Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2023
- 28 participants
- 30 discussions
Hi,
I have a freeradius server running v3.0.16 which is performing WPA2 Enterprise Authentication and VLAN assignment for a multi-tenant WiFi system.
The latest windows 11 update appears to have forced the use of TLS1.3 and clients will no longer authenticate without a registry change back to TLS1.2.
I don't have in-depth knowledge of Freeradius; I can install, configure and work with config files and debugs, so was just asking for a little advice on the best way for me to enable TLS1.3?
Do I need to upgrade? Will there be any configuration changes required? Obviously we still need to support lower TLS versions as well.
Internet searches have given me conflicting information, and I can't find when TLS 1.3 support started.
Thanks
Paul Bone
Network Consultant/Engineer
4
9
17 Jan '23
Hello,
I am trying to configure the above. Here is what I have done so far.
1) Cisco WLC was configured
2) freeradius 3.0 was installed on a Debian machine
a) Cisco WLC IPv4 address was added as a client to freeradius
/etc/freeradius/3.0/clients.conf
b) A few local users were added to users file
/etc/freeradius/3.0/users
3) whenever I try to use the below command on WLC
test aaa group radius joe.doe pa44w0rd new-code
I am successfully authenticated. However this is going as PAP.
4) any request from the wifi client is not going through cause it is
PEAP-MSCHAP
Currently 'freeradius -X' gives me the following
(39) Cisco-AVPair = "vlan-id=101"
(39) NAS-IP-Address = 172.16.100.10
(39) NAS-Port-Id = "capwap_90000004"
(39) NAS-Port-Type = Wireless-802.11
(39) NAS-Port = 5
(39) State = 0x8afb70f28ffc69b5cf854ba7abc363a9
(39) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(39) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(39) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(39) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(39) Airespace-Wlan-Id = 4
(39) NAS-Identifier = "WLC9120-NEFO"
(39) WLAN-Group-Cipher = 1027076
(39) WLAN-Pairwise-Cipher = 1027076
(39) WLAN-AKM-Suite = 1027075
(39) WLAN-Group-Mgmt-Cipher = 1027078
(39) session-state: No cached attributes
(39) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /(a)\./) {
(39) if (&User-Name =~ /(a)\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [preprocess] = ok
(39) [chap] = noop
(39) [mschap] = noop
(39) [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 7 length 51
(39) eap: Continuing tunnel setup
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) authenticate {
(39) eap: Expiring EAP session with state 0x8afb70f28ffc69b5
(39) eap: Finished EAP session with state 0x8afb70f28ffc69b5
(39) eap: Previous EAP request found for state 0x8afb70f28ffc69b5, released
from the list
(39) eap: Peer sent packet with method EAP PEAP (25)
(39) eap: Calling submodule eap_peap to process data
(39) eap_peap: Continuing EAP-TLS
(39) eap_peap: [eaptls verify] = ok
(39) eap_peap: Done initial handshake
(39) eap_peap: [eaptls process] = ok
(39) eap_peap: Session established. Decoding tunneled attributes
(39) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(39) eap_peap: Identity - joe.doe
(39) eap_peap: Got inner identity 'joe.doe'
(39) eap_peap: Setting default EAP type for tunneled EAP session
(39) eap_peap: Got tunneled request
(39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) eap_peap: Setting User-Name to joe.doe
(39) eap_peap: Sending tunneled request to inner-tunnel
(39) eap_peap: EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(39) eap_peap: User-Name = "joe.doe"
(39) Virtual server inner-tunnel received request
(39) EAP-Message = 0x02070014016d616369656a2e77616c69737a6b6f
(39) FreeRADIUS-Proxied-To = 127.0.0.1
(39) User-Name = "joe.doe"
(39) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(39) server inner-tunnel {
(39) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /(a)\./) {
(39) if (&User-Name =~ /(a)\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [chap] = noop
(39) [mschap] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) update control {
(39) &Proxy-To-Realm := LOCAL
(39) } # update control = noop
(39) eap: Peer sent EAP Response (code 2) ID 7 length 20
(39) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(39) authenticate {
(39) eap: Peer sent packet with method EAP Identity (1)
(39) eap: Calling submodule eap_mschapv2 to process data
(39) eap_mschapv2: Issuing Challenge
(39) eap: Sending EAP Request (code 1) ID 8 length 43
(39) eap: EAP session adding &reply:State = 0xa779f0bba771eab5
(39) [eap] = handled
(39) } # authenticate = handled
(39) } # server inner-tunnel
(39) Virtual server sending reply
(39) EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled reply code 11
