Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2023
- 28 participants
- 30 discussions
Dears,
Good Day,
I am trying to activate eduroam SP using FreeRADIUS by following these instructions https://wiki.geant.org/display/H2eduroam/eduroam+SP, in centos 7 OS, I am new in FreeRADIUS actually.
I have finished the installation and eduroam configuration as mentioned above, I am trying to test the service locally, using “bob” user but I the test is fail,
Could anybody assist me or guide me to discovered the issue .
when I started the service by (systemctl restart radiusd)+ run radiusd -x I got
Failed binding to auth address * port 1812 bound to server eduroam: Address already in use
/etc/raddb/sites-enabled/eduroam[3]: Error binding to port for 0.0.0.0 port 1812
Then, when I test bob user I got as below
[root@localhost ~]# radtest bob password 127.0.0.1 100 testing123
Sent Access-Request Id 73 from 0.0.0.0:54411 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
Received Access-Reject Id 73 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
1. -: Expected Access-Accept got Access-Reject
When I stop the service and run radiusd -x I got ready to process request, then when I test bob user I got the below
[root@localhost ~]# radtest bob password 127.0.0.1 100 testing123
Sent Access-Request Id 8 from 0.0.0.0:48138 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
Sent Access-Request Id 8 from 0.0.0.0:48138 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
Sent Access-Request Id 8 from 0.0.0.0:48138 to 127.0.0.1:1812 length 73
User-Name = "bob"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "password"
(0) No reply from server for ID 8 socket 3
radiusd -X output is as below
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/f_ticks
including configuration file /etc/raddb/mods-enabled/eduroam_cui_log
including configuration file /etc/raddb/mods-enabled/sql
including configuration file /etc/raddb/mods-config/sql/main/sqlite/queries.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server eduroam.om {
ipaddr = 185.186.206.13
port = 1812
type = "auth+acct"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm LOCAL {
}
realm NULL {
nostrip
virtual_server = auth-reject
}
home_server_pool EDUROAM {
type = fail-over
home_server = eduroam.om
}
realm ~.+$ {
pool = EDUROAM
nostrip
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client OMREN-access-point-1 {
ipaddr = 192.168.X.X
netmask = 32
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "AP1"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client OMREN-access-point-2 {
ipaddr = 192.168.X.X
netmask = 32
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "AP2"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client eduroam.om {
ipaddr = 185.186.206.13
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "eduroam-main-server"
virtual_server = "eduroam"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüà âæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÃÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loading module "f_ticks" from file /etc/raddb/mods-enabled/f_ticks
linelog f_ticks {
filename = "syslog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
}
# Loading module "cui_log" from file /etc/raddb/mods-enabled/eduroam_cui_log
linelog cui_log {
filename = "/var/log/radius/radius.log"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "auth_log.%{%{reply:Packet-Type}:-format}"
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_null"
server = ""
port = 0
login = ""
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = ""
default_user_profile = ""
client_query = "SELECT id,nasname,shortname,type,secret FROM nas"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = ".query"
type {
accounting-on {
}
accounting-off {
}
start {
}
interim-update {
}
stop {
}
}
}
post-auth {
reference = ".query"
}
}
rlm_sql (sql): Driver rlm_sql_null (module rlm_sql_null) loaded and linked
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "f_ticks" from file /etc/raddb/mods-enabled/f_ticks
# Instantiating module "cui_log" from file /etc/raddb/mods-enabled/eduroam_cui_log
# Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server eduroam { # from file /etc/raddb/sites-enabled/eduroam
# Loading authorize {...}
# Loading preacct {...}
# Loading pre-proxy {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server eduroam
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
Failed binding to auth address * port 1812 bound to server eduroam: Address already in use
/etc/raddb/sites-enabled/eduroam[3]: Error binding to port for 0.0.0.0 port 1812
Regards,
[cid:image001.png@01D924CC.ADF652B0]
[cid:image003.png@01D924CC.ADF652B0][cid:image004.png@01D924CC.ADF652B0] [cid:image005.png@01D924CC.ADF652B0]
Raiya Al Rashdi,
Applications Developer
Oman Research and Education Network - OMREN,
Ministry of Higher Education, Research and Innovation
P.O.Box 92, Innovation Park Muscat – Al Khoud 123,
Sultanate of Oman
T: +968 24442370
M: +968 98505517
E: raiya(a)omren.om <mailto:hilal.aljassasi@omren.om>
OMREN is the official national research and education network of the Sultanate of Oman under the Ministry of Higher Education, Research, and novation to contribute to the rise of an effective national innovation ecosystem and provide the research and education community in the Sultanate of Oman with a common network and state of the art infrastructure dedicated and adapted to their needs.
3
5
Hello,
I noticed a problem if I configure the file this way :
root@radius:/etc/freeradius/3.0# cat users
# user_zone1
$INCLUDE /etc/freeradius/3.0/users_1
# user_zone2
$INCLUDE /etc/freeradius/3.0/users_2
# Test
test Cleartext-Password := "::123456789@"
Reply-Message := "Hello, %{User-Name}"
#DEFAULLT Section
DEFAULT
Alc-Primary-Dns = 8.8.8.8,
Alc-Secondary-Dns = 192.168.100.100,
Framed-IP-Netmask = 255.255.255.0,
Alc-Default-Router = 192.168.100.1,
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
All the DNS and default-router part is not transmitted... I have to reorganize the file in this way for it to work :
root@radius:/etc/freeradius/3.0# cat users
#DEFAULLT Section
DEFAULT
Alc-Primary-Dns = 8.8.8.8,
Alc-Secondary-Dns = 192.168.100.100,
Framed-IP-Netmask = 255.255.255.0,
Alc-Default-Router = 192.168.100.1,
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
# user_zone1
$INCLUDE /etc/freeradius/3.0/users_1
# user_zone2
$INCLUDE /etc/freeradius/3.0/users_2
# Test
test Cleartext-Password := "::123456789@"
Reply-Message := "Hello, %{User-Name}"
Is this normal behavior (FreeRADIUS Version 3.0.21) ?
Thanks for the explanation.
2
1
Hello,
ezhangiso@ezhangiso-virtual-machine:/$ docker exec -it radius-test /bin/bash
root@4ff809b932fe:/# chgrp -h freerad /etc/freeradius/mods-available/sql
root@4ff809b932fe:/# chown -R freerad:freerad /etc/freeradius/mods-enabled/sql
root@4ff809b932fe:/# vi etc/freeradius/mods-available/sql
root@4ff809b932fe:/# vi /etc/freeradius/sites-available/default
root@4ff809b932fe:/# vi /etc/freeradius/sites-available/inner-tunnel
root@4ff809b932fe:/# vi radiusd.conf
root@4ff809b932fe:/# vi /etc/freeradius/radiusd.conf
root@4ff809b932fe:/# cat etc/freeradius/mods-available/sql
dialect = "mysql"
driver = "rlm_sql_mysql"
sqlite {
filename = "/tmp/freeradius.db"
busy_timeout = 200
bootstrap = "${modconfdir}/${..:name}/main/sqlite/schema.sql"
}
mysql {
tls_required = no
tls_check_cert = no
tls_check_cert_cn = no
}
warnings = auto
}
postgresql {
send_application_name = yes
}
#
mongo {
appname = "freeradius"
tls {
certificate_file = /path/to/file
certificate_password = "password"
ca_file = /path/to/file
ca_dir = /path/to/directory
crl_file = /path/to/file
weak_cert_validation = false
allow_invalid_hostname = false
server = "10.0.8.31"
port = 3306
login = "radius"
password = "radius"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
groupcheck_table = "radgroupcheck"
authreply_table = "radreply"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
delete_stale_sessions = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
client_table = "nas"
group_attribute = "SQL-Group"
$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
root@4ff809b932fe:/# cat /etc/freeradius/radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
max_request_time = 30
cleanup_delay = 5
hostname_lookups = no
log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
ENV {
}
security {
user = freerad
group = freerad
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
modules {
$INCLUDE mods-enabled/sql
$INCLUDE mods-enabled/
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
root@4ff809b932fe:/# apt install mariadb-client
root@4ff809b932fe:/# mysql -h 10.0.8.31 -uradius -p radius
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [radius]> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas |
| radacct |
| radcheck |
| radgroupcheck |
| radgroupreply |
| radpostauth |
| radreply |
| radusergroup |
+------------------+
8 rows in set (0.00 sec)
MariaDB [radius]> exit
Bye
root@4ff809b932fe:/# exit
exit
ezhangiso@ezhangiso-virtual-machine:/$ docker commit radius-test radius-mariadb
sha256:1b5a68d2c3c3aaf70be72f8dcbfda27a7cf63e7ba448f412b73bd5f0d8aef63b
ezhangiso@ezhangiso-virtual-machine:/$ docker stop radius-test
radius-test
ezhangiso@ezhangiso-virtual-machine:/$ docker run --rm --name myradius -t -p1812-1813:1812-1813/udp radius-mariadb -X
FreeRADIUS Version 3.0.25
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/mods-enabled/sql
/etc/freeradius/mods-enabled/sql[365]: Reference "${dialect}" not found
Errors reading or parsing /etc/freeradius/radiusd.conf
ezhangiso@ezhangiso-virtual-machine:/$
Can anyone shed some light on this and point me in the right direction what
else should I do?
