e5053324b3136
(7) eap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(7) eap: Message-Authenticator = 0xaec7f4f146d52066eb1af0e204283dcd
(7) eap: Proxy-State = 0x37
(7) eap: Got tunneled Access-Challenge
(7) eap: Reply was handled
(7) eap: Sending EAP Request (code 1) ID 37 length 70
(7) eap: EAP session adding &reply:State = 0xe675df6ee150c62e
(7) [eap] = ok
(7) } # post-proxy = ok
(7) }
(7) session-state: Saving cached attributes
(7) Framed-MTU = 994
(7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:41445
length 128
(7) EAP-Message =
0x012500461900170303003b2054ff1c9b5e54f41704b7e71c7b36fac19dc00a4c72e794816491552341929e3a29eaacb6ed73a86178e2a411236422b3f1fb96aa4050005cfd0c
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xe675df6ee150c62e8fcb18675fa52d04
(7) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 8 from 127.0.0.1:41445 to 127.0.0.1:1812
length 242
(9) User-Name = "anonymous"
(9) NAS-IP-Address = 127.0.0.1
(9) Calling-Station-Id = "02-00-00-00-00-01"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Connect-Info = "CONNECT 11Mbps 802.11b"
(9) EAP-Message =
0x0225006a1900170303005fc9186d481dde735a6f6ed9296cacf6e5e023ec3f83ee85a45230752da0ad7ecadeda1694f5c57198ab6841dfd339157a386210e7f3ebd75a3f15c87e8b8013129a97f5b62c4066a50056afee0c1275fd499841f9f6c4d4e00c312aafe6272e
(9) State = 0xe675df6ee150c62e8fcb18675fa52d04
(9) Message-Authenticator = 0x2934573eb6545749fc175ddbb34b8896
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 994
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 37 length 106
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xe675df6ee150c62e
(9) eap: Finished EAP session with state 0xe675df6ee150c62e
(9) eap: Previous EAP request found for state 0xe675df6ee150c62e, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: (TLS) EAP Done initial handshake
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) eap_peap: Setting User-Name to username(a)example.org
(9) eap_peap: Sending tunneled request to proxy-inner-tunnel
(9) eap_peap: EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "username(a)example.org"
(9) eap_peap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) Virtual server proxy-inner-tunnel received request
(9) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "username(a)example.org"
(9) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) server proxy-inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
(9) authorize {
(9) update control {
(9) &Proxy-To-Realm := "example.org"
(9) } # update control = noop
(9) } # authorize = noop
(9) } # server proxy-inner-tunnel
(9) Virtual server sending reply
(9) eap_peap: Got tunneled reply code 0
(9) eap_peap: Tunnelled authentication will be proxied to example.org
(9) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(9) [eap] = handled
(9) } # authenticate = handled
(9) Starting proxy to home server 127.0.0.1 port 1812
(9) server default {
(9) }
(9) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(9) Sent Access-Request Id 235 from 0.0.0.0:59393 to 127.0.0.1:1812 length
174
(9) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(9) User-Name = "username(a)example.org"
(9) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) Message-Authenticator = 0x
(9) Proxy-State = 0x38
Waking up in 0.3 seconds.
(10) Received Access-Request Id 235 from 127.0.0.1:59393 to 127.0.0.1:1812
length 174
(10) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(10) User-Name = "username(a)example.org"
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x2252e6f6a3cc56e21ec1162298e833f4
(10) Proxy-State = 0x38
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: Looking up realm "example.org" for User-Name = "
username(a)example.org"
(10) suffix: Found realm "example.org"
(10) suffix: Adding Realm = "example.org"
(10) suffix: Proxying request from user username(a)example.org to realm
example.org
(10) suffix: Preparing to proxy authentication request to realm "example.org"
(10) [suffix] = updated
(10) eap: Request is supposed to be proxied to Realm example.org. Not doing
EAP.
(10) [eap] = noop
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Starting proxy to home server 10.6.11.15 port 1812
(10) server default {
(10) }
(10) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000
(10) Sent Access-Request Id 59 from 0.0.0.0:59393 to 10.6.11.15:1812 length
191
(10) EAP-Message =
0x0225004b1a02250046316d86546d02682c467d806da7600f65070000000000000000e909fed167b345f628d792682860607f350019b3c2b83a3800636772696666696e4075666c2e656475
(10) User-Name = "username(a)example.org"
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x2252e6f6a3cc56e21ec1162298e833f4
(10) Proxy-State = 0x38
(10) Event-Timestamp = "Aug 10 2022 08:18:59 EDT"
(10) NAS-IP-Address = 127.0.0.1
(10) Proxy-State = 0x323335
Waking up in 0.3 seconds.
