Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2022
- 29 participants
- 39 discussions
All,
I've got authentication working nicely with MSCHAP, but now I'd like to
only allow users that are members of a certain AD group.
I would prefer to have this happen only when requests come from a
specific client (wireless access point). In this case the idea is to
have users only be able to get wireless access when they're in a
specific AD group.
How can I do this in freeradius?
Thanks,
Brian
7
18
Hi everyone!
I am facing a problem when freeradius reports that the limit of open
sessions has been reached. These are log entries, like "Too many open
sessions. Try increasing "max_sessions" in the EAP module configuration".
During the debugging, it was determined that some ios devices
(ipad/iphone), for a reason unknown to me, cyclically cannot complete
eap/tls authentication process. I found that these devices successfully
start communicating with the NAS (send EAP-Response/Identity). But after
receiving the (TLS Start)-message, they no longer send the (TLS
client_hello)-message, and restart the association process with the access
point and therefore open a new EAP session. If recreate a wifi connection
on such a device, it will connect successfully.
Until I find the root cause of this behavior, I would like to monitor the
number of open sessions of the radius server. But I couldn't find a
suitable way to do it. Here is what I tried:
- use the "status server" tool, but there is no suitable one among its
counters
- use tool "control-socket" and radmin but also i didn't find suitable
counter
Can you help me with this question?
Thanks!
2
4
Hello,
For some times now, Android 11 requires cert validation in WiFi
connections (see [1]).
At the same time, Android 11 also makes it much harder for end users
to import self-signed root CA (see [2]).
As I provide WiFi connectivity in BYOD environments and can't help end
users when they import certs, I choosed to test PEAP/MSCHAPv2 with
LetsEncrypt certs though I know this would be less secure than with
self-signed root CA.
I'm planning to generate and renew LetsEncrypt cert on a remote
Internet-connected host, and then copy both privkey.pem and
fullchain.pem files to Freeradius instance, as suggested by [3].
In my lab setup, I'm using a Samsung Galaxy Tab A7 Lite to test.
Though being Android 11-powered, this device also allows
Do-Not-Validate pre-Android 11 option !
When I connect to WiFi with this device, I'm using the following settings:
Identity: bar
Password: whateverneeded
CA Certificate: use system certificate
Online cert status: do not validate
Domain: the exact CN value
My lab setup includes:
- a Freeradius 3.0.21 on Debian Bullseye
- a Unifi WiFi Network 6.5.55 with WiFi AP
- a Samsung Galaxy Tab A7 Lite
- valid LetsEncrypt certs
My certs files are copied into Freeradius host as:
# ls -l /etc/freeradius/3.0/certs/letsencrypt/
total 12
-rw-r----- 1 freerad freerad 5604 27 juin 19:04 fullchain.pem
-rw------- 1 freerad freerad 1704 27 juin 19:04 privkey.pem
# openssl x509 -dates -noout -in
/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem
notBefore=May 28 17:32:21 2022 GMT
notAfter=Aug 26 17:32:20 2022 GMT
[1] https://internet-access-guide.com/android-wifi-ca-certificate-do-not-valida…
[2] https://httptoolkit.tech/blog/android-11-trust-ca-certificates/
[3] https://framebyframewifi.net/2017/01/29/use-lets-encrypt-certificates-with-…
When I connect to WiFi, this is part of freeradius -X output:
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
...
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/letsencrypt/privkey.pem"
certificate_file = "/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "cache_eap" from file
/etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 56401
Listening on proxy address :: port 45775
Ready to process requests
(26) eap: Peer sent EAP Response (code 2) ID 1 length 141
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0xc733062dc6321fce
(26) eap: Finished EAP session with state 0xc733062dc6321fce
(26) eap: Previous EAP request found for state 0xc733062dc6321fce,
released from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(26) eap_peap: Got complete TLS record (131 bytes)
(26) eap_peap: [eaptls verify] = length included
(26) eap_peap: (other): before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello
(26) eap_peap: >>> send TLS 1.2 [length 003d]
(26) eap_peap: TLS_accept: SSLv3/TLS write server hello
(26) eap_peap: >>> send TLS 1.2 [length 0fbe]
(26) eap_peap: TLS_accept: SSLv3/TLS write certificate
(26) eap_peap: >>> send TLS 1.2 [length 014d]
(26) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(26) eap_peap: >>> send TLS 1.2 [length 0004]
(26) eap_peap: TLS_accept: SSLv3/TLS write server done
(26) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(26) eap_peap: TLS - In Handshake Phase
(26) eap_peap: TLS - got 4448 bytes of data
(26) eap_peap: [eaptls process] = handled
(26) eap: Sending EAP Request (code 1) ID 2 length 1004
(26) eap: EAP session adding &reply:State = 0xc733062dc5311fce
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) Challenge { ... } # empty sub-section is ignored
(26) Sent Access-Challenge Id 43 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(26) EAP-Message =
0x010203ec19c000001160160303003d020000390303af5657898d92eefe5085a4ad3604bed4f0f0b48e39cd7ada954fbee1b104098800c02f000011ff01000100000b000403000102001700001603030fbe0b000fba000fb70005303082052c30820414a003020102021203734b50cf2bcbeb7c22ada836c00a3f624f300d06092a864886f70d01010b05003032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b3009060355040313025233301e170d3232303532383137333232315a170d3232303832363137333232305a301e311c301a06035504031313686f7374332e706572656e69702e636c6f756430820122300d06092a864886f70d01010105000382010f003082010a0282010100e653da7ed722cc166a21b4055852edc8973b7daa624eb8897805f735be194e49d231f0d04e2d091679c8a1f9075bf6051d24661042467c293e77827ed8de02eacf8132699f9aac89cb9471f1857c292dca4cc9d69608d7
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0xc733062dc5311fceda200d98107c2728
(26) Finished request
Waking up in 4.9 seconds.
(27) Received Access-Request Id 44 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(27) User-Name = "bar"
(27) NAS-IP-Address = 192.168.1.50
(27) NAS-Identifier = "f09fc2f50d43"
(27) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(27) NAS-Port-Type = Wireless-802.11
(27) Service-Type = Framed-User
(27) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(27) Connect-Info = "CONNECT 0Mbps 802.11b"
(27) Acct-Session-Id = "2087B41CCAAC0F74"
(27) Acct-Multi-Session-Id = "C546EF77BB09F037"
(27) WLAN-Pairwise-Cipher = 1027076
(27) WLAN-Group-Cipher = 1027076
(27) WLAN-AKM-Suite = 1027073
(27) Framed-MTU = 1400
(27) EAP-Message = 0x020200061900
(27) State = 0xc733062dc5311fceda200d98107c2728
(27) Message-Authenticator = 0x39f4e95b5909f1152843a2e02fbaffde
(27) session-state: No cached attributes
(27) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (&User-Name) {
(27) if (&User-Name) -> TRUE
(27) if (&User-Name) {
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@[^@]*@/ ) {
(27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /(a)\./) {
(27) if (&User-Name =~ /(a)\./) -> FALSE
(27) } # if (&User-Name) = notfound
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [chap] = noop
(27) [mschap] = noop
(27) [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "bar", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) eap: Peer sent EAP Response (code 2) ID 2 length 6
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0xc733062dc5311fce
(27) eap: Finished EAP session with state 0xc733062dc5311fce
(27) eap: Previous EAP request found for state 0xc733062dc5311fce,
released from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: Peer ACKed our handshake fragment
(27) eap_peap: [eaptls verify] = request
(27) eap_peap: [eaptls process] = handled
(27) eap: Sending EAP Request (code 1) ID 3 length 1000
(27) eap: EAP session adding &reply:State = 0xc733062dc4301fce
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) Challenge { ... } # empty sub-section is ignored
(27) Sent Access-Challenge Id 44 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(27) EAP-Message =
0x010303e81940cca15e2a9dd6bfa61b4d866fdcc7284c9a6a860076002979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784000001810bf0d4030000040300473045022037d7b0385f16f2b16e8903082d51bb15604c0262cd7473239d165e5ca5a858740221009c92c932de42f9d7883a89cd8ddc171d91a0f5b0d2e77b6886d1ea473f7fbe17300d06092a864886f70d01010b05000382010100731334fe1bbdc145631a0ddd0e7174e87df1da2cf6b032521bba82995c0460886e5b751c5f0b417ad32fa987caac9f61be48ec68673e33bc5a1deebe1004c5546cb3ef098495ab393bd60c614e132ad13e5fe0ca56106aeb92cf1f4e6de2f8f736bc1e94b7659439b711b931ba2174abb85ef05347b7d82f18411fe147f74939fbe311977c50c90b7c7720e890b59300fef66c0c7b84cd536cbde1aee6231f21550751613cba3ad52f48c82b2cc0de8e38764ba3c988a8cd37994500c1233288e294319b95c4600a48b3094eadf3ac1d68bf
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0xc733062dc4301fceda200d98107c2728
(27) Finished request
Waking up in 4.9 seconds.
(28) Received Access-Request Id 45 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(28) User-Name = "bar"
(28) NAS-IP-Address = 192.168.1.50
(28) NAS-Identifier = "f09fc2f50d43"
(28) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(28) NAS-Port-Type = Wireless-802.11
(28) Service-Type = Framed-User
(28) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) Acct-Session-Id = "2087B41CCAAC0F74"
(28) Acct-Multi-Session-Id = "C546EF77BB09F037"
(28) WLAN-Pairwise-Cipher = 1027076
(28) WLAN-Group-Cipher = 1027076
(28) WLAN-AKM-Suite = 1027073
(28) Framed-MTU = 1400
(28) EAP-Message = 0x020300061900
(28) State = 0xc733062dc4301fceda200d98107c2728
(28) Message-Authenticator = 0x441e1d2d2df0e955fe4065c44cb93a6b
(28) session-state: No cached attributes
(28) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(28) authorize {
(28) policy filter_username {
(28) if (&User-Name) {
(28) if (&User-Name) -> TRUE
(28) if (&User-Name) {
(28) if (&User-Name =~ / /) {
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ ) {
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ ) {
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(28) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/) {
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /(a)\./) {
(28) if (&User-Name =~ /(a)\./) -> FALSE
(28) } # if (&User-Name) = notfound
(28) } # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "bar", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 3 length 6
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) authenticate {
(28) eap: Expiring EAP session with state 0xc733062dc4301fce
(28) eap: Finished EAP session with state 0xc733062dc4301fce
(28) eap: Previous EAP request found for state 0xc733062dc4301fce,
released from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: Peer ACKed our handshake fragment
(28) eap_peap: [eaptls verify] = request
(28) eap_peap: [eaptls process] = handled
(28) eap: Sending EAP Request (code 1) ID 4 length 1000
(28) eap: EAP session adding &reply:State = 0xc733062dc3371fce
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) Challenge { ... } # empty sub-section is ignored
(28) Sent Access-Challenge Id 45 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(28) EAP-Message =
0x010403e8194001ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0xc733062dc3371fceda200d98107c2728
(28) Finished request
Waking up in 4.9 seconds.