2
1
>That doesn't make sense. The resumption tickets are sent via TLS to the
client.
>The client has chosen to not do session resumption. It probably needs to
be configured to do that.
Ok, I'll try to look my switch config to see if I found parameters to store
sessions. Can you please indicate me the lines of logs in my previous
message, in which resumption ticket is sent, thank very much.
>Read the RFCs if you're wondering how TTLS works.
I have already read it, but I just wanted to know what is the best practice.
Florent VERCOURT
2
1
Hello everyone,
I’m working to set up a FreeRADIUS server in version 3.2 that is able to
perform fast-reauthentication of users by caching sessions.
I‘m using EAP-TTLS/PAP as authentication protocol, and my users are stored
in an LDAP.
I would like to perform fast re-authentication of users once they have been
authenticated and allowed on the network as it’s explained in this radius
documentation article (link below).
<https://networkradius.com/articles/2020/12/10/design-blueprint-for-universi
ties.html>
https://networkradius.com/articles/2020/12/10/design-blueprint-for-universit
ies.html
I configured the « eap » module by enabling the cache of session, but it
seems sessions are only stored locally and, the ticket of the user sessions
is not forward to the supplicant to perform the re-authentication later on,
without having to go through all EAP-TTLS steps.
When I try to regain access to the network after being authenticated once,
all the EAP-TTLS steps are performed.
So I would like to know if I misunderstood the cache section and the way it
works in the « eap » module, or if there is a way to re-authenticate users
in a defined period of time by using the cache after they disconnect.
Also, Is it a good practice to send the total Length of the message in each
packet, or is it not recommended?
I configured « mods-enabled/eap » as follows :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = ${max_requests}
tls-config tls-common {
private_key_password = << secret >>
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
# auto_chain = yes
# psk_identity = "test"
# psk_hexphrase = "036363823"
# psk_query = "%{sql:select hex(key) from psk_keys where keyid
= '%{TLS-PSK-Identity}'}"
# dh_file = ${certdir}/dh
# random_file = /dev/urandom
# fragment_size = 2048
include_length = yes
# check_crl = yes
# check_all_crl = yes
# ca_path_reload_interval = 3600
allow_expired_crl = no
reject_unknown_intermediate_ca = yes
cipher_list = "DEFAULT"
# sigalgs_list = ""
cipher_server_preference = no
tls_min_version = "1.2"
tls_max_version = "1.3"
ecdh_curve = ""
cache {
enable = yes
lifetime = 18 # hours
name = "EAP-test"
persist_dir = "${logdir}/tlscache"
store {
Tunnel-type,
Tunnel-medium-type,
Tunnel-Private-Group-Id
}
}
verify {
# skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = " <http://127.0.0.1/ocsp/>
http://127.0.0.1/ocsp/"
# use_nonce = yes
# timeout = 0
# softfail = no
}
# realm_dir = ${certdir}/realms/
}
ttls {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
# include_length = yes
}
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~
My server is running correctly, here the debug output:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~
FreeRADIUS Version 3.2.1
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/ldap_dauphine
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/totp
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/digest
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/rfc7542
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dauphine
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 4
max_requests = 87040
postauth_client_lost = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 300
reject_delay = 1.200000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p173-002 {
ipaddr = 10.100.0.50
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client edouard {
ipaddr = 10.100.0.0/24
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client micro-switch {
ipaddr = 10.100.12.139
require_message_authenticator = no
secret = <<< secret >>>
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_ldap
# Loading module "ldap_dauphine" from file
/etc/raddb/mods-enabled/ldap_dauphine
ldap ldap_dauphine {
server = "ldap.dauphine.fr"
port = 389
identity = "uid=radius,ou=bindusers,dc=dauphine,dc=fr"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=posixGroup)"
scope = "sub"
name_attribute = "cn"
membership_attribute = "memberOf"
cacheable_name = no
cacheable_dn = no
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=frClient)"
scope = "sub"
base_dn = "ou=people,dc=dauphine,dc=fr"
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 3
}
tls {
start_tls = no
require_cert = "never"
}
}
Creating attribute ldap_dauphine-LDAP-Group
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_totp
# Loading module "totp" from file /etc/raddb/mods-enabled/totp
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 87040
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
instantiate {
}
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/coa
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "ldap_dauphine" from file
/etc/raddb/mods-enabled/ldap_dauphine
rlm_ldap: libldap vendor: OpenLDAP, version: 20459
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
rlm_ldap (ldap_dauphine): Initialising connection pool
pool {
start = 5
min = 4
max = 46
spare = 3
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 1
spread = no
}
rlm_ldap (ldap_dauphine): Opening additional connection (0), 1 of 46 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (1), 1 of 45 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (2), 1 of 44 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (3), 1 of 43 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
rlm_ldap (ldap_dauphine): Opening additional connection (4), 1 of 42 pending
slots used
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
allow_expired_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = yes
ecdh_curve = ""
tls_max_version = "1.3"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 18
name = "EAP-test"
max_entries = 255
persist_dir = "/var/log/radius/tlscache"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = " <http://127.0.0.1/ocsp/> http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 53058
Listening on proxy address :: port 55734
Ready to process requests
(0) Received Access-Request Id 116 from 10.100.0.16:1645 to 10.101.0.20:1812
length 257
(0) User-Name = "anonymous"
(0) Service-Type = Framed-User
(0) Cisco-AVPair = "service-type=Framed"
(0) Framed-MTU = 1500
(0) Called-Station-Id = "1C-1D-86-68-F0-05"
(0) Calling-Station-Id = "10-65-30-0F-CF-AD"
(0) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(0) Message-Authenticator = 0x27170bf1dd6f1899c3a48f0953367396
(0) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(0) Cisco-AVPair = "method=dot1x"
(0) Framed-IP-Address = 10.111.0.176
(0) NAS-IP-Address = 10.100.0.16
(0) NAS-Port-Id = "GigabitEthernet0/5"
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50105
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(0) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0xfe02921efe00877b
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 1014
(0) Sent Access-Challenge Id 116 from 10.101.0.20:1812 to 10.100.0.16:1645
length 64
(0) EAP-Message = 0x010200061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xfe02921efe00877b6bacf72413ed26ad
(0) Finished request
Waking up in 3.9 seconds.
(1) Received Access-Request Id 117 from 10.100.0.16:1645 to 10.101.0.20:1812
length 524
(1) User-Name = "anonymous"
(1) Service-Type = Framed-User
(1) Cisco-AVPair = "service-type=Framed"
(1) Framed-MTU = 1500
(1) Called-Station-Id = "1C-1D-86-68-F0-05"
(1) Calling-Station-Id = "10-65-30-0F-CF-AD"
(1) EAP-Message =
0x020201051580000000fb16030100f6010000f20303dc99e42d66e577ee8d0af140d8e46d9f
bd48e63536874e0c314774ec014347f8200953178c2f5495c71a18fe2ad8eec676bf5e2d7044
5c63bd3d080835a5e946df002813021301c02cc02bc030c02fc024c023c028c027c00ac009c0
14c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303
020301000d001a00180804080508060401050102010403050302030202060106030023000000
0a00080006001d00170018003300260024001d00201bb4781d453e1b91b923da8a0c73f42f6c
6247d2477723266ac7c98181928a0c0031000000170000ff01000100002d00020101
(1) Message-Authenticator = 0x54b5e0c7cd28c4feae286e5b226d376c
(1) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(1) Cisco-AVPair = "method=dot1x"
(1) Framed-IP-Address = 10.111.0.176
(1) NAS-IP-Address = 10.100.0.16
(1) NAS-Port-Id = "GigabitEthernet0/5"
(1) NAS-Port-Type = Ethernet
(1) NAS-Port = 50105
(1) State = 0xfe02921efe00877b6bacf72413ed26ad
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(1) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 261
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xfe02921efe00877b
(1) eap: Finished EAP session with state 0xfe02921efe00877b
(1) eap: Previous EAP request found for state 0xfe02921efe00877b, released
from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 251
bytes
(1) eap_ttls: (TLS) EAP Got all data (251 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(1) eap_ttls: (TLS) send TLS 1.3 ChangeCipherSpec
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions
(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write encrypted
extensions
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, Certificate
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, CertificateVerify
(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write server
certificate verify
(1) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(1) eap_ttls: (TLS) Server : Need to read more data: TLSv1.3 early data
(1) eap_ttls: (TLS) In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 3 length 1024
(1) eap: EAP session adding &reply:State = 0xfe02921eff01877b
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 1014
(1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(1) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(1) Sent Access-Challenge Id 117 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(1) EAP-Message =
0x0103040015c000000bc9160303007a02000076030381b4a004b35335db2ff66ef5edd6ed4b
0688d9c0e4b6b25d1fa302772e2e70a7200953178c2f5495c71a18fe2ad8eec676bf5e2d7044
5c63bd3d080835a5e946df130200002e002b0002030400330024001d0020f318ac027b747f50
9768c85d7ebfbc626224cea3d101c5d59810fb7e8c7fa85f140303000101170303001785ca5e
cb5f681c5af67a7fc28a2fe530799654b00fbad617030309bb26eb9d4a9031efc383c91f348e
e4e7deccc759b1548cb9ecc402aa7cb28bf575845e8c778f9525b43b7cd39402e5dd4b927834
65dbbe6a004358cabbc564eb15bbfa5871bd052c486f5138a93aaf8e2e3e4a2c88ab777cd29c
5e15fa4a258b3f24acaba90931ab6fb035f9970bef74b4102569f5bfe7e2f458a6459abb5d35
a2251ba80f0d117c8f705b1ab369c351e7c0ee8342b9454f8f5d6dad9d2dad63734adf14c0d4
058d35368c6010c4cf9716fd1931c3ac6f3ece235eb1cd3d213ec253275e194b0d2f
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xfe02921eff01877b6bacf72413ed26ad
(1) Finished request
Waking up in 3.9 seconds.