(10) Clearing existing &reply: attributes
(10) Received Access-Challenge Id 59 from 10.6.11.15:1812 to
10.6.11.22:59393 length 143
(10) Proxy-State = 0x38
(10) Proxy-State = 0x323335
(10) Session-Timeout = 60
(10) EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x6b8527e1973479a319453417a2c90f42
(10) server default {
(10) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(10) post-proxy {
(10) eap: No pre-existing handler found
(10) [eap] = noop
(10) } # post-proxy = noop
(10) }
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 235 from 127.0.0.1:1812 to 127.0.0.1:59393
length 138
(10) Session-Timeout = 60
(10) EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(10) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(10) Message-Authenticator = 0x6b8527e1973479a319453417a2c90f42
(10) Proxy-State = 0x38
(10) Finished request
Waking up in 0.1 seconds.
(9) Clearing existing &reply: attributes
(9) Received Access-Challenge Id 235 from 127.0.0.1:1812 to 127.0.0.1:59393
length 138
(9) Session-Timeout = 60
(9) EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(9) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) Message-Authenticator = 0xa7a5d80e820957076837a9676974152d
(9) Proxy-State = 0x38
(9) server default {
(9) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) post-proxy {
(9) eap: Doing post-proxy callback
(9) eap: Passing reply from proxy back into the tunnel
(9) eap: Got tunneled reply RADIUS code 11
(9) eap: Session-Timeout = 60
(9) eap: EAP-Message =
0x012600331a0325002e533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(9) eap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(9) eap: Message-Authenticator = 0xa7a5d80e820957076837a9676974152d
(9) eap: Proxy-State = 0x38
(9) eap: Got tunneled Access-Challenge
(9) eap: Reply was handled
(9) eap: Sending EAP Request (code 1) ID 38 length 82
(9) eap: EAP session adding &reply:State = 0xe675df6eee53c62e
(9) [eap] = ok
(9) } # post-proxy = ok
(9) }
(9) session-state: Saving cached attributes
(9) Framed-MTU = 994
(9) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:41445
length 140
(9) EAP-Message =
0x01260052190017030300472054ff1c9b5e54f59cc0dcaebf53e944b82ed1c318ffbc62c980efe461b0d53ad17c41ec8d2ea20cee09c6fd2c291ff46f9f4c6f1c958b4f5bda67798c4c472160325089c9d09d
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xe675df6eee53c62e8fcb18675fa52d04
(9) Finished request
Waking up in 4.7 seconds.
(11) Received Access-Request Id 9 from 127.0.0.1:41445 to 127.0.0.1:1812
length 173
(11) User-Name = "anonymous"
(11) NAS-IP-Address = 127.0.0.1
(11) Calling-Station-Id = "02-00-00-00-00-01"
(11) Framed-MTU = 1400
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Connect-Info = "CONNECT 11Mbps 802.11b"
(11) EAP-Message =
0x022600251900170303001ac9186d481dde735bda9d2d9bf418939943eeadac727b51daf83d
(11) State = 0xe675df6eee53c62e8fcb18675fa52d04
(11) Message-Authenticator = 0x4369ac0ea166f1c1235fad5555c6b7bf
(11) Restoring &session-state
(11) &session-state:Framed-MTU = 994
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(11) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 38 length 37
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xe675df6eee53c62e
(11) eap: Finished EAP session with state 0xe675df6eee53c62e
(11) eap: Previous EAP request found for state 0xe675df6eee53c62e, released
from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: (TLS) EAP Done initial handshake
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state phase2
(11) eap_peap: EAP method MSCHAPv2 (26)
(11) eap_peap: Got tunneled request
(11) eap_peap: EAP-Message = 0x022600061a03
(11) eap_peap: Setting User-Name to username(a)example.org
(11) eap_peap: Sending tunneled request to proxy-inner-tunnel
(11) eap_peap: EAP-Message = 0x022600061a03
(11) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_peap: User-Name = "username(a)example.org"
(11) eap_peap: State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(11) Virtual server proxy-inner-tunnel received request
(11) EAP-Message = 0x022600061a03
(11) FreeRADIUS-Proxied-To = 127.0.0.1
(11) User-Name = "username(a)example.org"
(11) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(11) server proxy-inner-tunnel {
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/proxy-inner-tunnel
(11) authorize {
(11) update control {
(11) &Proxy-To-Realm := "example.org"
(11) } # update control = noop
(11) } # authorize = noop
(11) } # server proxy-inner-tunnel
(11) Virtual server sending reply
(11) eap_peap: Got tunneled reply code 0
(11) eap_peap: Tunnelled authentication will be proxied to example.org
(11) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(11) [eap] = handled
(11) } # authenticate = handled
(11) Starting proxy to home server 127.0.0.1 port 1812
(11) server default {
(11) }
(11) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000
(11) Sent Access-Request Id 27 from 0.0.0.0:59393 to 127.0.0.1:1812 length
105
(11) EAP-Message = 0x022600061a03
(11) User-Name = "username(a)example.org"
(11) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(11) Message-Authenticator = 0x
(11) Proxy-State = 0x39
Waking up in 0.3 seconds.