(29) Received Access-Request Id 46 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(29) User-Name = "bar"
(29) NAS-IP-Address = 192.168.1.50
(29) NAS-Identifier = "f09fc2f50d43"
(29) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(29) NAS-Port-Type = Wireless-802.11
(29) Service-Type = Framed-User
(29) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(29) Connect-Info = "CONNECT 0Mbps 802.11b"
(29) Acct-Session-Id = "2087B41CCAAC0F74"
(29) Acct-Multi-Session-Id = "C546EF77BB09F037"
(29) WLAN-Pairwise-Cipher = 1027076
(29) WLAN-Group-Cipher = 1027076
(29) WLAN-AKM-Suite = 1027073
(29) Framed-MTU = 1400
(29) EAP-Message = 0x020400061900
(29) State = 0xc733062dc3371fceda200d98107c2728
(29) Message-Authenticator = 0x662064b545b5aa385ea1ebd63c5d881b
(29) session-state: No cached attributes
(29) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /(a)\./) {
(29) if (&User-Name =~ /(a)\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [chap] = noop
(29) [mschap] = noop
(29) [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "bar", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 4 length 6
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0xc733062dc3371fce
(29) eap: Finished EAP session with state 0xc733062dc3371fce
(29) eap: Previous EAP request found for state 0xc733062dc3371fce,
released from the list
(29) eap: Peer sent packet with method EAP PEAP (25)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Continuing EAP-TLS
(29) eap_peap: Peer ACKed our handshake fragment
(29) eap_peap: [eaptls verify] = request
(29) eap_peap: [eaptls process] = handled
(29) eap: Sending EAP Request (code 1) ID 5 length 1000
(29) eap: EAP session adding &reply:State = 0xc733062dc2361fce
(29) [eap] = handled
(29) } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) Challenge { ... } # empty sub-section is ignored
(29) Sent Access-Challenge Id 46 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(29) EAP-Message =
0x010503e81940f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd0
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0xc733062dc2361fceda200d98107c2728
(29) Finished request
Waking up in 4.8 seconds.
(30) Received Access-Request Id 47 from 192.168.1.50:58452 to
192.168.1.244:1812 length 231
(30) User-Name = "bar"
(30) NAS-IP-Address = 192.168.1.50
(30) NAS-Identifier = "f09fc2f50d43"
(30) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(30) NAS-Port-Type = Wireless-802.11
(30) Service-Type = Framed-User
(30) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(30) Connect-Info = "CONNECT 0Mbps 802.11b"
(30) Acct-Session-Id = "2087B41CCAAC0F74"
(30) Acct-Multi-Session-Id = "C546EF77BB09F037"
(30) WLAN-Pairwise-Cipher = 1027076
(30) WLAN-Group-Cipher = 1027076
(30) WLAN-AKM-Suite = 1027073
(30) Framed-MTU = 1400
(30) EAP-Message = 0x020500061900
(30) State = 0xc733062dc2361fceda200d98107c2728
(30) Message-Authenticator = 0xdb1a11eda65bfd28f2bae8a4467c4bea
(30) session-state: No cached attributes
(30) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /(a)\./) {
(30) if (&User-Name =~ /(a)\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) [chap] = noop
(30) [mschap] = noop
(30) [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "bar", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 5 length 6
(30) eap: Continuing tunnel setup
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) authenticate {
(30) eap: Expiring EAP session with state 0xc733062dc2361fce
(30) eap: Finished EAP session with state 0xc733062dc2361fce
(30) eap: Previous EAP request found for state 0xc733062dc2361fce,
released from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: Peer ACKed our handshake fragment
(30) eap_peap: [eaptls verify] = request
(30) eap_peap: [eaptls process] = handled
(30) eap: Sending EAP Request (code 1) ID 6 length 478
(30) eap: EAP session adding &reply:State = 0xc733062dc1351fce
(30) [eap] = handled
(30) } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) Challenge { ... } # empty sub-section is ignored
(30) Sent Access-Challenge Id 47 from 192.168.1.244:1812 to
192.168.1.50:58452 length 0
(30) EAP-Message =
0x010601de1900676dc257c5463941cf8a5883586d99fe57e8360ef00e23aafd8897d0e35c0e9449b5b51735d22ebf4e85ef18e08592eb063b6c29230960dc45024c12183be9fb0ededc44f85898aeeabd4545a1885d66cafe10e96f82c811420dfbe9ece38600de9d10e338faa47db1d8e8498284069b2be86b4f010c38772ef9dde739160303014d0c0001490300174104182d51bb94eedf8e4d45ba672b11c1683550862e7b3cbcc4c060eeb4bb6a788ba97e3226321cf8ba7055f70228fd8fbd726b203aaecea3297f2f15e87c0e13190804010065efa44cf7b89671f95ce0791208321c652e630ca175e1c4c11946ffa99a7ecddf6f6e5bc8b7689bca97ea17a48c085474e867dc62b2102a477c4a022336e02e2e4e38d5542a7c69276d22fd961b4022e88c54c7fe6fad2d1176b734f007a2af32ae3fd62b53a6fcd2da0b78040ee68241e4435189e87093b227e4f4f9ebb3c1b3da591bd3c129f70dcd71fca22d92ceaa6318dfcf6397a92d127e2a999be84a9be8
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0xc733062dc1351fceda200d98107c2728
(30) Finished request
Waking up in 4.8 seconds.
(31) Received Access-Request Id 48 from 192.168.1.50:58452 to
192.168.1.244:1812 length 242
(31) User-Name = "bar"
(31) NAS-IP-Address = 192.168.1.50
(31) NAS-Identifier = "f09fc2f50d43"
(31) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(31) NAS-Port-Type = Wireless-802.11
(31) Service-Type = Framed-User
(31) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(31) Connect-Info = "CONNECT 0Mbps 802.11b"
(31) Acct-Session-Id = "2087B41CCAAC0F74"
(31) Acct-Multi-Session-Id = "C546EF77BB09F037"
(31) WLAN-Pairwise-Cipher = 1027076
(31) WLAN-Group-Cipher = 1027076
(31) WLAN-AKM-Suite = 1027073
(31) Framed-MTU = 1400
(31) EAP-Message = 0x020600111980000000071503030002022d
(31) State = 0xc733062dc1351fceda200d98107c2728
(31) Message-Authenticator = 0x96fa48935246587652cd6219e8243639
(31) session-state: No cached attributes
(31) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /(a)\./) {
(31) if (&User-Name =~ /(a)\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [preprocess] = ok
(31) [chap] = noop
(31) [mschap] = noop
(31) [digest] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "bar", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 6 length 17
(31) eap: Continuing tunnel setup
(31) [eap] = ok
(31) } # authorize = ok
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) authenticate {
(31) eap: Expiring EAP session with state 0xc733062dc1351fce
(31) eap: Finished EAP session with state 0xc733062dc1351fce
(31) eap: Previous EAP request found for state 0xc733062dc1351fce,
released from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(31) eap_peap: Got complete TLS record (7 bytes)
(31) eap_peap: [eaptls verify] = length included
(31) eap_peap: <<< recv TLS 1.2 [length 0002]
(31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(31) eap_peap: TLS_accept: Need to read more data: error
(31) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate
expired
(31) eap_peap: TLS - In Handshake Phase
(31) eap_peap: TLS - Application data.
(31) eap_peap: ERROR: TLS failed during operation
(31) eap_peap: ERROR: [eaptls process] = fail
(31) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(31) eap: Sending EAP Failure (code 4) ID 6 length 4
(31) eap: Failed in EAP select
(31) [eap] = invalid
(31) } # authenticate = invalid
(31) Failed to authenticate the user
(31) Using Post-Auth-Type Reject
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) Post-Auth-Type REJECT {
(31) attr_filter.access_reject: EXPAND %{User-Name}
(31) attr_filter.access_reject: --> bar
(31) attr_filter.access_reject: Matched entry DEFAULT at line 11
(31) [attr_filter.access_reject] = updated
(31) [eap] = noop
(31) policy remove_reply_message_if_eap {
(31) if (&reply:EAP-Message && &reply:Reply-Message) {
(31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(31) else {
(31) [noop] = noop
(31) } # else = noop
(31) } # policy remove_reply_message_if_eap = noop
(31) } # Post-Auth-Type REJECT = updated
(31) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(31) Sending delayed response
(31) Sent Access-Reject Id 48 from 192.168.1.244:1812 to
192.168.1.50:58452 length 44
(31) EAP-Message = 0x04060004
(31) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(24) Cleaning up request packet ID 41 with timestamp +308
How can I correct this ?
Best regards
3
5
14 Oct '22
Hello everyone, and thank you for your future help in solving this problem.
I’m trying to implement, a FreeRADIUS server for a wired usage using
EAP-TTLS/PAP protocol, I’m authorizing my users based on their credentials
saved in the users file.
I’ve created my certificates (CA and server) following the recommended
guidelines.
When I test EAP-TTLS/PAP with eapol_test, i’ve got a success message, the
same goes when I authenticate on my laptop under Windows 11 OS, with
EAP-PEAP, while previously disabling « check the identity of the server… ».
And when I click on the connect button after sending my credentials, to
acknowledge my certificate is not safe, I succeed to connect.
But when I try to authenticate with EAP-TTLS/PAP, it fails when I click on «
connect », I don’t have any following response to my Access-Challenge
packets.
I know there is an article on wiki.freeradius about certificate
compatibility, but I’ve not been able to solve the problem even with it.