(2) Received Access-Request Id 118 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267
(2) User-Name = "anonymous"
(2) Service-Type = Framed-User
(2) Cisco-AVPair = "service-type=Framed"
(2) Framed-MTU = 1500
(2) Called-Station-Id = "1C-1D-86-68-F0-05"
(2) Calling-Station-Id = "10-65-30-0F-CF-AD"
(2) EAP-Message = 0x020300061500
(2) Message-Authenticator = 0x3f9ce0a2d3b32ad8e5a8134f48355378
(2) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(2) Cisco-AVPair = "method=dot1x"
(2) Framed-IP-Address = 10.111.0.176
(2) NAS-IP-Address = 10.100.0.16
(2) NAS-Port-Id = "GigabitEthernet0/5"
(2) NAS-Port-Type = Ethernet
(2) NAS-Port = 50105
(2) State = 0xfe02921eff01877b6bacf72413ed26ad
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 1014
(2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(2) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xfe02921eff01877b
(2) eap: Finished EAP session with state 0xfe02921eff01877b
(2) eap: Previous EAP request found for state 0xfe02921eff01877b, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 4 length 1024
(2) eap: EAP session adding &reply:State = 0xfe02921efc06877b
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 1014
(2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(2) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(2) Sent Access-Challenge Id 118 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(2) EAP-Message =
0x0104040015c000000bc9f1f4cf437af91b16d0f14a5c21719a9941f3395ad50388ec984a29
ce4e144f5a3dd4bc07b977eadc2f10a7b1cd069f9d114704a6f1e618c66300a6ea8b6f82b06c
ac295225ddf9017c89f15555a5ec94e9299848d0194b29c5da68d837d7b216ba43eaa97be09c
774e2db93d5fe39afa11a3e0c131dc321ca3f802cf07085c067f5867ce2550d051171e4b8264
f9175382685ebe6f1d214b5772fe68eaf70a4a12f9f383afb826cfc71e3bbf79a7f9ce255bef
3c21983d5be1f1bc693c6848ef321c673d7343a1802ee3f83ae50da149d82e4ef7f575de1fe0
352dbae96a0051973f6a7a2a0a80c6bbab36bb123f4fcc5fea36f8bec44250a219f6c7dd0735
a29e011952a29d233ec78238801850eebab6662c239241c8908b0eff03836df40d9e2bad16be
5fe7d420490f2eb891dc413275ffa816aa7fe801f914463ae8000a38c5a7b42faa849ca6e8d9
71f715ee26f6193aa3ac30366599a17df457869a3a28df4d1eadea3c73a2fab17e2d
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xfe02921efc06877b6bacf72413ed26ad
(2) Finished request
Waking up in 3.9 seconds.
(3) Received Access-Request Id 119 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267
(3) User-Name = "anonymous"
(3) Service-Type = Framed-User
(3) Cisco-AVPair = "service-type=Framed"
(3) Framed-MTU = 1500
(3) Called-Station-Id = "1C-1D-86-68-F0-05"
(3) Calling-Station-Id = "10-65-30-0F-CF-AD"
(3) EAP-Message = 0x020400061500
(3) Message-Authenticator = 0x69f837d9849e72401c77e51a5f9d3053
(3) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(3) Cisco-AVPair = "method=dot1x"
(3) Framed-IP-Address = 10.111.0.176
(3) NAS-IP-Address = 10.100.0.16
(3) NAS-Port-Id = "GigabitEthernet0/5"
(3) NAS-Port-Type = Ethernet
(3) NAS-Port = 50105
(3) State = 0xfe02921efc06877b6bacf72413ed26ad
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 1014
(3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(3) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xfe02921efc06877b
(3) eap: Finished EAP session with state 0xfe02921efc06877b
(3) eap: Previous EAP request found for state 0xfe02921efc06877b, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 5 length 999
(3) eap: EAP session adding &reply:State = 0xfe02921efd07877b
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 1014
(3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(3) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(3) Sent Access-Challenge Id 119 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1063
(3) EAP-Message =
0x010503e7158000000bc9f5b05c15f0ae9d80fb7f6549d2607f8b5803a43a84d194ee02c4ff
dc1e216fae66ecd0d89074b891785d67a9bae09ce967fecfc613537288353725672f2e209d69
42d313fc34155e5a1361cbb00085efe5b876c96ac364462384d580ebe80c95e147f3e77ba66a
df5cfb428ce85b694743e7b2b22a99ab41751031bd9aa4f45d275ab0e4f375b15b8ad7f1209b
f76ef703dbf6d78f04a56f4b2d34f6b61c8004e349338537f7c910178b25cb6addcb065b82d5
e0da810945b8605bc494ac81bb11e7f155156167dcf0d0246fbedb680253cd7e47fdf723b745
662ee142b8bf74c428944ca83349109da7b79e9bb74095ddceb897378009e96e6b591e378505
d39c60ef91f4679e04d5829aa6ea68b9fb9505703848b0c11485de27079f0a1aa72e9f7b6b94
4746d799c2415d39a4191d2e77a5b4ecab793498b835320b6b1bca58f379d94647489eb3d485
3c4eaae4be67b427adaa4b7237bf1c671e8e4159b93a049b92862af259194eba680b
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xfe02921efd07877b6bacf72413ed26ad
(3) Finished request
Waking up in 3.9 seconds.