(39) eap_peap: EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled reply RADIUS code 11
(39) eap_peap: EAP-Message =
0x0108002b1a01080026102e31c720efcc97f1b1344319c2717f10667265657261646975732d332e302e3137
(39) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(39) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(39) eap_peap: Got tunneled Access-Challenge
(39) eap: Sending EAP Request (code 1) ID 8 length 74
(39) eap: EAP session adding &reply:State = 0x8afb70f28cf369b5
(39) [eap] = handled
(39) } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) Challenge { ... } # empty sub-section is ignored
(39) Sent Access-Challenge Id 249 from 10.222.34.11:1812 to
172.16.100.10:65092 length 0
(39) EAP-Message =
0x0108004a1900170303003fcc5b8334628ab37aa89b123da75ca7c75fd530ecc021320acc07bdc59b19d161f36ee6151578b5fa7487e0d86eb2dee898bde53e74baca61f9c67ccd045dc0
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0x8afb70f28cf369b5cf854ba7abc363a9
(39) Finished request
Waking up in 4.9 seconds.
(38) Cleaning up request packet ID 248 with timestamp +985
(40) Received Access-Request Id 248 from 172.16.100.10:65092 to
10.222.34.11:1812 length 538
(40) User-Name = "joe.doe"
(40) Service-Type = Framed-User
(40) Cisco-AVPair = "service-type=Framed"
(40) Framed-MTU = 1485
(40) EAP-Message =
0x020800691900170303005e89bf7fdf3bb86e3e467aef6b8988848fce28ba903c8c18014db6390e35aea1dfefd7abf64b8bc29c5f574a83dc3a850169b6de84430922b3617bbd5bef2f8ab879603c7c43c1940ed4e61b724f2bfde0d24c7f7c8fc3eb9c05f74ce8cccd
(40) Message-Authenticator = 0x928deedf5800d89e75d47b6c4ff5f004
(40) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43"
(40) Cisco-AVPair = "method=dot1x"
(40) Cisco-AVPair = "client-iif-id=2852134698"
(40) Cisco-AVPair = "vlan-id=101"
(40) NAS-IP-Address = 172.16.100.10
(40) NAS-Port-Id = "capwap_90000004"
(40) NAS-Port-Type = Wireless-802.11
(40) NAS-Port = 5
(40) State = 0x8afb70f28cf369b5cf854ba7abc363a9
(40) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(40) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(40) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(40) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(40) Airespace-Wlan-Id = 4
(40) NAS-Identifier = "WLC9120-NEFO"
(40) WLAN-Group-Cipher = 1027076
(40) WLAN-Pairwise-Cipher = 1027076
(40) WLAN-AKM-Suite = 1027075
(40) WLAN-Group-Mgmt-Cipher = 1027078
(40) session-state: No cached attributes
(40) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /(a)\./) {
(40) if (&User-Name =~ /(a)\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [preprocess] = ok
(40) [chap] = noop
(40) [mschap] = noop
(40) [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 105
(40) eap: Continuing tunnel setup
(40) [eap] = ok
(40) } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) authenticate {
(40) eap: Expiring EAP session with state 0xa779f0bba771eab5
(40) eap: Finished EAP session with state 0x8afb70f28cf369b5
(40) eap: Previous EAP request found for state 0x8afb70f28cf369b5, released
from the list
(40) eap: Peer sent packet with method EAP PEAP (25)
(40) eap: Calling submodule eap_peap to process data
(40) eap_peap: Continuing EAP-TLS
(40) eap_peap: [eaptls verify] = ok
(40) eap_peap: Done initial handshake
(40) eap_peap: [eaptls process] = ok
(40) eap_peap: Session established. Decoding tunneled attributes
(40) eap_peap: PEAP state phase2
(40) eap_peap: EAP method MSCHAPv2 (26)
(40) eap_peap: Got tunneled request
(40) eap_peap: EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) eap_peap: Setting User-Name to joe.doe
(40) eap_peap: Sending tunneled request to inner-tunnel
(40) eap_peap: EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(40) eap_peap: User-Name = "joe.doe"
(40) eap_peap: State = 0xa779f0bba771eab5fa1472a70f642a70
(40) Virtual server inner-tunnel received request
(40) EAP-Message =
0x0208004a1a0208004531ac16e2ad0f43ee8ec9bdd2aad3c5deda0000000000000000e4fff9f3543da30667451659b4a7598166306e0f8b66215c006d616369656a2e77616c69737a6b6f
(40) FreeRADIUS-Proxied-To = 127.0.0.1
(40) User-Name = "joe.doe"
(40) State = 0xa779f0bba771eab5fa1472a70f642a70
(40) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(40) server inner-tunnel {
(40) session-state: No cached attributes
(40) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /(a)\./) {
(40) if (&User-Name =~ /(a)\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [chap] = noop
(40) [mschap] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) update control {
(40) &Proxy-To-Realm := LOCAL
(40) } # update control = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 74
(40) eap: No EAP Start, assuming it's an on-going EAP conversation
(40) [eap] = updated