(12) Received Access-Request Id 27 from 127.0.0.1:59393 to 127.0.0.1:1812
length 105
(12) EAP-Message = 0x022600061a03
(12) User-Name = "username(a)example.org"
(12) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(12) Message-Authenticator = 0x28dbdd5be33bb7040adfddfe8d9352cd
(12) Proxy-State = 0x39
(12) session-state: No cached attributes
(12) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /(a)\./) {
(12) if (&User-Name =~ /(a)\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: Looking up realm "example.org" for User-Name = "
username(a)example.org"
(12) suffix: Found realm "example.org"
(12) suffix: Adding Realm = "example.org"
(12) suffix: Proxying request from user username(a)example.org to realm
example.org
(12) suffix: Preparing to proxy authentication request to realm "example.org"
(12) [suffix] = updated
(12) eap: Request is supposed to be proxied to Realm example.org. Not doing
EAP.
(12) [eap] = noop
(12) [files] = noop
(12) [expiration] = noop
(12) [logintime] = noop
(12) [pap] = noop
(12) } # authorize = updated
(12) Starting proxy to home server 10.6.11.15 port 1812
(12) server default {
(12) }
(12) Proxying request to home server 10.6.11.15 port 1812 timeout 10.000000
(12) Sent Access-Request Id 52 from 0.0.0.0:59393 to 10.6.11.15:1812 length
121
(12) EAP-Message = 0x022600061a03
(12) User-Name = "username(a)example.org"
(12) State =
0x6e3e08c40000013700011700fe800000000000008df64cb7c2d32694000000045f724dfe
(12) Message-Authenticator = 0x28dbdd5be33bb7040adfddfe8d9352cd
(12) Proxy-State = 0x39
(12) Event-Timestamp = "Aug 10 2022 08:18:59 EDT"
(12) NAS-IP-Address = 127.0.0.1
(12) Proxy-State = 0x3237
Waking up in 0.3 seconds.
(12) Clearing existing &reply: attributes
(12) Received Access-Accept Id 52 from 10.6.11.15:1812 to 10.6.11.22:59393
length 281
(12) Proxy-State = 0x39
(12) Proxy-State = 0x3237
(12) Framed-Protocol = PPP
(12) Service-Type = Framed-User
(12) EAP-Message = 0x03260004
(12) Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(12) MS-Link-Utilization-Threshold = 50
(12) MS-Link-Drop-Time-Limit = 120
(12) MS-CHAP-Domain = "\001UFAD"
(12) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(12) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(12) MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(12) Message-Authenticator = 0xc89831d91964fd2ed5b22785ef179a2e
(12) server default {
(12) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(12) post-proxy {
(12) eap: No pre-existing handler found
(12) [eap] = noop
(12) } # post-proxy = noop
(12) }
(12) Found Auth-Type = Accept
(12) Auth-Type = Accept, accepting the user
(12) # Executing section post-auth from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(12) post-auth {
(12) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(12) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(12) update {
(12) No attributes updated for RHS &session-state:
(12) } # update = noop
(12) [exec] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(12) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(12) } # post-auth = noop
(12) Sent Access-Accept Id 27 from 127.0.0.1:1812 to 127.0.0.1:59393 length
277
(12) Framed-Protocol = PPP
(12) Service-Type = Framed-User
(12) EAP-Message = 0x03260004
(12) Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(12) MS-Link-Utilization-Threshold = 50
(12) MS-Link-Drop-Time-Limit = 120
(12) MS-CHAP-Domain = "\001UFAD"
(12) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(12) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(12) MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(12) Message-Authenticator = 0xc89831d91964fd2ed5b22785ef179a2e
(12) Proxy-State = 0x39
(12) Finished request
Waking up in 0.3 seconds.