(4) Received Access-Request Id 120 from 10.100.0.16:1645 to 10.101.0.20:1812
length 421
(4) User-Name = "anonymous"
(4) Service-Type = Framed-User
(4) Cisco-AVPair = "service-type=Framed"
(4) Framed-MTU = 1500
(4) Called-Station-Id = "1C-1D-86-68-F0-05"
(4) Calling-Station-Id = "10-65-30-0F-CF-AD"
(4) EAP-Message =
0x020500a01580000000961403030001011703030045727b7c7d139d0382232c4013124229c0
8693d0974531dbcdd3d59d210afebe1097bfc7468da2024832126365069720b2095b8049e735
9005ed64d22f9734a04ad09224a78017030300416625c5d7d0c92d892ae205010a224bd2a610
1de65acd878a2736a836174366497e0d2acbfd4a28dfd93984adcd98dc20e1b02a7f88255e01
d3b6fa21ee31b5b70e
(4) Message-Authenticator = 0x068f3eb81cbe86211779105adf4e14fe
(4) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(4) Cisco-AVPair = "method=dot1x"
(4) Framed-IP-Address = 10.111.0.176
(4) NAS-IP-Address = 10.100.0.16
(4) NAS-Port-Id = "GigabitEthernet0/5"
(4) NAS-Port-Type = Ethernet
(4) NAS-Port = 50105
(4) State = 0xfe02921efd07877b6bacf72413ed26ad
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 1014
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 160
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xfe02921efd07877b
(4) eap: Finished EAP session with state 0xfe02921efd07877b
(4) eap: Previous EAP request found for state 0xfe02921efd07877b, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) EAP Peer says that the final record size will be 150
bytes
(4) eap_ttls: (TLS) EAP Got all data (150 bytes)
(4) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(4) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(4) eap_ttls: (TLS) Handshake state - SSLv3/TLS write session ticket
(4) eap_ttls: Serialising session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2, and
storing in cache
(4) eap_ttls: WARNING: (TLS) Wrote session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2 to
/var/log/radius/tlscache/8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d
40a3f89ecafb2.asn1 (141 bytes)
(4) eap_ttls: (TLS) send TLS 1.3 Handshake, NewSessionTicket
(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write session ticket
(4) eap_ttls: (TLS) recv TLS 1.3 Handshake, NewSessionTicket
(4) eap_ttls: Session established. Proceeding to decode tunneled attributes
(4) eap_ttls: Got tunneled request
(4) eap_ttls: User-Name = "fvercourt"
(4) eap_ttls: User-Password = "xC#8z7p6DDB8?a67ctQ7"
(4) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(4) eap_ttls: Sending tunneled request
(4) Virtual server inner-tunnel received request
(4) User-Name = "<< user_name >>"
(4) User-Password = "<< secret >>"
(4) FreeRADIUS-Proxied-To = 127.0.0.1
(4) Service-Type = Framed-User
(4) Cisco-AVPair = "service-type=Framed"
(4) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(4) Cisco-AVPair = "method=dot1x"
(4) Framed-MTU = 1500
(4) Called-Station-Id = "1C-1D-86-68-F0-05"
(4) Calling-Station-Id = "10-65-30-0F-CF-AD"
(4) Framed-IP-Address = 10.111.0.176
(4) NAS-IP-Address = 10.100.0.16
(4) NAS-Port-Id = "GigabitEthernet0/5"
(4) NAS-Port-Type = Ethernet
(4) NAS-Port = 50105
(4) Event-Timestamp = "Jan 23 2023 15:48:30 CET"
(4) server inner-tunnel {
(4) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(4) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [chap] = noop
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "<< user_name >>", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) update control {
(4) &Proxy-To-Realm := LOCAL
(4) } # update control = noop
(4) eap: No EAP-Message, not doing EAP
(4) [eap] = noop
(4) [files] = noop
rlm_ldap (ldap_dauphine): Reserved connection (0)
(4) ldap_dauphine: EXPAND
(|(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}@dauphine.fr))
(4) ldap_dauphine: --> (|(supannAliasLogin="<< user_name >>") (mail="<<
user_name >>") (mail=<<@dauphine.fr))
(4) ldap_dauphine: Performing search in "ou=people,dc=dauphine,dc=fr" with
filter "(|(supannAliasLogin="<< user_name >>") (mail="<< user_name >>")
(mail="<< user_name >>"@dauphine.fr))", scope "sub"
(4) ldap_dauphine: Waiting for search result...
ber_get_next failed, errno=0.
rlm_ldap (ldap_dauphine): Reconnecting (0)
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
(4) ldap_dauphine: WARNING: Search failed: Can't contact LDAP server. Got
new socket, retrying...
(4) ldap_dauphine: Waiting for search result...
(4) ldap_dauphine: User object found at DN
"uid=00061572,ou=people,dc=dauphine,dc=fr"
(4) ldap_dauphine: Processing user attributes
(4) ldap_dauphine: control:Password-With-Header += '<< Password_HASH >>’
rlm_ldap (ldap_dauphine): Released connection (0)
rlm_ldap (ldap_dauphine): Closing connection (1) - Too many unused
connections.
(4) [ldap_dauphine] = updated
(4) [expiration] = noop
(4) [logintime] = noop
(4) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
(4) pap: Removing &control:Password-With-Header
(4) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes
(4) [pap] = updated
(4) } # authorize = updated
(4) Found Auth-Type = PAP
(4) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(4) Auth-Type PAP {
(4) pap: Login attempt with password
(4) pap: Comparing with "known-good" SSHA-Password
(4) pap: User authenticated successfully
(4) [pap] = ok
(4) } # Auth-Type PAP = ok
(4) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(4) post-auth {
(4) if (0) {
(4) if (0) -> FALSE
(4) } # post-auth = noop
(4) Login OK: [<< user_name >>] (from client edouard port 50105 cli
10-65-30-0F-CF-AD via TLS tunnel)
(4) } # server inner-tunnel
(4) Virtual server sending reply
(4) eap_ttls: Got tunneled Access-Accept
(4) eap_ttls: (TLS) cache - Setting up attributes for session resumption
(4) eap_ttls: caching EAP-Type = TTLS
(4) eap_ttls: Saving session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2 in the disk
cache
(4) eap: Sending EAP Success (code 3) ID 5 length 4
(4) eap: Freeing handler
(4) [eap] = ok
(4) } # authenticate = ok
(4) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(4) post-auth {
(4) update reply {
(4) Tunnel-type = VLAN
(4) Tunnel-medium-type = IEEE-802
(4) Tunnel-Private-Group-Id = 333
(4) } # update reply = noop
(4) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(4) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(4) update {
(4) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
ServerHello'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3
ChangeCipherSpec'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
EncryptedExtensions'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Certificate'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
CertificateVerify'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Finished'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
Finished'
(4) &reply::TLS-Cache-Filename += &session-state:TLS-Cache-Filename[*]
->
'/var/log/radius/tlscache/8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76
d40a3f89ecafb2.asn1'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
NewSessionTicket'
(4) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
NewSessionTicket'
(4) } # update = noop
(4) [exec] = noop
(4) policy remove_reply_message_if_eap {
(4) if (&reply:EAP-Message && &reply:Reply-Message) {
(4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(4) else {
(4) [noop] = noop
(4) } # else = noop
(4) } # policy remove_reply_message_if_eap = noop
(4) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(4) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(4) } # post-auth = noop
(4) Login OK: [anonymous] (from client edouard port 50105 cli
10-65-30-0F-CF-AD)
(4) Sent Access-Accept Id 120 from 10.101.0.20:1812 to 10.100.0.16:1645
length 195
(4) MS-MPPE-Recv-Key =
0xe8f069d02ca53749e572b46431b26292c44bba7742a8dc2ee298bf2d0204bab3
(4) MS-MPPE-Send-Key =
0x3b4174e10b09e1b4bb95d18de1176dcec746aa5097fe8932cbfa6ea96149f368
(4) EAP-Message = 0x03050004
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) User-Name = "anonymous"
(4) Tunnel-Type = VLAN
(4) Tunnel-Medium-Type = IEEE-802
(4) Tunnel-Private-Group-Id = "333"
(4) Framed-MTU += 1014
(4) Finished request
Waking up in 2.0 seconds.
(5) Received Accounting-Request Id 77 from 10.100.0.16:1646 to
10.101.0.20:1813 length 229
(5) Framed-IP-Address = 10.111.0.176
(5) User-Name = "anonymous"
(5) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(5) Cisco-AVPair = "vlan-id=333"
(5) Cisco-AVPair = "method=dot1x"
(5) Called-Station-Id = "1C-1D-86-68-F0-05"
(5) Calling-Station-Id = "10-65-30-0F-CF-AD"
(5) NAS-IP-Address = 10.100.0.16
(5) NAS-Port-Id = "GigabitEthernet0/5"
(5) NAS-Port-Type = Ethernet
(5) NAS-Port = 50105
(5) Acct-Session-Id = "0000007E"
(5) Acct-Status-Type = Start
(5) Event-Timestamp = "Jan 23 2023 15:48:31 CET"
(5) Acct-Delay-Time = 0
(5) # Executing section preacct from file /etc/raddb/sites-enabled/default
(5) preacct {
(5) [preprocess] = ok
(5) policy acct_unique {
(5) update request {
(5) &Tmp-String-9 := "ai:"
(5) } # update request = noop
(5) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(5) EXPAND %{hex:&Class}
(5) -->
(5) EXPAND ^%{hex:&Tmp-String-9}
(5) --> ^61693a
(5) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(5) else {
(5) update request {
(5) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(5) --> 26336d4848cc85848291b9aff73b07c4
(5) &Acct-Unique-Session-Id := 26336d4848cc85848291b9aff73b07c4
(5) } # update request = noop
(5) } # else = noop
(5) update request {
(5) &Tmp-String-9 !* ANY
(5) } # update request = noop
(5) } # policy acct_unique = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) [files] = noop
(5) } # preacct = ok
(5) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(5) accounting {
(5) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(5) detail: --> /var/log/radius/radacct/10.100.0.16/detail-20230123
(5) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.16/detail-20230123
(5) detail: EXPAND %t
(5) detail: --> Mon Jan 23 15:48:31 2023
(5) [detail] = ok
(5) [unix] = ok
(5) [exec] = noop
(5) attr_filter.accounting_response: EXPAND %{User-Name}
(5) attr_filter.accounting_response: --> anonymous
(5) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(5) [attr_filter.accounting_response] = updated
(5) } # accounting = updated
(5) Sent Accounting-Response Id 77 from 10.101.0.20:1813 to 10.100.0.16:1646
length 20
(5) Finished request
(5) Cleaning up request packet ID 77 with timestamp +46 due to done
Waking up in 1.0 seconds.