(40) files: users: Matched entry joe.doe at line 91
(40) [files] = ok
rlm_ldap (ldap): Reserved connection (17)
(40) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(40) ldap: --> (uid=joe.doe)
(40) ldap: Performing search in "dc=netformers,dc=local" with filter
"(uid=joe.doe)", scope "sub"
(40) ldap: Waiting for search result...
(40) ldap: User object found at DN "uid=joe.doe,dc=netformers,dc=local"
(40) ldap: Processing user attributes
rlm_ldap (ldap): Released connection (17)
(40) [ldap] = ok
(40) [expiration] = noop
(40) [logintime] = noop
(40) pap: WARNING: Auth-Type already set. Not setting to PAP
(40) [pap] = noop
(40) } # authorize = updated
(40) Found Auth-Type = eap
(40) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) authenticate {
(40) eap: Expiring EAP session with state 0xa779f0bba771eab5
(40) eap: Finished EAP session with state 0xa779f0bba771eab5
(40) eap: Previous EAP request found for state 0xa779f0bba771eab5, released
from the list
(40) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(40) eap: Calling submodule eap_mschapv2 to process data
(40) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) eap_mschapv2: authenticate {
(40) mschap: Found Cleartext-Password, hashing to create NT-Password
(40) mschap: Found Cleartext-Password, hashing to create LM-Password
(40) mschap: Creating challenge hash with username: joe.doe
(40) mschap: Client is using MS-CHAPv2
(40) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(40) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(40) mschap: --> --username=joe.doe
(40) mschap: Creating challenge hash with username: joe.doe
(40) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(40) mschap: --> --challenge=ab5d475d8e18b55f
(40) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(40) mschap: -->
--nt-response=e4fff9f3543da30667451659b4a7598166306e0f8b66215c
(40) mschap: ERROR: Program returned code (1) and output 'The attempted
logon is invalid. This is either due to a bad username or authentication
information. (0xc000006d)'
(40) mschap: External script failed
(40) mschap: ERROR: External script says: The attempted logon is invalid.
This is either due to a bad username or authentication information.
(0xc000006d)
(40) mschap: ERROR: MS-CHAP2-Response is incorrect
(40) [mschap] = reject
(40) } # authenticate = reject
(40) eap: Sending EAP Failure (code 4) ID 8 length 4
(40) eap: Freeing handler
(40) [eap] = reject
(40) } # authenticate = reject
(40) Failed to authenticate the user
(40) Using Post-Auth-Type Reject
(40) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(40) Post-Auth-Type REJECT {
(40) attr_filter.access_reject: EXPAND %{User-Name}
(40) attr_filter.access_reject: --> joe.doe
(40) attr_filter.access_reject: Matched entry DEFAULT at line 11
(40) [attr_filter.access_reject] = updated
(40) update outer.session-state {
(40) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: Program returned code (1) and output \'The attempted logon is
invalid. This is either due to a bad username or authentication
information. (0xc000006d)\''
(40) } # update outer.session-state = noop
(40) } # Post-Auth-Type REJECT = updated
(40) } # server inner-tunnel
(40) Virtual server sending reply
(40) MS-CHAP-Error = "\010E=691 R=1 C=1985ba6f4d3735081b98c08700af1b01
V=3 M=Authentication rejected"
(40) EAP-Message = 0x04080004
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Got tunneled reply code 3
(40) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected"
(40) eap_peap: EAP-Message = 0x04080004
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Got tunneled reply RADIUS code 3
(40) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=1985ba6f4d3735081b98c08700af1b01 V=3 M=Authentication rejected"
(40) eap_peap: EAP-Message = 0x04080004
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: Tunneled authentication was rejected
(40) eap_peap: FAILURE
(40) eap: Sending EAP Request (code 1) ID 9 length 46
(40) eap: EAP session adding &reply:State = 0x8afb70f28df269b5
(40) [eap] = handled
(40) } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) Challenge { ... } # empty sub-section is ignored
(40) session-state: Saving cached attributes
(40) Module-Failure-Message := "mschap: Program returned code (1) and
output 'The attempted logon is invalid. This is either due to a bad
username or authentication information. (0xc000006d)'"
(40) Sent Access-Challenge Id 248 from 10.222.34.11:1812 to
172.16.100.10:65092 length 0
(40) EAP-Message =
0x0109002e19001703030023cc5b8334628ab37bb472f1e4b99ece77d59027ce510b3ac1d5025c03cc60b794d73259
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) State = 0x8afb70f28df269b5cf854ba7abc363a9
(40) Finished request
Waking up in 4.9 seconds.