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/digest
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/rfc7542
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipv4addr = 127.0.0.1
port = 1812
type = "auth"
proto = "udp"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
proto = "udp"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client private-network-1 {
ipaddr = 10.101.0.20
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p1-p173-001 {
ipv4addr = 10.100.0.16
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_nico_p173"
nas_type = "cisco"
virtual_server = "serveur_eap_ttls_pap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p173-002 {
ipv4addr = 10.100.0.50
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_said_edward_p173"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client test-network {
ipaddr = 10.112.0.136
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
with_alvarion_vsa_hack = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 16384
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference =
"Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
instantiate {
}
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "PROFILE=SYSTEM"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
url = http://127.0.0.1/ocsp/
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on proxy address * port 56698
Ready to process requests
(0) Received Accounting-Request Id 60 from 10.100.0.50:1646 to
10.101.0.20:1813 length 285
(0) Acct-Session-Id = "0000006A"
(0) Cisco-AVPair = "audit-session-id=0A6400320000003BB2AB2641"
(0) User-Name = "test"
(0) Acct-Authentic = RADIUS
(0) Acct-Terminate-Cause = Lost-Carrier
(0) Cisco-AVPair = "disc-cause-ext=No Reason"
(0) Cisco-AVPair = "connect-progress=Call Up"
(0) Acct-Session-Time = 93
(0) Acct-Input-Octets = 14097
(0) Acct-Output-Octets = 19204
(0) Acct-Input-Packets = 127
(0) Acct-Output-Packets = 74
(0) Acct-Status-Type = Stop
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50006
(0) NAS-Port-Id = "GigabitEthernet0/6"
(0) Called-Station-Id = "24-01-C7-8E-84-86"
(0) Calling-Station-Id = "74-78-27-1B-F2-78"
(0) Service-Type = Framed-User
(0) NAS-IP-Address = 10.100.0.50
(0) Acct-Delay-Time = 19
(0) # Executing section preacct from file /etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) update request {
(0) &Tmp-String-9 := "ai:"
(0) } # update request = noop
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(0) EXPAND %{hex:&Class}
(0) -->
(0) EXPAND ^%{hex:&Tmp-String-9}
(0) --> ^61693a
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(0) else {
(0) update request {
(0) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> 0391b84a0867b3fc2bafaf4741bd212a
(0) &Acct-Unique-Session-Id := 0391b84a0867b3fc2bafaf4741bd212a
(0) } # update request = noop
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(0) accounting {
(0) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(0) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail: EXPAND %t
(0) detail: --> Mon Jul 25 18:15:40 2022
(0) [detail] = ok
(0) [unix] = ok
(0) radutmp: EXPAND /var/log/radius/radutmp
(0) radutmp: --> /var/log/radius/radutmp
(0) radutmp: EXPAND %{User-Name}
(0) radutmp: --> test
(0) [radutmp] = ok
(0) sradutmp: EXPAND /var/log/radius/sradutmp
(0) sradutmp: --> /var/log/radius/sradutmp
(0) sradutmp: EXPAND %{User-Name}
(0) sradutmp: --> test
(0) [sradutmp] = ok
(0) [exec] = noop
(0) attr_filter.accounting_response: EXPAND %{User-Name}
(0) attr_filter.accounting_response: --> test
(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(0) [attr_filter.accounting_response] = updated
(0) } # accounting = updated
(0) Sent Accounting-Response Id 60 from 10.101.0.20:1813 to 10.100.0.50:1646
length 0
(0) Finished request
(0) Cleaning up request packet ID 60 with timestamp +3
Ready to process requests
(1) Received Access-Request Id 0 from 127.0.0.1:48058 to 127.0.0.1:1812
length 142
(1) User-Name = "anonymous_test"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x02a1001301616e6f6e796d6f75735f74657374
(1) Message-Authenticator = 0x63e0215c3759e15af3f8b2b777ce8370
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 161 length 19
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Auth-Type eap {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 162 length 6
(1) eap: EAP session adding &reply:State = 0x594837c159ea227a
(1) [eap] = handled
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) attr_filter.access_challenge: EXPAND %{User-Name}
(1) attr_filter.access_challenge: --> anonymous_test
(1) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(1) [attr_filter.access_challenge.post-auth] = updated
(1) [handled] = handled
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(1) } # Auth-Type eap = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(1) EAP-Message = 0x01a200061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x594837c159ea227a35f4296c6c550caa
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 1 from 127.0.0.1:48058 to 127.0.0.1:1812
length 343
(2) User-Name = "anonymous_test"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message =
0x02a200ca150016030100bf010000bb03037526679cd3ccd5346e9ffc32b3a61bc85036d03f
f978485f54af4c4c4713eef2000048c02cc030cca9cca8c0adc02bc02fc0acc023c027c00ac0
14c009c013009dc09d009cc09c003d003c0035002f009fccaac09f009ec09e006b0067003900
33c008c012000a001600ff0100004a000b000403000102000a000c000a001d0017001e001900
180016000000170000000d002600240403050306030807080808090804080a0805080b080604
01050106010303030102030201
(2) State = 0x594837c159ea227a35f4296c6c550caa
(2) Message-Authenticator = 0xa2ab78a30c2fd4c0b1e73fbaaa7c1007
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 162 length 202
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Auth-Type eap {
(2) eap: Expiring EAP session with state 0x594837c159ea227a
(2) eap: Finished EAP session with state 0x594837c159ea227a
(2) eap: Previous EAP request found for state 0x594837c159ea227a, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Got final TLS record fragment (196 bytes)
(2) eap_ttls: WARNING: Total received TLS record fragments (196 bytes), does
not equal indicated TLS record length (0 bytes)
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv TLS 1.3 [length 00bf]
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2 [length 003d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2 [length 08e9]
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2 [length 014d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(2) eap_ttls: >>> send TLS 1.2 [length 0004]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 2699 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 163 length 1014
(2) eap: EAP session adding &reply:State = 0x594837c158eb227a
(2) [eap] = handled
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) EXPAND Response-Packet-Type
(2) --> Access-Challenge
(2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) attr_filter.access_challenge: EXPAND %{User-Name}
(2) attr_filter.access_challenge: --> anonymous_test
(2) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(2) [attr_filter.access_challenge.post-auth] = updated
(2) [handled] = handled
(2) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(2) } # Auth-Type eap = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(2) EAP-Message =
0x01a303f615c000000a8b160303003d020000390303ce7f5bed68f2bdab8d4c8b7ee830f975
965fb3242093f407d9b7f3798ed45b2000c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x594837c158eb227a35f4296c6c550caa
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 2 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(3) User-Name = "anonymous_test"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x02a300061500
(3) State = 0x594837c158eb227a35f4296c6c550caa
(3) Message-Authenticator = 0x0281d393c2571ae6091802af7143b0ed
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 163 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Auth-Type eap {
(3) eap: Expiring EAP session with state 0x594837c158eb227a
(3) eap: Finished EAP session with state 0x594837c158eb227a
(3) eap: Previous EAP request found for state 0x594837c158eb227a, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 164 length 1014
(3) eap: EAP session adding &reply:State = 0x594837c15bec227a
(3) [eap] = handled
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) EXPAND Response-Packet-Type
(3) --> Access-Challenge
(3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) attr_filter.access_challenge: EXPAND %{User-Name}
(3) attr_filter.access_challenge: --> anonymous_test
(3) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(3) [attr_filter.access_challenge.post-auth] = updated
(3) [handled] = handled
(3) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(3) } # Auth-Type eap = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(3) EAP-Message =
0x01a403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91
d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8
62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b
83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06
035504080c065261646975733112301006035504070c09536f6d657768657265311530130603
55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69
6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966
696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038
30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x594837c15bec227a35f4296c6c550caa
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 3 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(4) User-Name = "anonymous_test"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x02a400061500
(4) State = 0x594837c15bec227a35f4296c6c550caa
(4) Message-Authenticator = 0x12aad93ece4c588ec719216bbaecd7fb
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 164 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Auth-Type eap {
(4) eap: Expiring EAP session with state 0x594837c15bec227a
(4) eap: Finished EAP session with state 0x594837c15bec227a
(4) eap: Previous EAP request found for state 0x594837c15bec227a, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 165 length 701
(4) eap: EAP session adding &reply:State = 0x594837c15aed227a
(4) [eap] = handled
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) EXPAND Response-Packet-Type
(4) --> Access-Challenge
(4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) attr_filter.access_challenge: EXPAND %{User-Name}
(4) attr_filter.access_challenge: --> anonymous_test
(4) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(4) [attr_filter.access_challenge.post-auth] = updated
(4) [handled] = handled
(4) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(4) } # Auth-Type eap = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(4) EAP-Message =
0x01a502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029
a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e
63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14
2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac
df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4
5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5
7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973
4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb
c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759
b33199019e7d482f8786044516160303014d0c000149030017410489b770c1cc2ded
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x594837c15aed227a35f4296c6c550caa
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 4 from 127.0.0.1:48058 to 127.0.0.1:1812
length 273
(5) User-Name = "anonymous_test"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
0x02a500841500160303004610000042410490f5fd271b8155492b8cd225df9a917c58da15b7
53f67fd3321719ee5bc61ec5d7dcc4344910224de589c074295c7725827083aa2533f613f392
603ac84822891403030001011603030028297482347c2337f8e1cd6ab9e31cc6bcb3d37932cb
7cf4dbf7e728729f98c928414c9b895270d9c5
(5) State = 0x594837c15aed227a35f4296c6c550caa
(5) Message-Authenticator = 0xdbe58d4e8258b430621002f6a1cde860
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 165 length 132
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Auth-Type eap {
(5) eap: Expiring EAP session with state 0x594837c15aed227a
(5) eap: Finished EAP session with state 0x594837c15aed227a
(5) eap: Previous EAP request found for state 0x594837c15aed227a, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2 [length 0046]
(5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_ttls: <<< recv TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: >>> send TLS 1.2 [length 0001]
(5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_ttls: >>> send TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS write finished
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: TLS - Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap_ttls: TLS - got 51 bytes of data
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 166 length 61
(5) eap: EAP session adding &reply:State = 0x594837c15dee227a
(5) [eap] = handled
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) EXPAND Response-Packet-Type
(5) --> Access-Challenge
(5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) attr_filter.access_challenge: EXPAND %{User-Name}
(5) attr_filter.access_challenge: --> anonymous_test
(5) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(5) [attr_filter.access_challenge.post-auth] = updated
(5) [handled] = handled
(5) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(5) } # Auth-Type eap = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(5) EAP-Message =
0x01a6003d158000000033140303000101160303002868a7ea5e693524f968d02ec14fd7cb5a
629fbd3ff3d28e4a1fee62533733003052e86c7f2303bc2c
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x594837c15dee227a35f4296c6c550caa
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 5 from 127.0.0.1:48058 to 127.0.0.1:1812
length 212
(6) User-Name = "anonymous_test"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message =
0x02a600471500170303003c297482347c2337f99ae8244b354c6918951f0f3bde4cd3a1631f
568103bb1527d53de82d2d036cc96b994d91266bfc523eab035954577cc893219d7c
(6) State = 0x594837c15dee227a35f4296c6c550caa
(6) Message-Authenticator = 0x6aa1c90905881534f18620852003faf3
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 166 length 71
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Auth-Type eap {
(6) eap: Expiring EAP session with state 0x594837c15dee227a
(6) eap: Finished EAP session with state 0x594837c15dee227a
(6) eap: Previous EAP request found for state 0x594837c15dee227a, released
from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "test"
(6) eap_ttls: User-Password = "testing"
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "test"
(6) User-Password = "testing"
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Event-Timestamp = "Jul 25 2022 18:15:48 CEST"