(0) Cleaning up request packet ID 116 with timestamp +43 due to
cleanup_delay was reached
(1) Cleaning up request packet ID 117 with timestamp +43 due to
cleanup_delay was reached
(2) Cleaning up request packet ID 118 with timestamp +43 due to
cleanup_delay was reached
(3) Cleaning up request packet ID 119 with timestamp +43 due to
cleanup_delay was reached
Waking up in 1.8 seconds.
(4) Cleaning up request packet ID 120 with timestamp +45 due to
cleanup_delay was reached
Ready to process requests
(6) Received Accounting-Request Id 78 from 10.100.0.16:1646 to
10.101.0.20:1813 length 265
(6) Framed-IP-Address = 10.111.0.176
(6) User-Name = "anonymous"
(6) Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"
(6) Cisco-AVPair = "vlan-id=333"
(6) Cisco-AVPair = "method=dot1x"
(6) Called-Station-Id = "1C-1D-86-68-F0-05"
(6) Calling-Station-Id = "10-65-30-0F-CF-AD"
(6) NAS-IP-Address = 10.100.0.16
(6) NAS-Port-Id = "GigabitEthernet0/5"
(6) NAS-Port-Type = Ethernet
(6) NAS-Port = 50105
(6) Acct-Session-Id = "0000007E"
(6) Acct-Terminate-Cause = Lost-Carrier
(6) Acct-Status-Type = Stop
(6) Event-Timestamp = "Jan 23 2023 15:51:31 CET"
(6) Acct-Session-Time = 180
(6) Acct-Input-Octets = 20194364
(6) Acct-Output-Octets = 1261011568
(6) Acct-Input-Packets = 184950
(6) Acct-Output-Packets = 899478
(6) Acct-Delay-Time = 0
(6) # Executing section preacct from file /etc/raddb/sites-enabled/default
(6) preacct {
(6) [preprocess] = ok
(6) policy acct_unique {
(6) update request {
(6) &Tmp-String-9 := "ai:"
(6) } # update request = noop
(6) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(6) EXPAND %{hex:&Class}
(6) -->
(6) EXPAND ^%{hex:&Tmp-String-9}
(6) --> ^61693a
(6) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(6) else {
(6) update request {
(6) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(6) --> 26336d4848cc85848291b9aff73b07c4
(6) &Acct-Unique-Session-Id := 26336d4848cc85848291b9aff73b07c4
(6) } # update request = noop
(6) } # else = noop
(6) update request {
(6) &Tmp-String-9 !* ANY
(6) } # update request = noop
(6) } # policy acct_unique = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) [files] = noop
(6) } # preacct = ok
(6) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(6) accounting {
(6) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(6) detail: --> /var/log/radius/radacct/10.100.0.16/detail-20230123
(6) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.16/detail-20230123
(6) detail: EXPAND %t
(6) detail: --> Mon Jan 23 15:51:31 2023
(6) [detail] = ok
(6) [unix] = ok
(6) [exec] = noop
(6) attr_filter.accounting_response: EXPAND %{User-Name}
(6) attr_filter.accounting_response: --> anonymous
(6) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(6) [attr_filter.accounting_response] = updated
(6) } # accounting = updated
(6) Sent Accounting-Response Id 78 from 10.101.0.20:1813 to 10.100.0.16:1646
length 20
(6) Finished request
(6) Cleaning up request packet ID 78 with timestamp +226 due to done
Ready to process requests
(7) Received Access-Request Id 121 from 10.100.0.16:1645 to 10.101.0.20:1812
length 257
(7) User-Name = "anonymous"
(7) Service-Type = Framed-User
(7) Cisco-AVPair = "service-type=Framed"
(7) Framed-MTU = 1500
(7) Called-Station-Id = "1C-1D-86-68-F0-05"
(7) Calling-Station-Id = "10-65-30-0F-CF-AD"
(7) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(7) Message-Authenticator = 0x95fbe1a2b99598e655d08d4d335dc5bd
(7) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(7) Cisco-AVPair = "method=dot1x"
(7) Framed-IP-Address = 10.111.0.176
(7) NAS-IP-Address = 10.100.0.16
(7) NAS-Port-Id = "GigabitEthernet0/5"
(7) NAS-Port-Type = Ethernet
(7) NAS-Port = 50105
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(7) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 14
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: (TLS) Initiating new session
(7) eap: Sending EAP Request (code 1) ID 2 length 6
(7) eap: EAP session adding &reply:State = 0xbb455463bb474125
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Framed-MTU = 1014
(7) Sent Access-Challenge Id 121 from 10.101.0.20:1812 to 10.100.0.16:1645
length 64
(7) EAP-Message = 0x010200061520
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xbb455463bb4741259c77a610d5caea1f
(7) Finished request
Waking up in 3.9 seconds.
(8) Received Access-Request Id 122 from 10.100.0.16:1645 to 10.101.0.20:1812
length 524
(8) User-Name = "anonymous"
(8) Service-Type = Framed-User
(8) Cisco-AVPair = "service-type=Framed"
(8) Framed-MTU = 1500
(8) Called-Station-Id = "1C-1D-86-68-F0-05"
(8) Calling-Station-Id = "10-65-30-0F-CF-AD"
(8) EAP-Message =
0x020201051580000000fb16030100f6010000f20303bc7cb74fc4e656b719b2b4aea42da3dc
ab905197e53228b91170245440171b25202eca8734fde773de82eb9ce9b5a54084c899da401f
baecdf67e065ff118c5026002813021301c02cc02bc030c02fc024c023c028c027c00ac009c0
14c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303
020301000d001a00180804080508060401050102010403050302030202060106030023000000
0a00080006001d00170018003300260024001d002045478a7ec1699508b4546bde4c1692e625
2630658b936ae3289d11ba3ce90d380031000000170000ff01000100002d00020101
(8) Message-Authenticator = 0xe1a588f3c4720ed8de29e1e948d11116
(8) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(8) Cisco-AVPair = "method=dot1x"
(8) Framed-IP-Address = 10.111.0.176
(8) NAS-IP-Address = 10.100.0.16
(8) NAS-Port-Id = "GigabitEthernet0/5"
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50105
(8) State = 0xbb455463bb4741259c77a610d5caea1f
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 1014
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(8) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 2 length 261
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xbb455463bb474125
(8) eap: Finished EAP session with state 0xbb455463bb474125
(8) eap: Previous EAP request found for state 0xbb455463bb474125, released
from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: (TLS) EAP Peer says that the final record size will be 251
bytes
(8) eap_ttls: (TLS) EAP Got all data (251 bytes)
(8) eap_ttls: (TLS) Handshake state - before SSL initialization
(8) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(8) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(8) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(8) eap_ttls: (TLS) send TLS 1.3 ChangeCipherSpec
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions
(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write encrypted
extensions
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, Certificate
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, CertificateVerify
(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write server
certificate verify
(8) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished
(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(8) eap_ttls: (TLS) Server : Need to read more data: TLSv1.3 early data
(8) eap_ttls: (TLS) In Handshake Phase
(8) eap: Sending EAP Request (code 1) ID 3 length 1024
(8) eap: EAP session adding &reply:State = 0xbb455463ba464125
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) Framed-MTU = 1014
(8) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(8) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(8) Sent Access-Challenge Id 122 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(8) EAP-Message =
0x0103040015c000000bc9160303007a020000760303770024854f0856f5a9aa4433bd168a8c
1663b8864fab363383e1f0c48b01e4c5202eca8734fde773de82eb9ce9b5a54084c899da401f
baecdf67e065ff118c5026130200002e002b0002030400330024001d0020eb1d7c9a661dbb80
87e6e503dfec301a45369a25fa9e9629450e499e45c4c83714030300010117030300175e2aa3
5daab2e2c1e777265f7c05aaf59a9952866a99f317030309bbfd1f007754fa0dd33e6f75f2a6
5b42c25bec9b25dd1385f3a3751f06bac475df736093e7dbd5e54646bc9172c7a865d05a646b
6a0d973b82988ad50faf2223fdb02451847eef9ac19930e0928e8d3dd7573d7d7396f914d0f6
df7253e91a634fd678e75694d26b0322e162d7c496eae3cb1cee84e9af371b2b682666ef8f46
f3667c806a8b470d8e6988a41f9df82a3740a325d9d7f7c7d49a8d4eeb15c3dbe8d799dfc39f
588fdc75380c1bd5657c77c0610440293c69e81f37a27ca086579651f458ab6eb3de
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbb455463ba4641259c77a610d5caea1f
(8) Finished request
Waking up in 3.9 seconds.