(39) Cleaning up request packet ID 249 with timestamp +985
(41) Received Access-Request Id 249 from 172.16.100.10:65092 to
10.222.34.11:1812 length 479
(41) User-Name = "joe.doe"
(41) Service-Type = Framed-User
(41) Cisco-AVPair = "service-type=Framed"
(41) Framed-MTU = 1485
(41) EAP-Message =
0x0209002e1900170303002389bf7fdf3bb86e3fb7a4f82750437b28a44f01b7420ad299cf3bc0490d9e73ab33590b
(41) Message-Authenticator = 0xa8d0b6155902a4394dfc46e21888f099
(41) Cisco-AVPair = "audit-session-id=0A6410AC00001FAE74DE0A43"
(41) Cisco-AVPair = "method=dot1x"
(41) Cisco-AVPair = "client-iif-id=2852134698"
(41) Cisco-AVPair = "vlan-id=101"
(41) NAS-IP-Address = 172.16.100.10
(41) NAS-Port-Id = "capwap_90000004"
(41) NAS-Port-Type = Wireless-802.11
(41) NAS-Port = 5
(41) State = 0x8afb70f28df269b5cf854ba7abc363a9
(41) Cisco-AVPair = "cisco-wlan-ssid=NEFO1x"
(41) Cisco-AVPair = "wlan-profile-name=NEFO-802.1x"
(41) Called-Station-Id = "24-36-da-17-30-00:NEFO1x"
(41) Calling-Station-Id = "7a-be-3e-4d-a8-62"
(41) Airespace-Wlan-Id = 4
(41) NAS-Identifier = "WLC9120-NEFO"
(41) WLAN-Group-Cipher = 1027076
(41) WLAN-Pairwise-Cipher = 1027076
(41) WLAN-AKM-Suite = 1027075
(41) WLAN-Group-Mgmt-Cipher = 1027078
(41) Restoring &session-state
(41) &session-state:Module-Failure-Message := "mschap: Program returned
code (1) and output 'The attempted logon is invalid. This is either due to
a bad username or authentication information. (0xc000006d)'"
(41) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(41) authorize {
(41) policy filter_username {
(41) if (&User-Name) {
(41) if (&User-Name) -> TRUE
(41) if (&User-Name) {
(41) if (&User-Name =~ / /) {
(41) if (&User-Name =~ / /) -> FALSE
(41) if (&User-Name =~ /@[^@]*@/ ) {
(41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(41) if (&User-Name =~ /\.\./ ) {
(41) if (&User-Name =~ /\.\./ ) -> FALSE
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(41) if (&User-Name =~ /\.$/) {
(41) if (&User-Name =~ /\.$/) -> FALSE
(41) if (&User-Name =~ /(a)\./) {
(41) if (&User-Name =~ /(a)\./) -> FALSE
(41) } # if (&User-Name) = notfound
(41) } # policy filter_username = notfound
(41) [preprocess] = ok
(41) [chap] = noop
(41) [mschap] = noop
(41) [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "joe.doe", looking up realm NULL
(41) suffix: No such realm "NULL"
(41) [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 9 length 46
(41) eap: Continuing tunnel setup
(41) [eap] = ok
(41) } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) authenticate {
(41) eap: Expiring EAP session with state 0x8afb70f28df269b5
(41) eap: Finished EAP session with state 0x8afb70f28df269b5
(41) eap: Previous EAP request found for state 0x8afb70f28df269b5, released
from the list
(41) eap: Peer sent packet with method EAP PEAP (25)
(41) eap: Calling submodule eap_peap to process data
(41) eap_peap: Continuing EAP-TLS
(41) eap_peap: [eaptls verify] = ok
(41) eap_peap: Done initial handshake
(41) eap_peap: [eaptls process] = ok
(41) eap_peap: Session established. Decoding tunneled attributes
(41) eap_peap: PEAP state send tlv failure
(41) eap_peap: Received EAP-TLV response
(41) eap_peap: ERROR: The users session was previously rejected:
returning reject (again.)