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) files: users: Matched entry test at line 1
(6) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(6) files: --> tu as reussi avec et en etant test
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(6) post-auth {
(6) if (0) {
(6) if (0) -> FALSE
(6) } # post-auth = noop
(6) Login OK: [test] (from client localhost port 0 cli 02-00-00-00-00-01
via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) Reply-Message = "tu as reussi avec et en etant test"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 166 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(6) } # Auth-Type eap = ok
(6) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(6) post-auth {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(6) update {
(6) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(6) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # post-auth = noop
(6) Login OK: [anonymous_test] (from client localhost port 0 cli
02-00-00-00-00-01)
(6) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0
(6) MS-MPPE-Recv-Key =
0xe14135f14a872f650673a7f048b96e42d97e94269c4c9c764cc8957057a9f70a
(6) MS-MPPE-Send-Key =
0x196c96bc3d4308ae0bd2fe7ba2292a4008232c68960bbc67658a13bb966e74fd
(6) EAP-Message = 0x03a60004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) User-Name = "anonymous_test"
(6) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 0 with timestamp +11
(2) Cleaning up request packet ID 1 with timestamp +11
(3) Cleaning up request packet ID 2 with timestamp +11
(4) Cleaning up request packet ID 3 with timestamp +11
(5) Cleaning up request packet ID 4 with timestamp +11
(6) Cleaning up request packet ID 5 with timestamp +11
Ready to process requests
(7) Received Access-Request Id 181 from 10.100.0.50:1645 to 10.101.0.20:1812
length 204
(7) User-Name = "anonymous"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1500
(7) Called-Station-Id = "24-01-C7-8E-84-86"
(7) Calling-Station-Id = "74-78-27-1B-F2-78"
(7) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(7) Message-Authenticator = 0x55c09e83405ccf67b9c08d1e70ac4b1d
(7) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(7) NAS-Port-Type = Ethernet
(7) NAS-Port = 50006
(7) NAS-Port-Id = "GigabitEthernet0/6"
(7) NAS-IP-Address = 10.100.0.50
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 14
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Auth-Type eap {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Initiating new TLS session
(7) eap_ttls: [eaptls start] = request
(7) eap: Sending EAP Request (code 1) ID 2 length 6
(7) eap: EAP session adding &reply:State = 0x1aff00fb1afd150b
(7) [eap] = handled
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) EXPAND Response-Packet-Type
(7) --> Access-Challenge
(7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) attr_filter.access_challenge: EXPAND %{User-Name}
(7) attr_filter.access_challenge: --> anonymous
(7) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(7) [attr_filter.access_challenge.post-auth] = updated
(7) [handled] = handled
(7) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(7) } # Auth-Type eap = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 181 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(7) EAP-Message = 0x010200061520
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 182 from 10.100.0.50:1645 to 10.101.0.20:1812
length 380
(8) User-Name = "anonymous"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1500
(8) Called-Station-Id = "24-01-C7-8E-84-86"
(8) Calling-Station-Id = "74-78-27-1B-F2-78"
(8) EAP-Message =
0x020200ac1580000000a2160303009d01000099030362dec1cb4de29748aa3f666036d19548
5065509be2151045e5ff5ad25a8dc96f00002ac02cc02bc030c02f009f009ec024c023c028c0
27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a
00080006001d00170018000b00020100000d001a001808040805080604010501020104030503
02030202060106030023000000170000ff01000100
(8) Message-Authenticator = 0xf4be43381cba5bcb881815edb82aaedc
(8) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50006
(8) NAS-Port-Id = "GigabitEthernet0/6"
(8) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(8) NAS-IP-Address = 10.100.0.50
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 2 length 172
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Auth-Type eap {
(8) eap: Expiring EAP session with state 0x1aff00fb1afd150b
(8) eap: Finished EAP session with state 0x1aff00fb1afd150b
(8) eap: Previous EAP request found for state 0x1aff00fb1afd150b, released
from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: Continuing EAP-TLS
(8) eap_ttls: Peer indicated complete TLS record size will be 162 bytes
(8) eap_ttls: Got complete TLS record (162 bytes)
(8) eap_ttls: [eaptls verify] = length included
(8) eap_ttls: (other): before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: <<< recv TLS 1.3 [length 009d]
(8) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(8) eap_ttls: >>> send TLS 1.2 [length 003d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(8) eap_ttls: >>> send TLS 1.2 [length 08e9]
(8) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(8) eap_ttls: >>> send TLS 1.2 [length 014d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(8) eap_ttls: >>> send TLS 1.2 [length 0004]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server done
(8) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(8) eap_ttls: TLS - In Handshake Phase
(8) eap_ttls: TLS - got 2699 bytes of data
(8) eap_ttls: [eaptls process] = handled
(8) eap: Sending EAP Request (code 1) ID 3 length 1014
(8) eap: EAP session adding &reply:State = 0x1aff00fb1bfc150b
(8) [eap] = handled
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) EXPAND Response-Packet-Type
(8) --> Access-Challenge
(8) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) attr_filter.access_challenge: EXPAND %{User-Name}
(8) attr_filter.access_challenge: --> anonymous
(8) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(8) [attr_filter.access_challenge.post-auth] = updated
(8) [handled] = handled
(8) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(8) } # Auth-Type eap = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 182 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(8) EAP-Message =
0x010303f615c000000a8b160303003d020000390303dc012d9023dc1e70f151f05ebf2e358c
66de5ac2dc909c71b3ff934c6deeb0bb00c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 183 from 10.100.0.50:1645 to 10.101.0.20:1812
length 214
(9) User-Name = "anonymous"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1500
(9) Called-Station-Id = "24-01-C7-8E-84-86"
(9) Calling-Station-Id = "74-78-27-1B-F2-78"
(9) EAP-Message = 0x020300061500
(9) Message-Authenticator = 0x27fa8829f5e4cbd6c0703ff10396bd50
(9) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50006
(9) NAS-Port-Id = "GigabitEthernet0/6"
(9) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(9) NAS-IP-Address = 10.100.0.50
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 3 length 6
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Auth-Type eap {
(9) eap: Expiring EAP session with state 0x1aff00fb1bfc150b
(9) eap: Finished EAP session with state 0x1aff00fb1bfc150b
(9) eap: Previous EAP request found for state 0x1aff00fb1bfc150b, released
from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: Continuing EAP-TLS
(9) eap_ttls: Peer ACKed our handshake fragment
(9) eap_ttls: [eaptls verify] = request
(9) eap_ttls: [eaptls process] = handled
(9) eap: Sending EAP Request (code 1) ID 4 length 1014
(9) eap: EAP session adding &reply:State = 0x1aff00fb18fb150b
(9) [eap] = handled
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) EXPAND Response-Packet-Type
(9) --> Access-Challenge
(9) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) attr_filter.access_challenge: EXPAND %{User-Name}
(9) attr_filter.access_challenge: --> anonymous
(9) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(9) [attr_filter.access_challenge.post-auth] = updated
(9) [handled] = handled
(9) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(9) } # Auth-Type eap = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 183 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(9) EAP-Message =
0x010403f615c000000a8b2191b630136f9c3efec0d255f3b83b044d67821de971742e781d91
d550b267675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd8
62dd0004fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b
83f0300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06
035504080c065261646975733112301006035504070c09536f6d657768657265311530130603
55040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d69
6e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966
696361746520417574686f72697479301e170d3232303630373133353631355a170d32323038
30363133353631355a308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 184 from 10.100.0.50:1645 to
10.101.0.20:1812 length 214
(10) User-Name = "anonymous"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1500
(10) Called-Station-Id = "24-01-C7-8E-84-86"
(10) Calling-Station-Id = "74-78-27-1B-F2-78"
(10) EAP-Message = 0x020400061500
(10) Message-Authenticator = 0xc343c114dc97c30f335f153612ee98ba
(10) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(10) NAS-Port-Type = Ethernet
(10) NAS-Port = 50006
(10) NAS-Port-Id = "GigabitEthernet0/6"
(10) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(10) NAS-IP-Address = 10.100.0.50
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 4 length 6
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Auth-Type eap {
(10) eap: Expiring EAP session with state 0x1aff00fb18fb150b
(10) eap: Finished EAP session with state 0x1aff00fb18fb150b
(10) eap: Previous EAP request found for state 0x1aff00fb18fb150b, released
from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: Continuing EAP-TLS
(10) eap_ttls: Peer ACKed our handshake fragment
(10) eap_ttls: [eaptls verify] = request
(10) eap_ttls: [eaptls process] = handled
(10) eap: Sending EAP Request (code 1) ID 5 length 701
(10) eap: EAP session adding &reply:State = 0x1aff00fb19fa150b
(10) [eap] = handled
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) EXPAND Response-Packet-Type
(10) --> Access-Challenge
(10) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) attr_filter.access_challenge: EXPAND %{User-Name}
(10) attr_filter.access_challenge: --> anonymous
(10) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(10) [attr_filter.access_challenge.post-auth] = updated
(10) [handled] = handled
(10) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(10) } # Auth-Type eap = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 184 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(10) EAP-Message =
0x010502bd158000000a8b1d130101ff040530030101ff30360603551d1f042f302d302ba029
a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e
63726c300d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d14
2dea0f64ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabac
df1f473b35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee4
5ad98a879609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f5
7a3c465449fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb973
4ad9615781be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdb
c7942c0d7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759
b33199019e7d482f8786044516160303014d0c0001490300174104ea71ea5eb3ce16
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(10) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 185 from 10.100.0.50:1645 to
10.101.0.20:1812 length 344
(11) User-Name = "anonymous"
(11) Service-Type = Framed-User
(11) Framed-MTU = 1500
(11) Called-Station-Id = "24-01-C7-8E-84-86"
(11) Calling-Station-Id = "74-78-27-1B-F2-78"
(11) EAP-Message =
0x0205008815800000007e16030300461000004241041bafe37c8a64c35895a588b20bcfdef3
d2b1464ce4d5ae1c8e8e920de9406dc98f4a94b63bcd85a4cbbe35b06823f7cb4f7f6b7cb9ba
6c3f93273bbad00a32a214030300010116030300280000000000000000b2756332a6d5dece72
43e156997beb79b6e0890ac8bdf90da6ada1e3a02371ce
(11) Message-Authenticator = 0x12631f913feb4471ab0fca288c0638f1
(11) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50006
(11) NAS-Port-Id = "GigabitEthernet0/6"
(11) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(11) NAS-IP-Address = 10.100.0.50
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 5 length 136
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Auth-Type eap {
(11) eap: Expiring EAP session with state 0x1aff00fb19fa150b
(11) eap: Finished EAP session with state 0x1aff00fb19fa150b
(11) eap: Previous EAP request found for state 0x1aff00fb19fa150b, released
from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: Continuing EAP-TLS
(11) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(11) eap_ttls: Got complete TLS record (126 bytes)
(11) eap_ttls: [eaptls verify] = length included
(11) eap_ttls: TLS_accept: SSLv3/TLS write server done
(11) eap_ttls: <<< recv TLS 1.2 [length 0046]
(11) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(11) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(11) eap_ttls: <<< recv TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS read finished
(11) eap_ttls: >>> send TLS 1.2 [length 0001]
(11) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(11) eap_ttls: >>> send TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS write finished
(11) eap_ttls: (other): SSL negotiation finished successfully
(11) eap_ttls: TLS - Connection Established
(11) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) eap_ttls: TLS-Session-Version = "TLS 1.2"
(11) eap_ttls: TLS - got 51 bytes of data
(11) eap_ttls: [eaptls process] = handled
(11) eap: Sending EAP Request (code 1) ID 6 length 61
(11) eap: EAP session adding &reply:State = 0x1aff00fb1ef9150b
(11) [eap] = handled
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) EXPAND Response-Packet-Type
(11) --> Access-Challenge
(11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) attr_filter.access_challenge: EXPAND %{User-Name}
(11) attr_filter.access_challenge: --> anonymous
(11) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(11) [attr_filter.access_challenge.post-auth] = updated
(11) [handled] = handled
(11) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(11) } # Auth-Type eap = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) session-state: Saving cached attributes
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) Sent Access-Challenge Id 185 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(11) EAP-Message =
0x0106003d158000000033140303000101160303002890e19eed4974783059ef0d676e70aab3
470cc68cadd1254943ddd9bbe1307ceed06dc7a28a15b4b1
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x1aff00fb1ef9150bdec157b3b6aa7742
(11) Finished request
Waking up in 4.8 seconds.