(11) Clearing existing &reply: attributes
(11) Received Access-Accept Id 27 from 127.0.0.1:1812 to 127.0.0.1:59393
length 277
(11) Framed-Protocol = PPP
(11) Service-Type = Framed-User
(11) EAP-Message = 0x03260004
(11) Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(11) MS-Link-Utilization-Threshold = 50
(11) MS-Link-Drop-Time-Limit = 120
(11) MS-CHAP-Domain = "\001UFAD"
(11) MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(11) MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(11) MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(11) Message-Authenticator = 0xde8fa57b092b483a7be18b2d1893aa40
(11) Proxy-State = 0x39
(11) server default {
(11) # Executing section post-proxy from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) post-proxy {
(11) eap: Doing post-proxy callback
(11) eap: Passing reply from proxy back into the tunnel
(11) eap: Got tunneled reply RADIUS code 2
(11) eap: Framed-Protocol = PPP
(11) eap: Service-Type = Framed-User
(11) eap: EAP-Message = 0x03260004
(11) eap: Class =
0x9cfe09b000000137000102000a060b0f000000008df64cb7c2d3269401d830f9a2012075000000000006ed48
(11) eap: MS-Link-Utilization-Threshold = 50
(11) eap: MS-Link-Drop-Time-Limit = 120
(11) eap: MS-CHAP-Domain = "\001UFAD"
(11) eap: MS-MPPE-Send-Key = 0x10e45324b8c3d2c45a891f6068c60e8e
(11) eap: MS-MPPE-Recv-Key = 0xe91ba4c29e258660071f4bfce79d0314
(11) eap: MS-CHAP2-Success =
0x01533d46444535443942333830393542413637373242454642363234354444323637313836363836374632
(11) eap: Message-Authenticator = 0xde8fa57b092b483a7be18b2d1893aa40
(11) eap: Proxy-State = 0x39
(11) eap: Tunneled authentication was successful
(11) eap: SUCCESS
(11) eap: Reply was handled
(11) eap: Sending EAP Request (code 1) ID 39 length 46
(11) eap: EAP session adding &reply:State = 0xe675df6eef52c62e
(11) [eap] = ok
(11) } # post-proxy = ok
(11) }
(11) session-state: Saving cached attributes
(11) Framed-MTU = 994
(11) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(11) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange"
(11) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(11) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:41445
length 104
(11) EAP-Message =
0x0127002e190017030300232054ff1c9b5e54f65a96c6f9c26f4368dea611f63dd222bbc75a6489e3787981c6c053
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0xe675df6eef52c62e8fcb18675fa52d04
(11) Finished request
Waking up in 4.7 seconds.