(41) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(41) eap_peap: to find out the reason why the user was rejected
(41) eap_peap: Look for "reject" or "fail". Those earlier messages will
tell you
(41) eap_peap: what went wrong, and how to fix the problem
(41) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(41) eap: Sending EAP Failure (code 4) ID 9 length 4
(41) eap: Failed in EAP select
(41) [eap] = invalid
(41) } # authenticate = invalid
(41) Failed to authenticate the user
(41) Using Post-Auth-Type Reject
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) Post-Auth-Type REJECT {
(41) attr_filter.access_reject: EXPAND %{User-Name}
(41) attr_filter.access_reject: --> joe.doe
(41) attr_filter.access_reject: Matched entry DEFAULT at line 11
(41) [attr_filter.access_reject] = updated
(41) [eap] = noop
(41) policy remove_reply_message_if_eap {
(41) if (&reply:EAP-Message && &reply:Reply-Message) {
(41) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(41) else {
(41) [noop] = noop
(41) } # else = noop
(41) } # policy remove_reply_message_if_eap = noop
(41) } # Post-Auth-Type REJECT = updated
(41) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(41) Sending delayed response
(41) Sent Access-Reject Id 249 from 10.222.34.11:1812 to 172.16.100.10:65092
length 44
(41) EAP-Message = 0x04090004
(41) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Can anyone shed some light on this and point me in the right direction what
else should I do?
All the examples I am able to find on the internet are using AD/samba as
database for freeradius which is not the case here.
2
2
AD-integration working well - questions about risk/exposure and related mechanisms
by Dag B 16 Jan '23
by Dag B 16 Jan '23
16 Jan '23
So, after some fiddling, I can now authenticate users of our network
gear (network admins) with AD, via freeradius. Thank you to any and all
who have made that possible. It is truly appreciated.
Arriving here, I just wanted to ask if there is any document discussing
any additional risk or exposure for the AD-accounts by doing this.
Note: I am not trying to imply there is one, nor am I trying to sell
five feathers as whole chicken in a bag or however that analogy goes. I
am merely acknowledging my relative ignorance w.r.t. how AD and RADIUS
works and what security mechanisms it has in place for preventing abuse.
From the top of my head:
- Can someone use freeradius for unlimited tries at guessing an AD password?
- If the radius secret becomes known to a bad actor, could they set up a
'farm' of radius clients in the defined client address spaces to bypass
rate limits?
- And likewise, could they instrument their radius client to reveal more
information than we intend to?
- Is there a better way to define clients than defining static hosts or
networks in clients.conf? (We have an IPAM with an API. Could we employ
this to only permit radius requests from known (expected) radius clients?)
And I am certain there are more questions I should be asking. Conscious
Incompetence and all that jazz....
Thanks,
Dag B
2
1
Greetings FR-users,
I am attempting to fold the functionality of a 2.0 FR system into an
existing 3.0 system.
I've configured the 2.0 system to proxy to the 3.0 system and this works -
call this scenario A:
UPS (client)
|
v
FR 2.0
|
v
FR 3.0
works!!