(7) Cleaning up request packet ID 181 with timestamp +35
(8) Cleaning up request packet ID 182 with timestamp +35
(9) Cleaning up request packet ID 183 with timestamp +35
(10) Cleaning up request packet ID 184 with timestamp +35
(11) Cleaning up request packet ID 185 with timestamp +35
Ready to process requests
(12) Received Access-Request Id 186 from 10.100.0.50:1645 to
10.101.0.20:1812 length 194
(12) User-Name = "test"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1500
(12) Called-Station-Id = "24-01-C7-8E-84-86"
(12) Calling-Station-Id = "74-78-27-1B-F2-78"
(12) EAP-Message = 0x020100090174657374
(12) Message-Authenticator = 0x5064878bed8665909256b735e175b2d4
(12) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(12) NAS-Port-Type = Ethernet
(12) NAS-Port = 50006
(12) NAS-Port-Id = "GigabitEthernet0/6"
(12) NAS-IP-Address = 10.100.0.50
(12) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /(a)\./) {
(12) if (&User-Name =~ /(a)\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "test", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 1 length 9
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Auth-Type eap {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_ttls to process data
(12) eap_ttls: Initiating new TLS session
(12) eap_ttls: [eaptls start] = request
(12) eap: Sending EAP Request (code 1) ID 2 length 6
(12) eap: EAP session adding &reply:State = 0x5709dc2c570bc95d
(12) [eap] = handled
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) EXPAND Response-Packet-Type
(12) --> Access-Challenge
(12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) attr_filter.access_challenge: EXPAND %{User-Name}
(12) attr_filter.access_challenge: --> test
(12) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(12) [attr_filter.access_challenge.post-auth] = updated
(12) [handled] = handled
(12) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(12) } # Auth-Type eap = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Challenge { ... } # empty sub-section is ignored
(12) Sent Access-Challenge Id 186 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(12) EAP-Message = 0x010200061520
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0x5709dc2c570bc95d080b76220813d0d4
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 187 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(13) User-Name = "test"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1500
(13) Called-Station-Id = "24-01-C7-8E-84-86"
(13) Calling-Station-Id = "74-78-27-1B-F2-78"
(13) EAP-Message = 0x020200060319
(13) Message-Authenticator = 0xde3e82b04cacf9575f36bb5d7da5a570
(13) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(13) NAS-Port-Type = Ethernet
(13) NAS-Port = 50006
(13) NAS-Port-Id = "GigabitEthernet0/6"
(13) State = 0x5709dc2c570bc95d080b76220813d0d4
(13) NAS-IP-Address = 10.100.0.50
(13) session-state: No cached attributes
(13) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /(a)\./) {
(13) if (&User-Name =~ /(a)\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "test", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 2 length 6
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) } # authorize = updated
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Auth-Type eap {
(13) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(13) eap: Finished EAP session with state 0x5709dc2c570bc95d
(13) eap: Previous EAP request found for state 0x5709dc2c570bc95d, released
from the list
(13) eap: Peer sent packet with method EAP NAK (3)
(13) eap: Found mutually acceptable type PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Initiating new TLS session
(13) eap_peap: [eaptls start] = request
(13) eap: Sending EAP Request (code 1) ID 3 length 6
(13) eap: EAP session adding &reply:State = 0x5709dc2c560ac55d
(13) [eap] = handled
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) EXPAND Response-Packet-Type
(13) --> Access-Challenge
(13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) attr_filter.access_challenge: EXPAND %{User-Name}
(13) attr_filter.access_challenge: --> test
(13) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(13) [attr_filter.access_challenge.post-auth] = updated
(13) [handled] = handled
(13) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(13) } # Auth-Type eap = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Challenge { ... } # empty sub-section is ignored
(13) Sent Access-Challenge Id 187 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(13) EAP-Message = 0x010300061920
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0x5709dc2c560ac55d080b76220813d0d4
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 188 from 10.100.0.50:1645 to
10.101.0.20:1812 length 375
(14) User-Name = "test"
(14) Service-Type = Framed-User
(14) Framed-MTU = 1500
(14) Called-Station-Id = "24-01-C7-8E-84-86"
(14) Calling-Station-Id = "74-78-27-1B-F2-78"
(14) EAP-Message =
0x020300ac1980000000a2160303009d01000099030362dec1e8bb336220b36115a2f152d4ff
bda23da4d62a4b3a3dd2d90243cfb65500002ac02cc02bc030c02f009f009ec024c023c028c0
27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a
00080006001d00170018000b00020100000d001a001808040805080604010501020104030503
02030202060106030023000000170000ff01000100
(14) Message-Authenticator = 0x723199c45f61b638f39acfd1af4ef706
(14) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(14) NAS-Port-Type = Ethernet
(14) NAS-Port = 50006
(14) NAS-Port-Id = "GigabitEthernet0/6"
(14) State = 0x5709dc2c560ac55d080b76220813d0d4
(14) NAS-IP-Address = 10.100.0.50
(14) session-state: No cached attributes
(14) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /(a)\./) {
(14) if (&User-Name =~ /(a)\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "test", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 3 length 172
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Auth-Type eap {
(14) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(14) eap: Finished EAP session with state 0x5709dc2c560ac55d
(14) eap: Previous EAP request found for state 0x5709dc2c560ac55d, released
from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(14) eap_peap: Got complete TLS record (162 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: (other): before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: <<< recv TLS 1.3 [length 009d]
(14) eap_peap: TLS_accept: SSLv3/TLS read client hello
(14) eap_peap: >>> send TLS 1.2 [length 003d]
(14) eap_peap: TLS_accept: SSLv3/TLS write server hello
(14) eap_peap: >>> send TLS 1.2 [length 08e9]
(14) eap_peap: TLS_accept: SSLv3/TLS write certificate
(14) eap_peap: >>> send TLS 1.2 [length 014d]
(14) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(14) eap_peap: >>> send TLS 1.2 [length 0004]
(14) eap_peap: TLS_accept: SSLv3/TLS write server done
(14) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(14) eap_peap: TLS - In Handshake Phase
(14) eap_peap: TLS - got 2699 bytes of data
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 4 length 1014
(14) eap: EAP session adding &reply:State = 0x5709dc2c550dc55d
(14) [eap] = handled
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) EXPAND Response-Packet-Type
(14) --> Access-Challenge
(14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge: --> test
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14) [attr_filter.access_challenge.post-auth] = updated
(14) [handled] = handled
(14) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(14) } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Challenge { ... } # empty sub-section is ignored
(14) Sent Access-Challenge Id 188 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(14) EAP-Message =
0x010403f619c000000a8b160303003d020000390303e63773a6f4e7998fe2174245b1361d9d
6235d691817e1c0537491a129c815c5e00c030000011ff01000100000b000403000102001700
0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a86
4886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261
646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c
652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
74686f72697479301e170d3232303630373133353631355a170d323230383036313335363135
5a307c310b3009060355040613024652310f300d06035504080c065261646975733115301306
0355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x5709dc2c550dc55d080b76220813d0d4
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 189 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(15) User-Name = "test"
(15) Service-Type = Framed-User
(15) Framed-MTU = 1500
(15) Called-Station-Id = "24-01-C7-8E-84-86"
(15) Calling-Station-Id = "74-78-27-1B-F2-78"
(15) EAP-Message = 0x020400061900
(15) Message-Authenticator = 0x5c6dceb7d89b74812695116e8c825b77
(15) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(15) NAS-Port-Type = Ethernet
(15) NAS-Port = 50006
(15) NAS-Port-Id = "GigabitEthernet0/6"
(15) State = 0x5709dc2c550dc55d080b76220813d0d4
(15) NAS-IP-Address = 10.100.0.50
(15) session-state: No cached attributes
(15) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /(a)\./) {
(15) if (&User-Name =~ /(a)\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) [mschap] = noop
(15) [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "test", looking up realm NULL
(15) suffix: No such realm "NULL"
(15) [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 4 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Auth-Type eap {
(15) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(15) eap: Finished EAP session with state 0x5709dc2c550dc55d
(15) eap: Previous EAP request found for state 0x5709dc2c550dc55d, released
from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment
(15) eap_peap: [eaptls verify] = request
(15) eap_peap: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 5 length 1010
(15) eap: EAP session adding &reply:State = 0x5709dc2c540cc55d
(15) [eap] = handled
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) EXPAND Response-Packet-Type
(15) --> Access-Challenge
(15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge: --> test
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15) [attr_filter.access_challenge.post-auth] = updated
(15) [handled] = handled
(15) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(15) } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Challenge { ... } # empty sub-section is ignored
(15) Sent Access-Challenge Id 189 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(15) EAP-Message =
0x010503f219402191b630136f9c3efec0d255f3b83b044d67821de971742e781d91d550b267
675e88e1945d729139f9b13cb3067ea7a8cf42f22afe3ad057afe04680c0484d0dd862dd0004
fe308204fa308203e2a00302010202142612a65a56fe11648fbdca8d519264c57b3b83f0300d
06092a864886f70d01010b0500308193310b3009060355040613024652310f300d0603550408
0c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c
0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578
616d706c652e6f72673126302406035504030c1d4578616d706c652043657274696669636174
6520417574686f72697479301e170d3232303630373133353631355a170d3232303830363133
353631355a308193310b3009060355040613024652310f300d06035504080c06526164697573
3112301006035504070c09536f6d65776865726531153013060355040a0c0c457861
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x5709dc2c540cc55d080b76220813d0d4
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 190 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(16) User-Name = "test"
(16) Service-Type = Framed-User
(16) Framed-MTU = 1500
(16) Called-Station-Id = "24-01-C7-8E-84-86"
(16) Calling-Station-Id = "74-78-27-1B-F2-78"
(16) EAP-Message = 0x020500061900
(16) Message-Authenticator = 0x338407f535f332f0091f8b6a8546c39a
(16) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(16) NAS-Port-Type = Ethernet
(16) NAS-Port = 50006
(16) NAS-Port-Id = "GigabitEthernet0/6"
(16) State = 0x5709dc2c540cc55d080b76220813d0d4
(16) NAS-IP-Address = 10.100.0.50
(16) session-state: No cached attributes
(16) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /(a)\./) {
(16) if (&User-Name =~ /(a)\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "test", looking up realm NULL
(16) suffix: No such realm "NULL"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 5 length 6
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Auth-Type eap {
(16) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(16) eap: Finished EAP session with state 0x5709dc2c540cc55d
(16) eap: Previous EAP request found for state 0x5709dc2c540cc55d, released
from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: Peer ACKed our handshake fragment
(16) eap_peap: [eaptls verify] = request
(16) eap_peap: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 6 length 697
(16) eap: EAP session adding &reply:State = 0x5709dc2c530fc55d
(16) [eap] = handled
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) EXPAND Response-Packet-Type
(16) --> Access-Challenge
(16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge: --> test
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16) [attr_filter.access_challenge.post-auth] = updated
(16) [handled] = handled
(16) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(16) } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Challenge { ... } # empty sub-section is ignored
(16) Sent Access-Challenge Id 190 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(16) EAP-Message =
0x010602b919001d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625
687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c30
0d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d142dea0f64
ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabacdf1f473b
35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee45ad98a87
9609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f57a3c4654
49fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb9734ad96157
81be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdbc7942c0d
7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759b3319901
9e7d482f8786044516160303014d0c00014903001741045122cc6a47b169b7a16ff1
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x5709dc2c530fc55d080b76220813d0d4
(16) Finished request
Waking up in 4.8 seconds.
(17) Received Access-Request Id 191 from 10.100.0.50:1645 to
10.101.0.20:1812 length 339
(17) User-Name = "test"
(17) Service-Type = Framed-User
(17) Framed-MTU = 1500
(17) Called-Station-Id = "24-01-C7-8E-84-86"
(17) Calling-Station-Id = "74-78-27-1B-F2-78"
(17) EAP-Message =
0x0206008819800000007e160303004610000042410446771ce3728af651ce38b33f2dbad2de
2ec1398220b2deca4e147610a28845f811a15650a23e9c2d6cda8703a81d827e6d5c3335a7ad
ed1f9348bed6398856db140303000101160303002800000000000000006467b41f8f49082292
2783c45df9e0ab3f5f3ee2d6b27ac824a0291d83fc0cbb
(17) Message-Authenticator = 0x9881bcce42caeb449d1792b76c542650
(17) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(17) NAS-Port-Type = Ethernet
(17) NAS-Port = 50006
(17) NAS-Port-Id = "GigabitEthernet0/6"
(17) State = 0x5709dc2c530fc55d080b76220813d0d4
(17) NAS-IP-Address = 10.100.0.50
(17) session-state: No cached attributes
(17) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /(a)\./) {
(17) if (&User-Name =~ /(a)\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) [mschap] = noop
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "test", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 6 length 136
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Auth-Type eap {
(17) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(17) eap: Finished EAP session with state 0x5709dc2c530fc55d
(17) eap: Previous EAP request found for state 0x5709dc2c530fc55d, released
from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(17) eap_peap: Got complete TLS record (126 bytes)
(17) eap_peap: [eaptls verify] = length included
(17) eap_peap: TLS_accept: SSLv3/TLS write server done
(17) eap_peap: <<< recv TLS 1.2 [length 0046]
(17) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(17) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(17) eap_peap: <<< recv TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS read finished
(17) eap_peap: >>> send TLS 1.2 [length 0001]
(17) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(17) eap_peap: >>> send TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS write finished
(17) eap_peap: (other): SSL negotiation finished successfully
(17) eap_peap: TLS - Connection Established
(17) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) eap_peap: TLS-Session-Version = "TLS 1.2"
(17) eap_peap: TLS - got 51 bytes of data
(17) eap_peap: [eaptls process] = handled
(17) eap: Sending EAP Request (code 1) ID 7 length 57
(17) eap: EAP session adding &reply:State = 0x5709dc2c520ec55d
(17) [eap] = handled
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) EXPAND Response-Packet-Type
(17) --> Access-Challenge
(17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge: --> test
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17) [attr_filter.access_challenge.post-auth] = updated
(17) [handled] = handled
(17) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(17) } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) TLS-Session-Version = "TLS 1.2"
(17) Sent Access-Challenge Id 191 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(17) EAP-Message =
0x01070039190014030300010116030300285bc3632e6b443560a1c7f7fcfd4d4dce83eb70b6
a001d27389578382a78d0283e43c7e8969d6f3ba
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x5709dc2c520ec55d080b76220813d0d4
(17) Finished request
Waking up in 4.8 seconds.