(13) Received Access-Request Id 10 from 127.0.0.1:41445 to 127.0.0.1:1812
length 182
(13) User-Name = "anonymous"
(13) NAS-IP-Address = 127.0.0.1
(13) Calling-Station-Id = "02-00-00-00-00-01"
(13) Framed-MTU = 1400
(13) NAS-Port-Type = Wireless-802.11
(13) Service-Type = Framed-User
(13) Connect-Info = "CONNECT 11Mbps 802.11b"
(13) EAP-Message =
0x0227002e19001703030023c9186d481dde735c252cdf5e4f904d6191485ee65d136156c4a980ed966e9fc425cbd7
(13) State = 0xe675df6eef52c62e8fcb18675fa52d04
(13) Message-Authenticator = 0x1d9975ec3f07b5971e779a3aaa8d0a4d
(13) Restoring &session-state
(13) &session-state:Framed-MTU = 994
(13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, ClientKeyExchange"
(13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
Handshake, Finished"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
ChangeCipherSpec"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Finished"
(13) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(13) &session-state:TLS-Session-Version = "TLS 1.2"
(13) # Executing section authorize from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /(a)\./) {
(13) if (&User-Name =~ /(a)\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 39 length 46
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(13) authenticate {
(13) eap: Expiring EAP session with state 0xe675df6eef52c62e
(13) eap: Finished EAP session with state 0xe675df6eef52c62e
(13) eap: Previous EAP request found for state 0xe675df6eef52c62e, released
from the list
(13) eap: Peer sent packet with method EAP PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: (TLS) EAP Done initial handshake
(13) eap_peap: Session established. Decoding tunneled attributes
(13) eap_peap: PEAP state send tlv success
(13) eap_peap: Received EAP-TLV response
(13) eap_peap: Success
(13) eap: Sending EAP Success (code 3) ID 39 length 4
(13) eap: Freeing handler
(13) [eap] = ok
(13) } # authenticate = ok
(13) # Executing section post-auth from file
/opt/freeradius-test/etc/raddb/sites-enabled/default
(13) post-auth {
(13) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(13) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(13) update {
(13) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerHello'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
Certificate'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerKeyExchange'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
ServerHelloDone'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
ClientKeyExchange'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake,
Finished'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2
ChangeCipherSpec'
(13) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake,
Finished'
(13) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(13) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(13) } # update = noop
(13) [exec] = noop
(13) policy remove_reply_message_if_eap {
(13) if (&reply:EAP-Message && &reply:Reply-Message) {
(13) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(13) else {
(13) [noop] = noop
(13) } # else = noop
(13) } # policy remove_reply_message_if_eap = noop
(13) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(13) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(13) } # post-auth = noop
(13) Sent Access-Accept Id 10 from 127.0.0.1:1812 to 127.0.0.1:41445 length
177
(13) MS-MPPE-Recv-Key =
0x62648fa7a7f83a26511884879c34872597bf15b27f0fe7c0e8b9426e2de1e5b4
(13) MS-MPPE-Send-Key =
0x9e1e4d2c8aede721a947dfc545f44960236c983e73f6883659db7ddf618c46fc
(13) EAP-Message = 0x03270004
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) User-Name = "anonymous"
(13) Framed-MTU += 994
(13) Finished request
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 0 with timestamp +3 due to cleanup_delay
was reached
(1) Cleaning up request packet ID 1 with timestamp +3 due to cleanup_delay
was reached
(2) Cleaning up request packet ID 2 with timestamp +3 due to cleanup_delay
was reached
(3) Cleaning up request packet ID 3 with timestamp +3 due to cleanup_delay
was reached
(4) Cleaning up request packet ID 4 with timestamp +3 due to cleanup_delay
was reached
(5) Cleaning up request packet ID 5 with timestamp +3 due to cleanup_delay
was reached
(6) Cleaning up request packet ID 6 with timestamp +3 due to cleanup_delay
was reached
(8) Cleaning up request packet ID 221 with timestamp +3 due to
cleanup_delay was reached
(7) Cleaning up request packet ID 7 with timestamp +3 due to cleanup_delay
was reached
Waking up in 0.1 seconds.
(10) Cleaning up request packet ID 235 with timestamp +3 due to
cleanup_delay was reached
(9) Cleaning up request packet ID 8 with timestamp +3 due to cleanup_delay
was reached
(12) Cleaning up request packet ID 27 with timestamp +3 due to
cleanup_delay was reached
(11) Cleaning up request packet ID 9 with timestamp +3 due to cleanup_delay
was reached
(13) Cleaning up request packet ID 10 with timestamp +3 due to
cleanup_delay was reached
Ready to process requests
==============================================
I don't see post-auth being called from proxy-inner-tunnel. Is there any
trick that I missed to get it to run?
Thanks!
Chris
2
7
Hi, I apologize in advance I know that this is not a question about
freeradius server, but here I think I have a better chance to find the
answer.
I need to check the realm of incoming radius requests and I have setup
with EAP-TLS. Android provide a way to specify the anonymous identity
and include into it realm value but Apple devices seem to use CN field
from cert as username and as anonymous username.
So I just want to check with a community that I am correct in my
observation that Apple devices use CN as an anonymous identity. Maybe
someone can confirm it.
Apple documentation saying next about anonymous identity.
---
"Optional. This key is only relevant to TTLS, PEAP, and EAP-FAST.
This allows the user to hide his or her identity. The userʼs actual
name appears only inside the encrypted tunnel. For example, it could
be set to ”anonymous” or ”anon”, or
”anon(a)mycompany.xn--net-9o0a.