However if I attempt to auth directly from the UPS to the 3.0 system, it
does not work - call this scenario B:
UPS (client)
|
v
FR 3.0
no works. :(
Here are the debug logs for scenario A (working):
2.0 system:
rad_recv: Access-Request packet from host 100.73.8.85 port 44482, id=41,
length=113
User-Name = "foo"
User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
NAS-IP-Address = 100.73.8.85
NAS-Identifier = "apcE89163.d.umn.edu"
NAS-Port = 0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "foo", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "foo"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user foo to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 230 to 10.212.109.12 port 1812
User-Name = "foo"
User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
NAS-IP-Address = 100.73.8.85
NAS-Identifier = "apcE89163.d.umn.edu"
NAS-Port = 0
Proxy-State = 0x3431
Proxying request 0 to home server 10.212.109.12 port 1812
Sending Access-Request of id 230 to 10.212.109.12 port 1812
User-Name = "foo"
User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
NAS-IP-Address = 100.73.8.85
NAS-Identifier = "apcE89163.d.umn.edu"
NAS-Port = 0
Proxy-State = 0x3431
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.212.109.12 port 1812, id=230,
length=30
Proxy-State = 0x3431
Service-Type = Administrative-User
# Executing section post-proxy from file
/etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [foo] (from client apc-UPS-network-1 port 0)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 41 to 100.73.8.85 port 44482
Service-Type = Administrative-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 41 with timestamp +10
3.0 system:
(0) Received Access-Request Id 230 from 10.212.109.94:1814 to
10.212.109.12:1812 length 117
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) Proxy-State = 0x3431
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "foo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) if ("%{client:group}" == 'two-factor-authentication-group') {
(0) EXPAND %{client:group}
(0) --> default-authentication-group
(0) if ("%{client:group}" == 'two-factor-authentication-group') ->
FALSE
(0) else {
(0) update control {
(0) Proxy-To-Realm := 'default-authentication-realm'
(0) } # update control = noop
(0) } # else = noop
(0) } # authorize = ok
(0) Starting proxy to home server 10.84.192.196 port 1812
(0) server default {
(0) }
(0) Proxying request to home server 10.84.192.196 port 1812 timeout
60.000000
(0) Sent Access-Request Id 13 from 0.0.0.0:42276 to 10.84.192.196:1812
length 146
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) Proxy-State = 0x3431
(0) Event-Timestamp = "Jan 12 2023 16:33:29 CST"
(0) Message-Authenticator := 0x00
(0) Proxy-State = 0x323330
Waking up in 0.3 seconds.
(0) Marking home server 10.84.192.196 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 13 from 10.84.192.196:1812 to
10.212.109.12:42276 length 29
(0) Proxy-State = 0x3431
(0) Proxy-State = 0x323330
(0) server default {
(0) # Executing section post-proxy from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) update reply {
(0) Service-Type = Administrative-User
(0) } # update reply = noop
(0) } # post-auth = noop
(0) Login OK: [foo] (from client radius-netgear.d.umn.edu_10.212.109.94
port 0)
(0) Sent Access-Accept Id 230 from 10.212.109.12:1812 to 10.212.109.94:1814
length 0
(0) Proxy-State = 0x3431
(0) Service-Type = Administrative-User
(0) Finished request
and the scenario B (not working) debug:
(0) Received Access-Request Id 45 from 100.73.8.85:55435 to
10.212.109.12:1812 length 113
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "foo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) if ("%{client:group}" == 'two-factor-authentication-group') {
(0) EXPAND %{client:group}
(0) -->
(0) if ("%{client:group}" == 'two-factor-authentication-group') ->
FALSE
(0) else {
(0) update control {
(0) Proxy-To-Realm := 'default-authentication-realm'
(0) } # update control = noop
(0) } # else = noop
(0) } # authorize = ok
(0) Starting proxy to home server 10.84.192.196 port 1812
(0) server default {
(0) }
(0) Proxying request to home server 10.84.192.196 port 1812 timeout
60.000000
(0) Sent Access-Request Id 206 from 0.0.0.0:57643 to 10.84.192.196:1812
length 141
(0) User-Name = "foo"
(0) User-Password = "__REDACTED_BUT_VERIFIED_CORRECT_CLEARTEXT__"
(0) NAS-IP-Address = 100.73.8.85
(0) NAS-Identifier = "apcE89163.d.umn.edu"
(0) NAS-Port = 0
(0) Event-Timestamp = "Jan 12 2023 16:36:29 CST"
(0) Message-Authenticator := 0x00
(0) Proxy-State = 0x3435
Waking up in 0.3 seconds.