(18) Received Access-Request Id 192 from 10.100.0.50:1645 to
10.101.0.20:1812 length 209
(18) User-Name = "test"
(18) Service-Type = Framed-User
(18) Framed-MTU = 1500
(18) Called-Station-Id = "24-01-C7-8E-84-86"
(18) Calling-Station-Id = "74-78-27-1B-F2-78"
(18) EAP-Message = 0x020700061900
(18) Message-Authenticator = 0x33689c92606612b6d8b208e12717fd08
(18) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(18) NAS-Port-Type = Ethernet
(18) NAS-Port = 50006
(18) NAS-Port-Id = "GigabitEthernet0/6"
(18) State = 0x5709dc2c520ec55d080b76220813d0d4
(18) NAS-IP-Address = 10.100.0.50
(18) Restoring &session-state
(18) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(18) &session-state:TLS-Session-Version = "TLS 1.2"
(18) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /(a)\./) {
(18) if (&User-Name =~ /(a)\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) [mschap] = noop
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "test", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 7 length 6
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Auth-Type eap {
(18) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(18) eap: Finished EAP session with state 0x5709dc2c520ec55d
(18) eap: Previous EAP request found for state 0x5709dc2c520ec55d, released
from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(18) eap_peap: [eaptls verify] = success
(18) eap_peap: [eaptls process] = success
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state TUNNEL ESTABLISHED
(18) eap: Sending EAP Request (code 1) ID 8 length 40
(18) eap: EAP session adding &reply:State = 0x5709dc2c5101c55d
(18) [eap] = handled
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) EXPAND Response-Packet-Type
(18) --> Access-Challenge
(18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) attr_filter.access_challenge: EXPAND %{User-Name}
(18) attr_filter.access_challenge: --> test
(18) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(18) [attr_filter.access_challenge.post-auth] = updated
(18) [handled] = handled
(18) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(18) } # Auth-Type eap = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) TLS-Session-Version = "TLS 1.2"
(18) Sent Access-Challenge Id 192 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(18) EAP-Message =
0x010800281900170303001d5bc3632e6b443561fcf82593fda17abbf449f59d02196666fae6
9cf929
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x5709dc2c5101c55d080b76220813d0d4
(18) Finished request
Waking up in 2.1 seconds.
(19) Received Access-Request Id 193 from 10.100.0.50:1645 to
10.101.0.20:1812 length 243
(19) User-Name = "test"
(19) Service-Type = Framed-User
(19) Framed-MTU = 1500
(19) Called-Station-Id = "24-01-C7-8E-84-86"
(19) Calling-Station-Id = "74-78-27-1B-F2-78"
(19) EAP-Message =
0x020800281900170303001d0000000000000001f4b75ef3c9c70e7de845b7ad53435ce649bc
e97bd6
(19) Message-Authenticator = 0xdd6a472f02ab76bc724223ac8592f303
(19) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(19) NAS-Port-Type = Ethernet
(19) NAS-Port = 50006
(19) NAS-Port-Id = "GigabitEthernet0/6"
(19) State = 0x5709dc2c5101c55d080b76220813d0d4
(19) NAS-IP-Address = 10.100.0.50
(19) Restoring &session-state
(19) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(19) &session-state:TLS-Session-Version = "TLS 1.2"
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 40
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Auth-Type eap {
(19) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(19) eap: Finished EAP session with state 0x5709dc2c5101c55d
(19) eap: Previous EAP request found for state 0x5709dc2c5101c55d, released
from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(19) eap_peap: Identity - test
(19) eap_peap: Got inner identity 'test'
(19) eap_peap: Setting default EAP type for tunneled EAP session
(19) eap_peap: Got tunneled request
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: Setting User-Name to test
(19) eap_peap: Sending tunneled request to inner-tunnel
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap: User-Name = "test"
(19) Virtual server inner-tunnel received request
(19) EAP-Message = 0x020800090174657374
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "test"
(19) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(19) server inner-tunnel {
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /(a)\./) {
(19) if (&User-Name =~ /(a)\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [chap] = noop
(19) [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) update control {
(19) &Proxy-To-Realm := LOCAL
(19) } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 9
(19) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(19) authenticate {
(19) eap: Peer sent packet with method EAP Identity (1)
(19) eap: Calling submodule eap_mschapv2 to process data
(19) eap_mschapv2: Issuing Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 43
(19) eap: EAP session adding &reply:State = 0xc8f1f8bdc8f8e24d
(19) [eap] = handled
(19) } # authenticate = handled
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19) EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply RADIUS code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled Access-Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 74
(19) eap: EAP session adding &reply:State = 0x5709dc2c5000c55d
(19) [eap] = handled
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) EXPAND Response-Packet-Type
(19) --> Access-Challenge
(19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) attr_filter.access_challenge: EXPAND %{User-Name}
(19) attr_filter.access_challenge: --> test
(19) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(19) [attr_filter.access_challenge.post-auth] = updated
(19) [handled] = handled
(19) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(19) } # Auth-Type eap = handled
(19) Using Post-Auth-Type Challenge
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Challenge { ... } # empty sub-section is ignored
(19) session-state: Saving cached attributes
(19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) TLS-Session-Version = "TLS 1.2"
(19) Sent Access-Challenge Id 193 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(19) EAP-Message =
0x0109004a1900170303003f5bc3632e6b4435625e5c5051af7c363be95d4ee4f3f3b7ac445d
1ecac6abc90cb5263d48732e332fae270276b7d924f672cc1b74d6916b68c2e03e7ebe1975
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x5709dc2c5000c55d080b76220813d0d4
(19) Finished request
Waking up in 2.0 seconds.
(20) Received Access-Request Id 194 from 10.100.0.50:1645 to
10.101.0.20:1812 length 297
(20) User-Name = "test"
(20) Service-Type = Framed-User
(20) Framed-MTU = 1500
(20) Called-Station-Id = "24-01-C7-8E-84-86"
(20) Calling-Station-Id = "74-78-27-1B-F2-78"
(20) EAP-Message =
0x0209005e19001703030053000000000000000267df274f7aba3c388821a73daf611375d9d7
2eef18a2029801924010afde0f8c56c84035beb392c5d720651c2253091340fa76a3f6a37152
3b42fb59bacd4ff5ff77aa734d8f4abc3bfe4c
(20) Message-Authenticator = 0xdd9df03d48297b3c9942e21f2b832e07
(20) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(20) NAS-Port-Type = Ethernet
(20) NAS-Port = 50006
(20) NAS-Port-Id = "GigabitEthernet0/6"
(20) State = 0x5709dc2c5000c55d080b76220813d0d4
(20) NAS-IP-Address = 10.100.0.50
(20) Restoring &session-state
(20) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(20) &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) [mschap] = noop
(20) [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 94
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Auth-Type eap {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0x5709dc2c5000c55d
(20) eap: Previous EAP request found for state 0x5709dc2c5000c55d, released
from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: [eaptls verify] = ok
(20) eap_peap: Done initial handshake
(20) eap_peap: [eaptls process] = ok
(20) eap_peap: Session established. Decoding tunneled attributes
(20) eap_peap: PEAP state phase2
(20) eap_peap: EAP method MSCHAPv2 (26)
(20) eap_peap: Got tunneled request
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: Setting User-Name to test
(20) eap_peap: Sending tunneled request to inner-tunnel
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_peap: User-Name = "test"
(20) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) Virtual server inner-tunnel received request
(20) EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) FreeRADIUS-Proxied-To = 127.0.0.1
(20) User-Name = "test"
(20) State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(20) server inner-tunnel {
(20) session-state: No cached attributes
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /(a)\./) {
(20) if (&User-Name =~ /(a)\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [chap] = noop
(20) [mschap] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) update control {
(20) &Proxy-To-Realm := LOCAL
(20) } # update control = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 63
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) files: users: Matched entry test at line 1
(20) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(20) files: --> tu as reussi avec et en etant test
(20) [files] = ok
(20) [expiration] = noop
(20) [logintime] = noop
(20) pap: WARNING: Auth-Type already set. Not setting to PAP
(20) [pap] = noop
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(20) authenticate {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0xc8f1f8bdc8f8e24d
(20) eap: Previous EAP request found for state 0xc8f1f8bdc8f8e24d, released
from the list
(20) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(20) eap: Calling submodule eap_mschapv2 to process data
(20) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(20) eap_mschapv2: authenticate {
(20) mschap: Found Cleartext-Password, hashing to create NT-Password
(20) mschap: Creating challenge hash with username: test
(20) mschap: Client is using MS-CHAPv2
(20) mschap: Adding MS-CHAPv2 MPPE keys
(20) eap_mschapv2: [mschap] = ok
(20) eap_mschapv2: } # authenticate = ok
(20) eap_mschapv2: MSCHAP Success
(20) eap: Sending EAP Request (code 1) ID 10 length 51
(20) eap: EAP session adding &reply:State = 0xc8f1f8bdc9fbe24d
(20) [eap] = handled
(20) } # authenticate = handled
(20) } # server inner-tunnel
(20) Virtual server sending reply
(20) Reply-Message = "tu as reussi avec et en etant test"
(20) EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply RADIUS code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled Access-Challenge
(20) eap: Sending EAP Request (code 1) ID 10 length 82
(20) eap: EAP session adding &reply:State = 0x5709dc2c5f03c55d
(20) [eap] = handled
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) EXPAND Response-Packet-Type
(20) --> Access-Challenge
(20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) attr_filter.access_challenge: EXPAND %{User-Name}
(20) attr_filter.access_challenge: --> test
(20) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(20) [attr_filter.access_challenge.post-auth] = updated
(20) [handled] = handled
(20) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(20) } # Auth-Type eap = handled
(20) Using Post-Auth-Type Challenge
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Challenge { ... } # empty sub-section is ignored
(20) session-state: Saving cached attributes
(20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) TLS-Session-Version = "TLS 1.2"
(20) Sent Access-Challenge Id 194 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(20) EAP-Message =
0x010a0052190017030300475bc3632e6b443563bfdb8a34b1d033e80abaed0886740e922409
cc823028e6c31f02665c568a46c5f021df9853700a6be0d1b2248b9520ffad2833cdfccb681b
bfefac58b6c6e8
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x5709dc2c5f03c55d080b76220813d0d4
(20) Finished request
Waking up in 2.0 seconds.
(21) Received Access-Request Id 195 from 10.100.0.50:1645 to
10.101.0.20:1812 length 240
(21) User-Name = "test"
(21) Service-Type = Framed-User
(21) Framed-MTU = 1500
(21) Called-Station-Id = "24-01-C7-8E-84-86"
(21) Calling-Station-Id = "74-78-27-1B-F2-78"
(21) EAP-Message =
0x020a00251900170303001a0000000000000003b7e4977bb2c798f1390f20f4c06d08798279
(21) Message-Authenticator = 0xc450ef4dd19f37f7ff7136f788d710b0
(21) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(21) NAS-Port-Type = Ethernet
(21) NAS-Port = 50006
(21) NAS-Port-Id = "GigabitEthernet0/6"
(21) State = 0x5709dc2c5f03c55d080b76220813d0d4
(21) NAS-IP-Address = 10.100.0.50
(21) Restoring &session-state
(21) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(21) &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) [mschap] = noop
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 37
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0x5709dc2c5f03c55d
(21) eap: Previous EAP request found for state 0x5709dc2c5f03c55d, released
from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: [eaptls verify] = ok
(21) eap_peap: Done initial handshake
(21) eap_peap: [eaptls process] = ok
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state phase2
(21) eap_peap: EAP method MSCHAPv2 (26)
(21) eap_peap: Got tunneled request
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: Setting User-Name to test
(21) eap_peap: Sending tunneled request to inner-tunnel
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(21) eap_peap: User-Name = "test"
(21) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) Virtual server inner-tunnel received request
(21) EAP-Message = 0x020a00061a03
(21) FreeRADIUS-Proxied-To = 127.0.0.1
(21) User-Name = "test"
(21) State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(21) server inner-tunnel {
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /(a)\./) {
(21) if (&User-Name =~ /(a)\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [chap] = noop
(21) [mschap] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) update control {
(21) &Proxy-To-Realm := LOCAL
(21) } # update control = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 6
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) files: users: Matched entry test at line 1
(21) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(21) files: --> tu as reussi avec et en etant test
(21) [files] = ok
(21) [expiration] = noop
(21) [logintime] = noop
(21) pap: WARNING: Auth-Type already set. Not setting to PAP
(21) [pap] = noop
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0xc8f1f8bdc9fbe24d
(21) eap: Previous EAP request found for state 0xc8f1f8bdc9fbe24d, released
from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap: Sending EAP Success (code 3) ID 10 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) } # authenticate = ok
(21) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(21) post-auth {
(21) if (0) {
(21) if (0) -> FALSE
(21) } # post-auth = noop
(21) Login OK: [test] (from client swi_said_edward_p173 port 0 via TLS
tunnel)
(21) } # server inner-tunnel
(21) Virtual server sending reply
(21) Reply-Message = "tu as reussi avec et en etant test"
(21) MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) EAP-Message = 0x030a0004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "test"
(21) eap_peap: Got tunneled reply code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Got tunneled reply RADIUS code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Tunneled authentication was successful
(21) eap_peap: SUCCESS
(21) eap: Sending EAP Request (code 1) ID 11 length 46
(21) eap: EAP session adding &reply:State = 0x5709dc2c5e02c55d
(21) [eap] = handled
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) EXPAND Response-Packet-Type
(21) --> Access-Challenge
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> test
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) [handled] = handled
(21) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(21) } # Auth-Type eap = handled
(21) Using Post-Auth-Type Challenge
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Challenge { ... } # empty sub-section is ignored
(21) session-state: Saving cached attributes
(21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) TLS-Session-Version = "TLS 1.2"
(21) Sent Access-Challenge Id 195 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(21) EAP-Message =
0x010b002e190017030300235bc3632e6b443564d2723008ae0ef670403b61176bfb8668e1ff
44cb3c02f7217871f0
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x5709dc2c5e02c55d080b76220813d0d4
(21) Finished request
Waking up in 2.0 seconds.