It can increase security because an attacker canʼt see the
authenticating userʼs name in the clear.
"
---
Best regards
Vladimir
2
1
Dear Savers ...
I got this error in my debug the php program check something and return 0 for true and -1 for false and the php code work fine
but the I don't understand what to echo back or return to freeradius to understand the situation
I try to echo and not echo
when I echo the value it pass like this
so what is the best way to do such a thing
(2) update control {
(2) Executing: /usr/bin/php -f /opt/ajrass/egy-radius-cloud/freeradius/exec/dns.php:
(2) Program returned code (0) and output ''1"
(2) Tmp-Integer-0 := 0
(2) } # update control = noop
(2) if (Tmp-Integer-0 < 0 ){
(2) ERROR: Failed retrieving values required to evaluate condition
(2) } # policy call_dns = noop
Mohammed
2
1
Re: FreeRADIUS fails to include attributes in response to a Juniper switch
by White, Daniel E. (GSFC-770.0)[AEGIS] 12 Aug '22
by White, Daniel E. (GSFC-770.0)[AEGIS] 12 Aug '22
12 Aug '22
On Aug 11, 2022, at 9:27 AM, White, Daniel E. (GSFC-770.0)[AEGIS] via Freeradius-Users <freeradius-users(a)lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> wrote:
I tried commenting it out.
Same failure.
I suggest reading the documentation instead of trying random things. And paying attention to what you're doing. Your "users" file entries are mostly wrong.
# DEFAULT Auth-Type := ntlm_auth
bobb Cleartext-Password := "hello"
Typo in "bobb". This doesn't affect anything, but it's still a typo.
Not a typo. I used a different name.
DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
This matches the LDAP group, and then... does nothing. See the documentation for the "users" file, and look for reply attributes.
Looking at the man page for users, I now see what you are referring to.
i.e. Why doesn't it send any reply attributes when I don't put reply attributes in the users file?"
That question answers itself.
So... put reply attributes here. As done in the other examples. As the documentation says.
I am following what was previously done on Cistron RADIUS
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
Old and not necessary. Delete it.
It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
Old and not necessary. Delete it.
It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
Old and not necessary. Delete it.
It is in the default file from freeradius.x86_64 3.0.20-12.module+el8.6.0+13617+542eca26 @rhel-8-for-x86_64-appstream-rpms
DEFAULT Group-Name = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
Juniper-Local-User-Name = "remote-nocengr",
Service-Type = Login-User,
Fall-Through = No
Why "Group-Name", and not "LDAP-Group"?
DEFAULT Group = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
Juniper-Local-User-Name = "remote-nocengr",
Service-Type = Login-User,
Fall-Through = Yes
Why "Group", and not "LDAP-Group"?
The documentation makes it clear that "Group" and "Group-Name" is for unix group checking.
And the main difference between the last two entires is that one has "Fall-Through = yes", and the other has "Fall-Through = no".
You're randomly using "LDAP-Group", "Group", and "Group-Name" as synonyms. They're not. You're randomly adding reply attributes to some users file entries, and then not to others.
Please be more specific as to “the documentation”. I found “LDAP-Group", "Group", and "Group-Name" referenced in dictionary.freeradius.internal but without any explanation.
This looks like you're just trying a bunch of things by mashing at the keyboard, and not paying attention to details. It helps rather a lot to read the docs, to pay attention to details, and to take a careful approach to making changes.
Where is the documentation about adding VSA’s to the RADIUS response, please ?
2
1
FreeRADIUS fails to include attributes in response to a Juniper switch
by White, Daniel E. (GSFC-770.0)[AEGIS] 11 Aug '22
by White, Daniel E. (GSFC-770.0)[AEGIS] 11 Aug '22
11 Aug '22
Trying to talk to a Juniper Switch:
FreeRADIUS says the credentials are OK, but the switch needs a response that includes attributes
I am copying configuration from an ancient Cistron RADIUS server that I am trying to replace.
The necessary attribute, Juniper-Local-User-Name, is specified in the users file, but it is not included in the response from FR to the device.
What am I missing, please ?
Is this a vendor-specific attribute or VSA ?