(0) Marking home server 10.84.192.196 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 206 from 10.84.192.196:1812 to
10.212.109.12:57643 length 24
(0) Proxy-State = 0x3435
(0) server default {
(0) # Executing section post-proxy from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) }
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) update reply {
(0) Service-Type = Administrative-User
(0) } # update reply = noop
(0) } # post-auth = noop
(0) Login OK: [foo] (from client 100.73.8.0/23_100.73.8.0/23 port 0)
(0) Sent Access-Accept Id 45 from 10.212.109.12:1812 to 100.73.8.85:55435
length 0
(0) Service-Type = Administrative-User
(0) Finished request
Both scenarios send Access-Accept and the Service-Type back to the client.
I'm not sure if there is more to look at between the 2.0 and 3.0 systems.
It is difficult to do any debugging on the UPS, so I was hoping to figure
out the issue on the FR systems.
I've performed a diff of the scenario A and B 3.0 debug outputs and I don't
see anything significant in the difference.
I have removed the Service-Type from the configurations and I still get a
success authentication, I am just entered into a non-administrative role on
the UPS.
Does anyone have any ideas for further debugging?
Thanks for any pointers or help!
-m
3
5
I have setup my Unifi network to connect to a Raspberry Pi 2 hosting
FreeRadius 3.2.0 with MAC authentication. That all seems to work now,
however I've run into an issue where it seems the FreeRadius service
needs to be restarted fairly frequently, at least multiple times a
day. From what I can tell, the Pi is fine and there's plenty of
storage and resources. Restarting the service allows anything that was
having issues to connect, such as if it's been disconnected for a bit
(e.g., my phone when I go out and come back) but even devices that
don't leave the house and stay on sometimes lose connection until a
service restart. I know I could probably setup a cron job that
restarts the service every 30 minutes or so, but I wanted to check if
people had ideas on how to fix it. Here's my freeradius -X output with
one example of a device connecting successfully.
FreeRADIUS Version 3.2.0
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/filter
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi {
ipaddr = 24.34.239.95
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dmwan"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi {
ipaddr = 192.168.1.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dmlan"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi_1_ap {
ipaddr = 192.168.1.46
require_message_authenticator = no
secret = <<< secret >>>
shortname = "1ap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client unifi_2_ap {
ipaddr = 192.168.1.230
require_message_authenticator = no
secret = <<< secret >>>
shortname = "2ap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "ntlm_auth" from file
/etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
instantiate {
}
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "files" from file
/etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "mschap" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56081
Listening on proxy address :: port 34301
Ready to process requests
(0) Received Access-Request Id 71 from 192.168.1.1:47441 to
192.168.1.25:1812 length 187
(0) User-Name = "58:24:29:57:e1:f1"
(0) User-Password = "58:24:29:57:e1:f1"
(0) NAS-IP-Address = 192.168.1.1
(0) NAS-Identifier = "68d79a41138e"
(0) Called-Station-Id = "68-D7-9A-41-13-8E:Chomper"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "58-24-29-57-E1-F1"
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) Message-Authenticator = 0x4fedc4ffc0daa97f3ae1029e31881b94
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) update request {
(0) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0) --> 58-24-29-57-e1-f1
(0) &Calling-Station-Id := 58-24-29-57-e1-f1
(0) } # update request = noop
(0) [updated] = updated
(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy rewrite_calling_station_id = updated
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "58:24:29:57:e1:f1", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry 58:24:29:57:e1:f1 at line 68
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(0) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(0) } # post-auth = noop
(0) Sent Access-Accept Id 71 from 192.168.1.25:1812 to
192.168.1.1:47441 length 35
(0) Tunnel-Type = VLAN
(0) Tunnel-Medium-Type = IEEE-802
(0) Tunnel-Private-Group-Id = "1"
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Accounting-Request Id 72 from 192.168.1.1:58228 to
192.168.1.25:1813 length 206
(1) Acct-Status-Type = Start
(1) Acct-Authentic = Local
(1) User-Name = "58:24:29:57:e1:f1"