(9) Received Access-Request Id 123 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267
(9) User-Name = "anonymous"
(9) Service-Type = Framed-User
(9) Cisco-AVPair = "service-type=Framed"
(9) Framed-MTU = 1500
(9) Called-Station-Id = "1C-1D-86-68-F0-05"
(9) Calling-Station-Id = "10-65-30-0F-CF-AD"
(9) EAP-Message = 0x020300061500
(9) Message-Authenticator = 0x2230b850fae1f735dff59252f552a475
(9) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(9) Cisco-AVPair = "method=dot1x"
(9) Framed-IP-Address = 10.111.0.176
(9) NAS-IP-Address = 10.100.0.16
(9) NAS-Port-Id = "GigabitEthernet0/5"
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50105
(9) State = 0xbb455463ba4641259c77a610d5caea1f
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 1014
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(9) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 3 length 6
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xbb455463ba464125
(9) eap: Finished EAP session with state 0xbb455463ba464125
(9) eap: Previous EAP request found for state 0xbb455463ba464125, released
from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: (TLS) Peer ACKed our handshake fragment
(9) eap: Sending EAP Request (code 1) ID 4 length 1024
(9) eap: EAP session adding &reply:State = 0xbb455463b9414125
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9) Framed-MTU = 1014
(9) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(9) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(9) Sent Access-Challenge Id 123 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090
(9) EAP-Message =
0x0104040015c000000bc95c6adce2df0918de28872f44b0532fc184381223951f6a6203a1f9
1e2282872f2ca960a9866f1e84e8a30448781f7ce81fc0a4f3786e6e58161ad9b35f33bd2cef
6cf972c7458b0dae8ef799b2596063c40f67d54a62f8dc0ca06649343a758b17e9e77044f57f
fd239786df3da73c6cab18965541976d7fa1653efeb62c5048bcc0de713371ed2528ebb50726
f0ed6dfb32c53a898d2f2d0d315210e4ed8dd33d3d69cbd223d95cbc5f86dddf78f1ac963f50
2f2a910e7922a444c8a58e125b4eaf95e9b3075122cfe83a0e088176d072dd9fbaec52ad93da
3e90725c2835a74c4dd5a649f180526e16c22b7890f498b7112439af08e3e0e36c1d431ff635
5c12d6426de65021aca7dffe91316af2e526b6e2da8b881f9daf49f2bc66d370d9a909b36a0c
610f8ea9a995e0380ef9fc5c2f208ea20079e2c5ef1adef8b7fc55e68ff6296572a736248a2f
ddb9c4bc3cc343f6bfb33321cae0b2fcd0c4dfdba8392eefd789782343155bb333c9
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xbb455463b94141259c77a610d5caea1f
(9) Finished request
Waking up in 3.9 seconds.
(10) Received Access-Request Id 124 from 10.100.0.16:1645 to
10.101.0.20:1812 length 267
(10) User-Name = "anonymous"
(10) Service-Type = Framed-User
(10) Cisco-AVPair = "service-type=Framed"
(10) Framed-MTU = 1500
(10) Called-Station-Id = "1C-1D-86-68-F0-05"
(10) Calling-Station-Id = "10-65-30-0F-CF-AD"
(10) EAP-Message = 0x020400061500
(10) Message-Authenticator = 0xcf01c3ce8e8c77c72ffbd3cb7f4df406
(10) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(10) Cisco-AVPair = "method=dot1x"
(10) Framed-IP-Address = 10.111.0.176
(10) NAS-IP-Address = 10.100.0.16
(10) NAS-Port-Id = "GigabitEthernet0/5"
(10) NAS-Port-Type = Ethernet
(10) NAS-Port = 50105
(10) State = 0xbb455463b94141259c77a610d5caea1f
(10) Restoring &session-state
(10) &session-state:Framed-MTU = 1014
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(10) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 4 length 6
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xbb455463b9414125
(10) eap: Finished EAP session with state 0xbb455463b9414125
(10) eap: Previous EAP request found for state 0xbb455463b9414125, released
from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: (TLS) Peer ACKed our handshake fragment
(10) eap: Sending EAP Request (code 1) ID 5 length 999
(10) eap: EAP session adding &reply:State = 0xbb455463b8404125
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) session-state: Saving cached attributes
(10) Framed-MTU = 1014
(10) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"
(10) TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"
(10) Sent Access-Challenge Id 124 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1063
(10) EAP-Message =
0x010503e7158000000bc9d9ab09bcb961adae0a3f7517ba8cf219156a8645871001f01b9a48
1a98d7386ebede08d1235a47d1c068dee101bd2c8e568fb55e4f110b1ce27fd37b16cecc3944
274430f835717ae26145c0f6d748240d91650e9fac6ecd002cc723efda237b47b0ee041ec63a
686b92e664de819d2b9e5439f4f9de7a2cc4eda2057c7447dad43fc1aaad003b665e9a463bdd
07ca61b3edae4139d7f80977c247a45697ca33aae4c8ea6d03e021804be9eeed4cc433334fd6
25c62a5e7859f52fecc302ac83a6058bac46d982e98f1d0773a26be0cbe62271b45f50c9353d
a5d6c1fb28ee5aa127845a83030875fd6028e63194c03640150d5388df8887ca0f87b1311b02
243a67abc28794570e167eff0e4bce726ce8c373cb52a4fc9df5d65649cd1c9eba97adf15ac8
d5d27608ccab68ed4181e085f7c53c373395f6f707807f46effe7b929d31a5b696fbe78ab29e
e9de654a8c9b895a464fe35cddaba5607efbb4eae4ee6cd03f0534307ab9fbbfae14
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xbb455463b84041259c77a610d5caea1f
(10) Finished request
Waking up in 3.9 seconds.
(11) Received Access-Request Id 125 from 10.100.0.16:1645 to
10.101.0.20:1812 length 421
(11) User-Name = "anonymous"
(11) Service-Type = Framed-User
(11) Cisco-AVPair = "service-type=Framed"
(11) Framed-MTU = 1500
(11) Called-Station-Id = "1C-1D-86-68-F0-05"
(11) Calling-Station-Id = "10-65-30-0F-CF-AD"
(11) EAP-Message =
0x020500a0158000000096140303000101170303004518b03cdd7a3d877bd60d15b6c2d39bab
0896169fa3a2785f9e9c7d9ce2bdf71a87f5a05131f4e1d69945506abd38566012c910e16c52
13ad8f23f8a05a0ad3f3e8f7f93604170303004108be289a7c3651f4ccd6edf31fc1cc525c81
7e1950bf1645734a55231d01342bfb85f7c5a84cbdec624146ace4253f22f1605faba5d4ba6c
154c38ff03b80de5a2
(11) Message-Authenticator = 0xe7411a65948c81a8068f05ec25501b56
(11) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(11) Cisco-AVPair = "method=dot1x"
(11) Framed-IP-Address = 10.111.0.176
(11) NAS-IP-Address = 10.100.0.16
(11) NAS-Port-Id = "GigabitEthernet0/5"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50105
(11) State = 0xbb455463b84041259c77a610d5caea1f
(11) Restoring &session-state
(11) &session-state:Framed-MTU = 1014
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 5 length 160
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xbb455463b8404125
(11) eap: Finished EAP session with state 0xbb455463b8404125
(11) eap: Previous EAP request found for state 0xbb455463b8404125, released
from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: (TLS) EAP Peer says that the final record size will be 150
bytes
(11) eap_ttls: (TLS) EAP Got all data (150 bytes)
(11) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data
(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished
(11) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(11) eap_ttls: (TLS) Handshake state - SSLv3/TLS write session ticket
(11) eap_ttls: Serialising session
630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911, and
storing in cache
(11) eap_ttls: WARNING: (TLS) Wrote session
630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911 to
/var/log/radius/tlscache/630d327a8dd0ab555038688964549f6090d80b50941ec0460f3
0dc622db74911.asn1 (140 bytes)
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, NewSessionTicket
(11) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write session ticket
(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, NewSessionTicket
(11) eap_ttls: Session established. Proceeding to decode tunneled
attributes
(11) eap_ttls: Got tunneled request
(11) eap_ttls: User-Name = "fvercourt"
(11) eap_ttls: User-Password = "xC#8z7p6DDB8?a67ctQ7"
(11) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_ttls: Sending tunneled request
(11) Virtual server inner-tunnel received request
(11) User-Name = "<< user_name >>"
(11) User-Password = "<< secret >>"
(11) FreeRADIUS-Proxied-To = 127.0.0.1
(11) Service-Type = Framed-User
(11) Cisco-AVPair = "service-type=Framed"
(11) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(11) Cisco-AVPair = "method=dot1x"
(11) Framed-MTU = 1500
(11) Called-Station-Id = "1C-1D-86-68-F0-05"
(11) Calling-Station-Id = "10-65-30-0F-CF-AD"
(11) Framed-IP-Address = 10.111.0.176
(11) NAS-IP-Address = 10.100.0.16
(11) NAS-Port-Id = "GigabitEthernet0/5"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50105
(11) Event-Timestamp = "Jan 23 2023 15:52:03 CET"
(11) server inner-tunnel {
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~
<mailto:/@(.+)\.(.+)$/)> /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) {
(11) if (&User-Name =~ <mailto:/@\./> /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [chap] = noop
(11) [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "<< user_name >>", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) update control {
(11) &Proxy-To-Realm := LOCAL
(11) } # update control = noop
(11) eap: No EAP-Message, not doing EAP
(11) [eap] = noop
(11) [files] = noop
rlm_ldap (ldap_dauphine): Reserved connection (2)
(11) ldap_dauphine: EXPAND
(|(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}@dauphine.fr))
(11) ldap_dauphine: --> (|(supannAliasLogin="<< user_name >>") (mail="<<
user_name >>") (mail="<< user_name >>"@dauphine.fr))
(11) ldap_dauphine: Performing search in "ou=people,dc=dauphine,dc=fr" with
filter "(|(supannAliasLogin="<< user_name >>") (mail="<< user_name >>")
(mail="<< user_name >>"@dauphine.fr))", scope "sub"
(11) ldap_dauphine: Waiting for search result...