-------------------------------------
/etc/raddb/users :
# DEFAULT Auth-Type := ntlm_auth
bobb Cleartext-Password := "hello"
DEFAULT LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
DEFAULT Group-Name = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
Juniper-Local-User-Name = "remote-nocengr",
Service-Type = Login-User,
Fall-Through = No
DEFAULT Group = "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
Juniper-Local-User-Name = "remote-nocengr",
Service-Type = Login-User,
Fall-Through = Yes
-------------------------------------
/etc/raddb/clients.conf :
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = testing123
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
client juniper-switch-01 {
ipaddr = JUNIPER_SWITCH_IP
nas_types = juniper
secret = Simple123
}
-------------------------------------
[userlogin@SSH_FROM ~]$ ssh JUNIPER_SWITCH_IP
Password:
Received disconnect from JUNIPER_SWITCH_IP port 22:2: Too many password failures for userlogin
Authentication failed.
-------------------------------------
radiusd -X output:
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/ldap
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/rfc7542
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client nm-gsf14-x16b {
ipaddr = JUNIPER_SWITCH_IP
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = LDAP
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MY.DOMAIN.TLD} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/bin/ntlm_auth --request-nt-key --domain=MY.DOMAIN.TLD --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
ldap {
server = "AD-DC-1_IP"
port = 389
identity = "SERVICE_ACCOUNT"
password = <<< secret >>>
sasl {
}
user_dn = "LDAP-UserDn"
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=group)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
membership_filter = "(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
cacheable_name = no
cacheable_dn = yes
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
}
}
Creating attribute LDAP-Group
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "PROFILE=SYSTEM"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20446
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://AD-DC-1_IP:389 ldap://AD-DC-2_IP:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://AD-DC-1_IP:389 ldap://AD-DC-2_IP:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://AD-DC-1_IP:389 ldap://AD-DC-2_IP:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldap://AD-DC-1_IP:389 ldap://AD-DC-2_IP:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://AD-DC-1_IP:389 ldap://AD-DC-2_IP:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 50293
Ready to process requests
(0) Received Access-Request Id 159 from JUNIPER_SWITCH_IP:50002 to RADIUS_SERVER_IP:1812 length 89
(0) User-Name = "userlogin"
(0) User-Password = "XXXXXXXXXXXXXXX"
(0) NAS-Identifier = "juniper-switch-01"
(0) Calling-Station-Id = "SSH_FROM_IP"
(0) NAS-IP-Address = JUNIPER_SWITCH_IP
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "userlogin", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: Searching for user in group "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
rlm_ldap (ldap): Reserved connection (0)
(0) files: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (sAMAccountName=userlogin)
(0) files: Performing search in "OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" with filter "(sAMAccountName=userlogin)", scope "sub"
(0) files: Waiting for search result...
(0) files: User object found at DN "CN=User Login,OU=Systems,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) files: Checking for user in group objects
(0) files: EXPAND (&(objectClass=group)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) files: --> (&(objectClass=group)(|(member=CN\3dUser Login\2cOU\3dSystems\2cOU\3dUSERS1\2cDC\3ddc1\2cDC\3ddc2\2cDC\3ddc3\2cDC\3ddc4)(memberUid=userlogin)))
(0) files: Performing search in "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" with filter "(&(objectClass=group)(|(member=CN\3dUser Login\2cOU\3dSystems\2cOU\3dUSERS1\2cDC\3ddc1\2cDC\3ddc2\2cDC\3ddc3\2cDC\3ddc4)(memberUid=userlogin)))", scope "sub"
(0) files: Waiting for search result...