(22) Received Access-Request Id 196 from 10.100.0.50:1645 to
10.101.0.20:1812 length 249
(22) User-Name = "test"
(22) Service-Type = Framed-User
(22) Framed-MTU = 1500
(22) Called-Station-Id = "24-01-C7-8E-84-86"
(22) Calling-Station-Id = "74-78-27-1B-F2-78"
(22) EAP-Message =
0x020b002e19001703030023000000000000000445fbfc432839d0f47cc453ff5500e022d602
41ef8e33106eda0936
(22) Message-Authenticator = 0x7ca959931442315cd10d49eb490df5db
(22) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(22) NAS-Port-Type = Ethernet
(22) NAS-Port = 50006
(22) NAS-Port-Id = "GigabitEthernet0/6"
(22) State = 0x5709dc2c5e02c55d080b76220813d0d4
(22) NAS-IP-Address = 10.100.0.50
(22) Restoring &session-state
(22) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(22) &session-state:TLS-Session-Version = "TLS 1.2"
(22) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /(a)\./) {
(22) if (&User-Name =~ /(a)\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "test", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 11 length 46
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Auth-Type eap {
(22) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(22) eap: Finished EAP session with state 0x5709dc2c5e02c55d
(22) eap: Previous EAP request found for state 0x5709dc2c5e02c55d, released
from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: [eaptls verify] = ok
(22) eap_peap: Done initial handshake
(22) eap_peap: [eaptls process] = ok
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state send tlv success
(22) eap_peap: Received EAP-TLV response
(22) eap_peap: Success
(22) eap: Sending EAP Success (code 3) ID 11 length 4
(22) eap: Freeing handler
(22) [eap] = ok
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) if (handled && (Response-Packet-Type == Access-Challenge)) ->
FALSE
(22) } # Auth-Type eap = ok
(22) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(22) post-auth {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(22) update {
(22) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(22) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(22) } # update = noop
(22) [exec] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) } # post-auth = noop
(22) Login OK: [test] (from client swi_said_edward_p173 port 50006 cli
74-78-27-1B-F2-78)
(22) Sent Access-Accept Id 196 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(22) MS-MPPE-Recv-Key =
0xb3963e8d4a98a9a2b83fc3463f4aee62e926bbe31e9fab554887fbef5efce59d
(22) MS-MPPE-Send-Key =
0xe659945053c03ec5ae6b8b0ceef6fa83d90c3718f2a69f013f86f3870e5349ed
(22) EAP-Message = 0x030b0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) User-Name = "test"
(22) Finished request
Waking up in 2.0 seconds.
(23) Received Accounting-Request Id 61 from 10.100.0.50:1646 to
10.101.0.20:1813 length 217
(23) Acct-Session-Id = "0000006D"
(23) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(23) User-Name = "test"
(23) Cisco-AVPair = "connect-progress=Call Up"
(23) Acct-Authentic = RADIUS
(23) Acct-Status-Type = Start
(23) NAS-Port-Type = Ethernet
(23) NAS-Port = 50006
(23) NAS-Port-Id = "GigabitEthernet0/6"
(23) Called-Station-Id = "24-01-C7-8E-84-86"
(23) Calling-Station-Id = "74-78-27-1B-F2-78"
(23) Service-Type = Framed-User
(23) NAS-IP-Address = 10.100.0.50
(23) Acct-Delay-Time = 0
(23) # Executing section preacct from file /etc/raddb/sites-enabled/default
(23) preacct {
(23) [preprocess] = ok
(23) policy acct_unique {
(23) update request {
(23) &Tmp-String-9 := "ai:"
(23) } # update request = noop
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(23) EXPAND %{hex:&Class}
(23) -->
(23) EXPAND ^%{hex:&Tmp-String-9}
(23) --> ^61693a
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(23) else {
(23) update request {
(23) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(23) --> ec3bf2e33c3293d656fc4362227660f2
(23) &Acct-Unique-Session-Id := ec3bf2e33c3293d656fc4362227660f2
(23) } # update request = noop
(23) } # else = noop
(23) } # policy acct_unique = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "test", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) [files] = noop
(23) } # preacct = ok
(23) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(23) accounting {
(23) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(23) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail: EXPAND %t
(23) detail: --> Mon Jul 25 18:16:45 2022
(23) [detail] = ok
(23) [unix] = ok
(23) radutmp: EXPAND /var/log/radius/radutmp
(23) radutmp: --> /var/log/radius/radutmp
(23) radutmp: EXPAND %{User-Name}
(23) radutmp: --> test
(23) [radutmp] = ok
(23) sradutmp: EXPAND /var/log/radius/sradutmp
(23) sradutmp: --> /var/log/radius/sradutmp
(23) sradutmp: EXPAND %{User-Name}
(23) sradutmp: --> test
(23) [sradutmp] = ok
(23) [exec] = noop
(23) attr_filter.accounting_response: EXPAND %{User-Name}
(23) attr_filter.accounting_response: --> test
(23) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(23) [attr_filter.accounting_response] = updated
(23) } # accounting = updated
(23) Sent Accounting-Response Id 61 from 10.101.0.20:1813 to
10.100.0.50:1646 length 0
(23) Finished request
(23) Cleaning up request packet ID 61 with timestamp +68
Waking up in 0.8 seconds.
(12) Cleaning up request packet ID 186 with timestamp +64
(13) Cleaning up request packet ID 187 with timestamp +64
(14) Cleaning up request packet ID 188 with timestamp +64
(15) Cleaning up request packet ID 189 with timestamp +64
(16) Cleaning up request packet ID 190 with timestamp +64
(17) Cleaning up request packet ID 191 with timestamp +64
Waking up in 2.7 seconds.
(18) Cleaning up request packet ID 192 with timestamp +67
(19) Cleaning up request packet ID 193 with timestamp +67
(20) Cleaning up request packet ID 194 with timestamp +67
(21) Cleaning up request packet ID 195 with timestamp +67
(22) Cleaning up request packet ID 196 with timestamp +67
Ready to process requests
3
7
Hello Alan, how are you? I ran some tests as fast as I could.
Now it's giving the following message:
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
NAS 2804:444:1:1::2 was added normally:
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
Authentication normally takes place with IPv6. The problem is with checkrad.
Below is the Access-Request package and the freeradius -X command output.
Could you help please?
Thank you!
Fabricio Viana
root@li1268-188:/# freeradius -v
radiusd: FreeRADIUS Version 3.0.24 (git #83d87a2), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.0.24
(0) Received Access-Request Id 142 from [2804:444:1:1::2]:33926 to [2600:4a00::f132:91a4:f567:34fd]:1812 length 185
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 15813747
(0) NAS-Port-Type = Ethernet
(0) User-Name = "joseph.test"
(0) Calling-Station-Id = "AA:BB:B6:41:33:AA"
(0) Called-Station-Id = "pppoe-server-olt02"
(0) NAS-Port-Id = "ether3.501-PPPoE-OLT02"
(0) CHAP-Challenge = 0x388b23cbdc8d67936f09a731c70acf6e
(0) CHAP-Password = 0x018003bc3835139074138c89d63370276a
(0) NAS-Identifier = "R1.ITU"
(0) NAS-IPv6-Address = 2804:444:1:1::2
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) {
(0) EXPAND %{Cisco-AVPair[*]}
(0) -->
(0) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE
(0) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) else {
(0) update request {
(0) EXPAND %{toupper:%{Calling-Station-Id}}
(0) --> AA:BB:B6:41:33:AA
(0) Calling-Station-Id := AA:BB:B6:41:33:AA
(0) } # update request = noop
(0) } # else = noop
(0) if (!control:Cleartext-Password){
(0) if (!control:Cleartext-Password) -> TRUE
(0) if (!control:Cleartext-Password) {
(0) update control {
(0) Cleartext-Password := "no_user_found_radiusnet"
(0) } # update control = noop
(0) } # if (!control:Cleartext-Password) = noop
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'joseph.test' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "ellen8858"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'joseph.test' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'joseph.test' ORDER BY priority
(0) sql: User found in the group table
(0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Conditional check items matched
(0) sql: Group "2BLO": Merging assignment check items
(0) sql: Simultaneous-Use := 1
(0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '2BLO' ORDER BY id
(0) sql: Group "2BLO": Merging reply items
(0) sql: Mikrotik-Rate-Limit = "100k/100k"
(0) sql: WISPr-Bandwidth-Max-Down = 100000
(0) sql: WISPr-Bandwidth-Max-Up = 100000
(0) sql: Framed-Pool = "pool_bloqueados"
(0) sql: Mikrotik-Address-List = "bloqueados"
rlm_sql (sql): Released connection (1)
(0) [sql] = ok
(0) pap: WARNING: Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type CHAP {
(0) chap: Comparing with "known good" Cleartext-Password
(0) chap: CHAP user "joseph.test" authenticated successfully
(0) [chap] = ok
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group){
(0) if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group) -> FALSE
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group){
(0) if (request:Service-Type == Framed-User && reply:Mikrotik-Group) -> FALSE
(0) if (reject && Framed-Protocol == PPP) {
(0) if (reject && Framed-Protocol == PPP) -> FALSE
(0) if (invalid && Framed-Protocol == PPP) {
(0) if (invalid && Framed-Protocol == PPP) -> FALSE
(0) } # Auth-Type CHAP = ok
(0) # Executing section session from file /etc/freeradius/sites-enabled/default
(0) session {
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: EXPAND SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL
(0) sql: --> SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
(0) sql: Executing select query: SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = 'joseph.test' AND acctstoptime IS NULL
checkrad: Unknown NAS 2804:444:1:1::2, not checking
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) } # session = ok
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(0) sql: EXPAND %{User-Name}
(0) sql: --> joseph.test
(0) sql: SQL-User-Name set to 'joseph.test'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'joseph.test', '0x018003bc3835139074138c89d63370276a', 'Access-Reject', UTC_TIMESTAMP(), '2804:444:1:1::2', 'AA:BB:B6:41:33:AA')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(0) [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> joseph.test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
FreeRADIUS Version 3.0.24
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/sqlippool_v4
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/sqlippool
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/sql
including configuration file /etc/freeradius/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/ddns_exec
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/sqlippool_v6
including configuration file /etc/freeradius/mods-config/sql/ippool/mysql/queries_v6.conf
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/digest
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/accounting
/etc/freeradius/policy.d/accounting[42]: Reference "${IDRADIUSSERVER}" not found
/etc/freeradius/policy.d/accounting[54]: Reference "${IDRADIUSSERVER}" not found
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/control
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/freeradius.env
including configuration file /etc/freeradius/ddns.env
main {
security {
user = "root"
group = "root"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/var/scriptsradius/callcheckrad.sh"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/mods-enabled/files
files {
filename = "/etc/freeradius/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Loaded module rlm_sqlippool
# Loading module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
sqlippool sqlippool_v4 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/mods-enabled/chap
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loading module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
sqlippool {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippool WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) AND banned = 0 ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippool SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippool WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippool SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IP-Address}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/freeradius/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "192.0.2.2"
port = 3306
login = "radius_user"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = yes