rlm_ldap (ldap_dauphine): Reconnecting (2)
rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389
rlm_ldap (ldap_dauphine): Waiting for bind result...
rlm_ldap (ldap_dauphine): Bind successful
(11) ldap_dauphine: WARNING: Search failed: Can't contact LDAP server. Got
new socket, retrying...
(11) ldap_dauphine: Waiting for search result...
(11) ldap_dauphine: User object found at DN
"uid=00061572,ou=people,dc=dauphine,dc=fr"
(11) ldap_dauphine: Processing user attributes
(11) ldap_dauphine: control:Password-With-Header += '<< passord_HASH >>’
rlm_ldap (ldap_dauphine): Released connection (2)
rlm_ldap (ldap_dauphine): You probably need to lower "min"
rlm_ldap (ldap_dauphine): Closing expired connection (4) - Hit idle_timeout
limit
rlm_ldap (ldap_dauphine): You probably need to lower "min"
rlm_ldap (ldap_dauphine): Closing expired connection (3) - Hit idle_timeout
limit
rlm_ldap (ldap_dauphine): You probably need to lower "min"
rlm_ldap (ldap_dauphine): Closing expired connection (0) - Hit idle_timeout
limit
(11) [ldap_dauphine] = updated
(11) [expiration] = noop
(11) [logintime] = noop
(11) pap: Converted: &control:Password-With-Header ->
&control:SSHA1-Password
(11) pap: Removing &control:Password-With-Header
(11) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes
(11) [pap] = updated
(11) } # authorize = updated
(11) Found Auth-Type = PAP
(11) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(11) Auth-Type PAP {
(11) pap: Login attempt with password
(11) pap: Comparing with "known-good" SSHA-Password
(11) pap: User authenticated successfully
(11) [pap] = ok
(11) } # Auth-Type PAP = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(11) post-auth {
(11) if (0) {
(11) if (0) -> FALSE
(11) } # post-auth = noop
(11) Login OK: ["<< user_name >>"] (from client edouard port 50105 cli
10-65-30-0F-CF-AD via TLS tunnel)
(11) } # server inner-tunnel
(11) Virtual server sending reply
(11) eap_ttls: Got tunneled Access-Accept
(11) eap_ttls: (TLS) cache - Setting up attributes for session resumption
(11) eap_ttls: caching EAP-Type = TTLS
(11) eap_ttls: Saving session
630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911 in the disk
cache
(11) eap: Sending EAP Success (code 3) ID 5 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(11) post-auth {
(11) update reply {
(11) Tunnel-type = VLAN
(11) Tunnel-medium-type = IEEE-802
(11) Tunnel-Private-Group-Id = 333
(11) } # update reply = noop
(11) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(11) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(11) update {
(11) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
ServerHello'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3
ChangeCipherSpec'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
EncryptedExtensions'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Certificate'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
CertificateVerify'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Finished'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
Finished'
(11) &reply::TLS-Cache-Filename +=
&session-state:TLS-Cache-Filename[*] ->
'/var/log/radius/tlscache/630d327a8dd0ab555038688964549f6090d80b50941ec0460f
30dc622db74911.asn1'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
NewSessionTicket'
(11) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
NewSessionTicket'
(11) } # update = noop
(11) [exec] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(11) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(11) } # post-auth = noop
(11) Login OK: [anonymous] (from client edouard port 50105 cli
10-65-30-0F-CF-AD)
(11) Sent Access-Accept Id 125 from 10.101.0.20:1812 to 10.100.0.16:1645
length 195
(11) MS-MPPE-Recv-Key =
0x971459cad430f53406113b465e8c9823c41fc43a70860e1a4e13d42ebb1bb5df
(11) MS-MPPE-Send-Key =
0x689cf83adf94820be1e34f1507c3856aa88dd9f210d177af62a82344aea19fc9
(11) EAP-Message = 0x03050004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "anonymous"
(11) Tunnel-Type = VLAN
(11) Tunnel-Medium-Type = IEEE-802
(11) Tunnel-Private-Group-Id = "333"
(11) Framed-MTU += 1014
(11) Finished request
Waking up in 3.9 seconds.
(12) Received Accounting-Request Id 79 from 10.100.0.16:1646 to
10.101.0.20:1813 length 229
(12) Framed-IP-Address = 10.111.0.176
(12) User-Name = "anonymous"
(12) Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"
(12) Cisco-AVPair = "vlan-id=333"
(12) Cisco-AVPair = "method=dot1x"
(12) Called-Station-Id = "1C-1D-86-68-F0-05"
(12) Calling-Station-Id = "10-65-30-0F-CF-AD"
(12) NAS-IP-Address = 10.100.0.16
(12) NAS-Port-Id = "GigabitEthernet0/5"
(12) NAS-Port-Type = Ethernet
(12) NAS-Port = 50105
(12) Acct-Session-Id = "0000007F"
(12) Acct-Status-Type = Start
(12) Event-Timestamp = "Jan 23 2023 15:52:04 CET"
(12) Acct-Delay-Time = 0
(12) # Executing section preacct from file /etc/raddb/sites-enabled/default
(12) preacct {
(12) [preprocess] = ok
(12) policy acct_unique {
(12) update request {
(12) &Tmp-String-9 := "ai:"
(12) } # update request = noop
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(12) EXPAND %{hex:&Class}
(12) -->
(12) EXPAND ^%{hex:&Tmp-String-9}
(12) --> ^61693a
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(12) else {
(12) update request {
(12) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Addres
s}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(12) --> 7fa8680a9de8af271866a0b2a998c629
(12) &Acct-Unique-Session-Id := 7fa8680a9de8af271866a0b2a998c629
(12) } # update request = noop
(12) } # else = noop
(12) update request {
(12) &Tmp-String-9 !* ANY
(12) } # update request = noop
(12) } # policy acct_unique = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) [files] = noop
(12) } # preacct = ok
(12) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(12) accounting {
(12) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d
(12) detail: --> /var/log/radius/radacct/10.100.0.16/detail-20230123
(12) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres
s}}/detail-%Y%m%d expands to
/var/log/radius/radacct/10.100.0.16/detail-20230123
(12) detail: EXPAND %t
(12) detail: --> Mon Jan 23 15:52:04 2023
(12) [detail] = ok
(12) [unix] = ok
(12) [exec] = noop
(12) attr_filter.accounting_response: EXPAND %{User-Name}
(12) attr_filter.accounting_response: --> anonymous
(12) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(12) [attr_filter.accounting_response] = updated
(12) } # accounting = updated
(12) Sent Accounting-Response Id 79 from 10.101.0.20:1813 to
10.100.0.16:1646 length 20
(12) Finished request
(12) Cleaning up request packet ID 79 with timestamp +259 due to done
Waking up in 2.8 seconds.