(0) files: User found in group object "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://AD-DC-1_IP:389 ldap://AD-DC-2_IP:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) files: users: Matched entry DEFAULT at line 5
(0) [files] = ok
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (sAMAccountName=userlogin)
(0) ldap: Performing search in "OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" with filter "(sAMAccountName=userlogin)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "CN=User Login,OU=Systems,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) ldap: Adding cacheable user object memberships
(0) ldap: &control:LDAP-Group += "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: EXPAND (&(objectClass=group)(|(member=%{control:LDAP-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) ldap: --> (&(objectClass=group)(|(member=CN\3dUser Login\2cOU\3dSystems\2cOU\3dUSERS1\2cDC\3ddc1\2cDC\3ddc2\2cDC\3ddc3\2cDC\3ddc4)(memberUid=userlogin)))
(0) ldap: Performing search in "OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" with filter "(&(objectClass=group)(|(member=CN\3dUser Login\2cOU\3dSystems\2cOU\3dUSERS1\2cDC\3ddc1\2cDC\3ddc2\2cDC\3ddc3\2cDC\3ddc4)(memberUid=userlogin)))", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Adding cacheable group object memberships
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=…"
(0) ldap: &control:LDAP-Group += "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
(0) [ldap] = ok
(0) if ((ok|| updated) && User-Password) {
(0) if ((ok|| updated) && User-Password) -> TRUE
(0) if ((ok|| updated) && User-Password) {
(0) update {
(0) control:Auth-Type := LDAP
(0) } # update = noop
(0) } # if ((ok|| updated) && User-Password) = noop
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (2)
(0) ldap: Login attempt by "userlogin"
(0) ldap: Using user DN from request "CN=User Login,OU=Systems,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "CN=User Login,OU=Systems,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" was successful
rlm_ldap (ldap): Released connection (2)
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) if (LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" ) {
(0) Searching for user in group "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) User found. Matched cached membership
(0) if (LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" ) -> TRUE
(0) if (LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" ) {
(0) update reply {
(0) EXPAND %{control:LDAP-Group}
(0) --> CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4
(0) Reply-Message := CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4
(0) } # update reply = noop
(0) } # if (LDAP-Group == "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4" ) = noop
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 159 from RADIUS_SERVER_IP:1812 to JUNIPER_SWITCH_IP:50002 length 0
(0) Reply-Message := "CN=engineer,OU=Network,OU=USERS1,DC=dc1,DC=dc2,DC=dc3,DC=dc4"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 159 with timestamp +9
Ready to process requests
3
3
Hi,
I've got working 2 factor (challenge-response) authentication by
rlm_perl module (https://github.com/LinOTP/linotp-auth-freeradius-perl)
I'm trying to secure this communication within tunnel (EAP-TTLS), but it
ends with a message: No tunneled reply was found for request.
If I disable challenge-response while using EAP-TTLS it works like a
charm - Auth-Type linotp2 ends with ok state, and sends Access-Accept
through tunnel.
I've got no idea why it's not working with Access-Challenge reply and I
think I've already tried every possible setup.
This is my ttls config:
ttls {
tls = "tls-common"
default_eap_type = "gtc"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
and debug output:
(5) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} ->
'password'
(5) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'username'
(5) perl: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1200'
(5) perl: ERROR: Failed to create pair - failed to parse time string
"sie 10 2022 11:23:48 CEST"
(5) perl: ERROR: &request:Event-Timestamp =
$RAD_REQUEST{'Event-Timestamp'} -> 'sie 10 2022 11:23:48 CEST'
(5) perl: &request:Framed-IP-Address = $RAD_REQUEST{'Framed-IP-Address'}
-> 'some_IP'
(5) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Framed-User'
(5) perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} ->
'linotp'
(5) perl: &request:FreeRADIUS-Proxied-To =
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(5) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->
'some_IP'
(5) perl: &reply:State = $RAD_REPLY{'State'} -> '81561830980360'
(5) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} ->
'Multiple challenges submitted.'
(5) perl: &control:Response-Packet-Type =
$RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(5) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'linotp2'
(5) [perl] = handled
(5) } # Auth-Type linotp2 = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) State = 0x3831353631383330393830333630
(5) Reply-Message = "Multiple challenges submitted."
(5) eap_ttls: No tunneled reply was found for request 5 , and the
request was not proxied: rejecting the user.
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
Thanks for any advice and tips.
Przemek
2
3
Setting up RADIUS to send accounting packets to multiple database servers simultaneously
by Sea Gull 10 Aug '22
by Sea Gull 10 Aug '22
10 Aug '22
Hi,
I would like to set up RADIUS to send accounting packets to a local
MySQL database and a remote PostgreSQL database. From the research that I
did, this does not seem to be possible unless having them set redundant to
each other. Is there a possible way to achieve this, please?
I have started by setting up RADIUS to write accounting packets to the
remote PostgreSQL, which was successful. However, I needed to test that if
the remote database is unavailable, RADIUS will still start up.
Unfortunately, although I did the change below, RADIUS will not start if
the PostgreSQL database is not available. How is it possible to accomplish
this, if not as shown below, please?
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# database being available.
start = 0
Furthermore, I am attaching RADIUS debug logs showing what I've explained
above.
Thanks in advance.
Kind Regards,
SG
4
5