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}' AND acctstarttime <= UTC_TIMESTAMP()"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, framedipv6prefix, delegatedipv6prefix) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', UTC_TIMESTAMP(), UTC_TIMESTAMP(), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Framed-IPv6-Prefix}', '%{Delegated-IPv6-Prefix}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = UTC_TIMESTAMP(), acctinterval = UNIX_TIMESTAMP(UTC_TIMESTAMP()) - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', framedipv6prefix = '%{Framed-IPv6-Prefix}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctstoptime = NULL, nasportid = '%{NAS-Port-Id}', calledstationid = '%{Called-Station-Id}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' OR AcctUniqueId = '%{Segundo-AcctUnique-Id}' OR AcctUniqueId = '%{Terceiro-AcctUnique-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = UTC_TIMESTAMP(), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}', '%{Calling-Station-Id}')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "ddns_del" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_del {
wait = yes
program = "/var/scriptsradius/ddns.php del %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ddns_add" from file /etc/freeradius/mods-enabled/ddns_exec
exec ddns_add {
wait = yes
program = "/var/scriptsradius/ddns.php add %{User-Name} %{Framed-IP-Address}"
input_pairs = "request"
shell_escape = no
}
# Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
sqlippool sqlippool_v6 {
sql_module_instance = "sql"
lease_duration = 3600
pool_name = "Pool-Name"
default_pool = "main_pool"
ipv6 = yes
allocate_begin = "START TRANSACTION"
allocate_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE expiry_time <= UTC_TIMESTAMP() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"
allocate_clear_timeout = 1
allocate_existing = ""
allocate_requested = ""
allocate_find = "SELECT framedipaddress FROM radippoolv6 WHERE pool_name = '%{control:Pool-Name}' AND (expiry_time < UTC_TIMESTAMP() OR expiry_time IS NULL) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE"
allocate_update = "UPDATE radippoolv6 SET nasipaddress = '%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE framedipaddress = '%I' AND expiry_time IS NULL"
allocate_commit = "COMMIT"
pool_check = "SELECT id FROM radippoolv6 WHERE pool_name='%{control:Pool-Name}' LIMIT 1"
start_begin = ""
start_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{NAS-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
start_commit = ""
alive_begin = ""
alive_update = "UPDATE radippoolv6 SET expiry_time = UTC_TIMESTAMP() + INTERVAL 3600 SECOND WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
alive_commit = ""
stop_begin = ""
stop_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}' AND pool_key = '%{NAS-Port}' AND username = '%{User-Name}' AND callingstationid = '%{Calling-Station-Id}' AND framedipaddress = '%{Framed-IPv6-Prefix}'"
stop_commit = ""
on_begin = ""
on_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
on_commit = ""
off_begin = ""
off_clear = "UPDATE radippoolv6 SET nasipaddress = '', pool_key = 0, callingstationid = '', username = '', expiry_time = NULL WHERE nasipaddress = '%{Nas-IP-Address}'"
off_commit = ""
messages {
exists = "Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
success = "Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
clear = "Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
failed = "IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
nopool = "No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
}
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate
# Loading module "exec" from file /etc/freeradius/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôoùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔOÙÛÜY"
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "detail" from file /etc/freeradius/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/mods-enabled/digest
instantiate {
}
# Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog
# Instantiating module "files" from file /etc/freeradius/mods-enabled/files
reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
# Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration
# Instantiating module "sqlippool_v4" from file /etc/freeradius/mods-enabled/sqlippool_v4
# Instantiating module "sql" from file /etc/freeradius/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.7.35
mysql {
tls {
tls_required = no
check_cert = no
check_cert_cn = no
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Adding client 2804:444:1:1::2 (R1.ITU) to global clients list
rlm_sql (2804:444:1:1::2): Client "R1.ITU" (sql) added
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on 192.0.2.2 via TCP/IP, server version 5.7.18-log, protocol version 10
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime
# Instantiating module "sqlippool" from file /etc/freeradius/mods-enabled/sqlippool
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm
# Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response
# Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess
reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints
# Instantiating module "sqlippool_v6" from file /etc/freeradius/mods-enabled/sqlippool_v6
Ignoring "allocate_clear_timeout = 1", forcing to "allocate_clear_timeout = 1"
# Instantiating module "cache_eap" from file /etc/freeradius/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file /etc/freeradius/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/mods-enabled/always
# Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /etc/freeradius/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 38092
Listening on proxy address :: port 58617
Ready to process requests
2
3
I had a desire to log additional information about authentications to help
enrich our logging analysis. The best idea I came up with at the time was
to customize msg_goodpass and msg_badpass in the log{} section of the
radius.conf. This worked as expected, however, now I find myself wanting
to customize these messages based on unlang attributes. Specifically, I
log something like:
msg_goodpass = "AP-location: %{Aruba-Location-Id}, Device:
%{Aruba-Device-Type}, SSID: %{Aruba-Essid-Name}, Group: %{Aruba-AP-Group}”
This makes perfect sense and really helps the support staff to troubleshoot
user issues. However, this log line will also log when a VPN user
successfully authenticates, and as such, makes no sense. Any ideas or
suggestions for a more flexible way of customizing logging data would be
appreciated.
Munroe Sollog (He/Him/His)
Network Architect
munroe(a)lehigh.edu
2
1
Hello,
I have to set up a radius server which must make a specific response to a
realm and I can't find how to do it.
So I configured a realm in proxy.conf:
realm "~(my.realm)" {
nostrip
}
Then I tried in the users file (./mods-config/files/authorize) to put:
bob(a)my.realm Cleartext-Password := "hello"
Tunnel-Type:1 = L2TP,
Tunnel-Medium-Type:1 = IPv4,
Tunnel-Server-Endpoint:1="192.168.1.100",
Tunnel-Preference:1=1,
Tunnel-Assignment-Id:1 = "\"Rt1\"",
Tunnel-Type:2 = L2TP,
Tunnel-Medium-Type:2 = IPv4,
Tunnel-Server-Endpoint:2="192.168.2.100",
Tunnel-Preference:2=1,
Tunnel-Assignment-Id:2 = "\"Rt2\"",
Service-Type = Framed-User,
Framed-Protocol = PPP
in radtest, it's good.
but now i want same with all username and without check password
sample:
*(a)my.realm Cleartext-Password := "*"
Tunnel-Type:1 = L2TP,
Tunnel-Medium-Type:1 = IPv4,
Tunnel-Server-Endpoint:1="192.168.1.100",
Tunnel-Preference:1=1,
Tunnel-Assignment-Id:1 = "\"Rt1\"",
Tunnel-Type:2 = L2TP,
Tunnel-Medium-Type:2 = IPv4,
Tunnel-Server-Endpoint:2="192.168.2.100",
Tunnel-Preference:2=1,
Tunnel-Assignment-Id:2 = "\"Rt2\"",
Service-Type = Framed-User,
Framed-Protocol = PPP
I don't know how to do this, does anyone have a tip?
thank you in advance for your help
2
1
Hi Alan,
Actually the problem is something different. i checked all queries and all
indexes. even i enabled MySQL logs for slow queries + without indexed
queries. and it's showing none..
Another main thing is MySQL is only taking 5-10% cpu max. i already
increased the max_connection as well with 1024 from the first day of
installation.
So, I am monitoring how many connections are opened by WebUI and FreeRADIUS
servers separately.
So, everytime WebUI (NGINX + PHP-FPM) has so many connections like around
150. But on the other hand the FreeRADIUS has only 15 to 20 max
connections. why it's not taking full advantage of MySQL
resources/connections.
I also increased max_server from 32 to 64 in radiusd.conf but still it's
not creating more connections.
And whenever i restart freeradius it shows *rlm_exec unblocked* (i think
because of intruption in running php processes.). But the *rlm_sql
unblocked* is sometimes in a day without any reason.. But I am sure that
*rlm_sql* means pre-compiled queries Or action update queries. Right?
Please correct me if I am wrong..
The *rlm_sql unblocked (with conflict packet)* problem is from the
configuration of freeradius.. it's not from a php exec script.
Please suggest to me what will be the bottleneck in this issue.
Thanks
Imdad 😊
2
1
Thank you so much alen for very quick response.
I am checking indexes. let's see, if i find any misconfiguration in that.
Thanks Again and very good morning. have a good day.
Imdad
😊
1
0
Hi Alen,
Right now in current version of my app,
1.) For accounting i am using pre-compiled FreeRADIUS queries with two
tables approach one radacct for live and another for closed sessions.
2.) In update control i am updating in/out octets on another table for
specific user total usage. (Also for Accounting)
3.) For Authentication/Authorization i am still using exec with php script,
i am planning to move on perl, but still confuse because of some old posts
about perl module.
- MySQL server have 32GB RAM and 8-Core CPU with Mysql
READ-COMMITED isolation mode.
- MySQL server CPU usage is max to max 10% to 15% On high load.
- FreeRADIUS server have 4GB RAM and 2-Core CPU.
- FreeRADIUS server CPU usage is around 50 to 75%. but the half of total
usage (around 30%) is by the system kernel itself. mostly these two
function of the kernel.
*5.29% [kernel] [k]
copy_pte_range.isra.0 4.52% [kernel]
[k] zap_pte_range.isra.0*
- MySQL and FreeRADIUS is linked in the local network in one VPC of Amazon
AWS.
- The average load of internet subscriber is around 35k. and i set 5mins
interim update time for every subscriber for accounting.
- most of time is working fine, but some times it's gives below errors and
hangs.. on client sides it's showing *radius time out.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
MARUTI-OFFICE port 41243 - ID: 74 due to unfinished request in module .
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
Sargasan port 43843 - ID: 39 due to unfinished request in module . Giving
up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
kathlal port 45688 - ID: 18 due to unfinished request in module <queue>.
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : WARNING: (4098875) WARNING: Module rlm_sql
became unblocked*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
omnet port 54191 - ID: 82 due to unfinished request in module sql. Giving
up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
Vadhvan-GIDC port 50558 - ID: 247 due to unfinished request in module .
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
GULIA port 60073 - ID: 21 due to unfinished request in module . Giving up
on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
G_NET port 58334 - ID: 158 due to unfinished request in module <queue>.
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
omnet port 42216 - ID: 84 due to unfinished request in module <queue>.
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
KUHA_1009 port 39064 - ID: 103 due to unfinished request in module
<queue>. Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
mansa port 35213 - ID: 73 due to unfinished request in module <queue>.
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
omnet port 48780 - ID: 83 due to unfinished request in module sql. Giving
up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
omnet port 60583 - ID: 87 due to unfinished request in module <queue>.
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
omnet port 55875 - ID: 86 due to unfinished request in module <queue>.
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: Received conflicting packet from client
omnet port 50524 - ID: 85 due to unfinished request in module <queue>.
Giving up on old request.*
*Thu Sep 29 07:40:54 2022 : Error: (4098887) Ignoring duplicate packet from
client Skynet-Agra-BNG port 37257 - ID: 1 due to unfinished request in
component <core> module <queue>*
*Thu Sep 29 07:40:54 2022 : WARNING: (4098878) WARNING: Module rlm_sql
became unblocked*
Thanks
Imdad 😊
2
1