(7) Cleaning up request packet ID 121 with timestamp +258 due to
cleanup_delay was reached
(8) Cleaning up request packet ID 122 with timestamp +258 due to
cleanup_delay was reached
(9) Cleaning up request packet ID 123 with timestamp +258 due to
cleanup_delay was reached
(10) Cleaning up request packet ID 124 with timestamp +258 due to
cleanup_delay was reached
(11) Cleaning up request packet ID 125 with timestamp +258 due to
cleanup_delay was reached
Thank you all for your help and advice,
Florent VERCOURT
3
2
Hello Support team,
I recently download the FR packages from your CentOS 7 repository, and I noticed that the 3.0.26 server was built with OpenSSL 1.0.2k (see below). Should the server be built with OpenSSL 1.1.1 to support TLS 1.3? Please excuse my ignorance if I've asked a stupid question.
Thanks,
Chris Howley
Mon Jan 23 13:50:17 2023 : Debug: Server was built with:
Mon Jan 23 13:50:17 2023 : Debug: accounting : yes
Mon Jan 23 13:50:17 2023 : Debug: authentication : yes
Mon Jan 23 13:50:17 2023 : Debug: ascend-binary-attributes : yes
Mon Jan 23 13:50:17 2023 : Debug: coa : yes
Mon Jan 23 13:50:17 2023 : Debug: control-socket : yes
Mon Jan 23 13:50:17 2023 : Debug: detail : yes
Mon Jan 23 13:50:17 2023 : Debug: dhcp : yes
Mon Jan 23 13:50:17 2023 : Debug: dynamic-clients : yes
Mon Jan 23 13:50:17 2023 : Debug: osfc2 : no
Mon Jan 23 13:50:17 2023 : Debug: proxy : yes
Mon Jan 23 13:50:17 2023 : Debug: regex-pcre : yes
Mon Jan 23 13:50:17 2023 : Debug: regex-posix : no
Mon Jan 23 13:50:17 2023 : Debug: regex-posix-extended : no
Mon Jan 23 13:50:17 2023 : Debug: session-management : yes
Mon Jan 23 13:50:17 2023 : Debug: stats : yes
Mon Jan 23 13:50:17 2023 : Debug: systemd : yes
Mon Jan 23 13:50:17 2023 : Debug: tcp : yes
Mon Jan 23 13:50:17 2023 : Debug: threads : yes
Mon Jan 23 13:50:17 2023 : Debug: tls : yes
Mon Jan 23 13:50:17 2023 : Debug: unlang : yes
Mon Jan 23 13:50:17 2023 : Debug: vmps : yes
Mon Jan 23 13:50:17 2023 : Debug: developer : no
Mon Jan 23 13:50:17 2023 : Debug: Server core libs:
Mon Jan 23 13:50:17 2023 : Debug: freeradius-server : 3.0.26
Mon Jan 23 13:50:17 2023 : Debug: talloc : 2.1.*
Mon Jan 23 13:50:17 2023 : Debug: ssl : 1.0.2k release
Mon Jan 23 13:50:17 2023 : Debug: pcre : 8.32 2012-11-30
Mon Jan 23 13:50:17 2023 : Debug: Endianness:
Mon Jan 23 13:50:17 2023 : Debug: little
Mon Jan 23 13:50:17 2023 : Debug: Compilation flags:
Mon Jan 23 13:50:17 2023 : Debug: cppflags :
Mon Jan 23 13:50:17 2023 : Debug: cflags : -I. -Isrc -include src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h -include src/freeradius-devel/featur
es.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing -Wno-date-time -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=s
sp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
Mon Jan 23 13:50:17 2023 : Debug: ldflags : -Wl,--build-id
Mon Jan 23 13:50:17 2023 : Debug: libs : -lcrypto -lssl -ltalloc -lpcre -lnsl -lresolv -ldl -lpthread -lreadline
Mon Jan 23 13:50:17 2023 : Debug:
Mon Jan 23 13:50:17 2023 : Info: FreeRADIUS Version 3.0.26
2
1
1
0
Hi,
I'm trying to get Freeradius statistics but I can see that the Queue
statistics are always 0.
I tried to add some delay between the Freeradius server and the back-end to
force the server to queue the packets and I can see in the log files that
the queue is full and can't handle more requests, but still, the statistics
show 0 queues, what could be the problem? Freeardius version 3.2.1-1
Mon Jan 23 01:36:19 2023 : Error: !!! ERROR !!! Failed inserting request
586295 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586296 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586297 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586298 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586299 into the queue
Mon Jan 23 01:36:20 2023 : Error: 1 requests have been waiting in the
processing queue for 7 seconds. Check that all databases are running
properly!
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586321 into the queue
Mon Jan 23 01:36:20 2023 : Error: !!! ERROR !!! Failed inserting request
586322 into the queue
Mon Jan 23 01:36:25 2023 : Error: Received conflicting packet from client
vMX1 port 40710 - ID: 33 due to unfinished request in module
<queue>. Giving up on old request.
[root@localhost dropwatch]# echo "Message-Authenticator =
0x00,FreeRADIUS-Statistics-Type = 19" | radclient -x localhost:18121 status
adminsecret
Sent Status-Server Id 101 from 0.0.0.0:45296 to 127.0.0.1:18121 length 50
Message-Authenticator = 0x00
FreeRADIUS-Statistics-Type = 19
Received Access-Accept Id 101 from 127.0.0.1:18121 to 127.0.0.1:45296 length
356
FreeRADIUS-Total-Access-Requests = 7
FreeRADIUS-Total-Access-Accepts = 0
FreeRADIUS-Total-Access-Rejects = 0
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
FreeRADIUS-Total-Auth-Conflicts = 0
FreeRADIUS-Total-Accounting-Requests = 655923
FreeRADIUS-Total-Accounting-Responses = 583903
FreeRADIUS-Total-Acct-Duplicate-Requests = 0
FreeRADIUS-Total-Acct-Malformed-Requests = 0
FreeRADIUS-Total-Acct-Invalid-Requests = 0
FreeRADIUS-Total-Acct-Dropped-Requests = 27543
FreeRADIUS-Total-Acct-Unknown-Types = 0
FreeRADIUS-Total-Acct-Conflicts = 343
FreeRADIUS-Stats-Start-Time = "Jan 23 2023 01:16:33 EST"
FreeRADIUS-Stats-HUP-Time = "Jan 23 2023 01:16:33 EST"
FreeRADIUS-Queue-Len-Internal = 0
FreeRADIUS-Queue-Len-Proxy = 0
FreeRADIUS-Queue-Len-Auth = 0
* FreeRADIUS-Queue-Len-Acct = 0*
FreeRADIUS-Queue-Len-Detail = 0
FreeRADIUS-Queue-PPS-In = 0
FreeRADIUS-Queue-PPS-Out = 0
--
Best regards,
Ashraf Al-Basti
2
1
I was pondering rewriting my rlm_attr_filter sets as unlang policy.
If there is an elegant way in unlang to remove all attributes from a list except the ones you want, I'm having trouble finding it.
In unlang you seem to need to know the name of an attribute to do anything to it.
If there was a temporary list, one could maybe (not sure if !* ANY works on lists):
update {
&tmp: !* ANY
&tmp: += &reply:
&reply: !* ANY
}
update reply {
# add the ones you want back in from &tmp:, perhaps with alterations
}
... but so far I only have found the Tmp-* attributes, no temporary list.
Maybe this is just one of the cases where we still need rlm_attr_filter?
Or maybe someone with more unlang-foo than me knows a magic incantation?
2
1
Hi list,
I updated freeradius on an Devuan machine from 3.0.17 to 3.2.1.
Formerly I checked the client certificate in the virtual server
check-eap-tls with the following unlang construct to extract the real
User-Name from the certificate:
...
if ((&TLS-Client-Cert-Subject-Alt-Name-Email) &&
(&TLS-Client-Cert-Subject-Alt-Name-Email =~ /@/)) {
update request {
&User-Name :=
&TLS-Client-Cert-Subject-Alt-Name-Email
}
} elsif (&TLS-Client-Cert-Common-Name) {
update request {
&User-Name := &TLS-Client-Cert-Common-Name
}
} else {
reject
}
...
In the client certificate file there is also the root ca certificate,
and in the former version the second certificate was the client
certificate and the code evaluates correct without thoroughly thinking
about. Now, the attributes like TLS-Client-Cert-Serial evaluate to the
first certificate ie the root ca certificate and the above unlang code
return the false User-Name.
I want to improve the code and need some hints.
I want to iterate over eg &TLS-Client-Cert-Serial[*],
search the cert with
&TLS-Client-Cert-X509v3-Basic-Constraints[i] =~ /CA:FALSE/,
and then extract the User-Name from
&TLS-Client-Cert-Subject-Alt-Name-Email[i] or
&TLS-Client-Cert-Common-Name[i]
How can I get the correct index i from eg foreach
&TLS-Client-Cert-Serial to reference to the
&TLS-Client-Cert-Subject-Alt-Name-Email[i], for example.
A quick fix was to use [n] and choose the last certificate in the file,
but this is not clean.
--
stefan hartmann
3
3