(1) NAS-IP-Address = 192.168.1.1
(1) Framed-IP-Address = 192.168.1.209
(1) NAS-Identifier = "68d79a41138e"
(1) Called-Station-Id = "68-D7-9A-41-13-8E:Chomper"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "58-24-29-57-E1-F1"
(1) Connect-Info = "CONNECT 0Mbps 802.11a"
(1) Acct-Session-Id = "5DFBEAF391253B0C"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027074
(1) Event-Timestamp = "Jan 12 2023 14:36:24 EST"
(1) Acct-Delay-Time = 0
(1) # Executing section preacct from file
/etc/freeradius/3.0/sites-enabled/default
(1) preacct {
(1) [preprocess] = ok
(1) policy acct_unique {
(1) update request {
(1) &Tmp-String-9 := "ai:"
(1) } # update request = noop
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(1) EXPAND %{hex:&Class}
(1) -->
(1) EXPAND ^%{hex:&Tmp-String-9}
(1) --> ^61693a
(1) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(1) else {
(1) update request {
(1) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(1) --> 8ad2d8c86863f64eeaaea4c131b46e1f
(1) &Acct-Unique-Session-Id := 8ad2d8c86863f64eeaaea4c131b46e1f
(1) } # update request = noop
(1) } # else = noop
(1) update request {
(1) &Tmp-String-9 !* ANY
(1) } # update request = noop
(1) } # policy acct_unique = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "58:24:29:57:e1:f1", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) [files] = noop
(1) } # preacct = ok
(1) # Executing section accounting from file
/etc/freeradius/3.0/sites-enabled/default
(1) accounting {
(1) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(1) detail: --> /var/log/freeradius/radacct/192.168.1.1/detail-20230112
(1) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.1.1/detail-20230112
(1) detail: EXPAND %t
(1) detail: --> Thu Jan 12 14:36:24 2023
(1) [detail] = ok
(1) [unix] = ok
(1) [exec] = noop
(1) attr_filter.accounting_response: EXPAND %{User-Name}
(1) attr_filter.accounting_response: --> 58:24:29:57:e1:f1
(1) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(1) [attr_filter.accounting_response] = updated
(1) } # accounting = updated
(1) Sent Accounting-Response Id 72 from 192.168.1.25:1813 to
192.168.1.1:58228 length 20
(1) Finished request
(1) Cleaning up request packet ID 72 with timestamp +8 due to done
2
2
Freeradius keep statistics (number of request/reply/acct and etc) for each
NAS. But is it possible to separate stats for some subscribers from same
NAS by assign them another client-ip-address ?
I tried to update Client-IP-Address attribute, but this does not help.
1
0
Hi Marco,
Thank you for your response. From your response I understand, even if my AD Domain is running on MS (Microsoft), I can join the RHEL to AD domain using 'winbind daemon', which I did.
After joining the RHEL 8 Server to domain, 'winbind' is still not working, it's giving the below error.
[root(a)localhost.domain.com]# wbinfo -a FreeRADIUSdev2
Enter FreeRADIUSdev2's password:
plaintext password authentication failed
Could not authenticate user FreeRADIUSdev2 with plaintext password
Enter FreeRADIUSdev2's password:
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind separator!
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind netbios name!
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Failed to get domain from winbindd
Could not authenticate user FreeRADIUSdev2 with challenge/response
Regards
Raman Singh
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: FreeRadius Integration with Microsoft Active Directory
(Marco Gaiarin)
----------------------------------------------------------------------
Message: 1
Date: Sun, 8 Jan 2023 18:09:08 +0100
From: Marco Gaiarin <gaio(a)lilliput.linux.it>
To: "Singh, Ramanpreet via Freeradius-Users"
<freeradius-users(a)lists.freeradius.org>
Cc: freeradius-users(a)lists.freeradius.org
Subject: Re: FreeRadius Integration with Microsoft Active Directory
Message-ID: <iu9r8j-qi55.ln1(a)hermione.lilliput.linux.it>
Mandi! Singh, Ramanpreet via Freeradius-Users
In chel di` si favelave...
> I read above links where it has been mentioned to used samba for AD integration, however this requires SAMBA AD-DC, which we don't have in our enviornment.
No, you need an AD domain (samba or MS, it is the same) and a linux box with a winbind daemon running: both the domain member and domain controller configuration work, but it suffices you install winbind, configure samba
(smb.conf) as domain member and join the domain.
--
There are only 10 kinds of people in the world --
Those who understand binary, and those who don't. (Roberto Maglica)
------------------------------
Subject: Digest Footer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 213, Issue 5
************************************************
------------------------------------------------------------------------------
External Email: Please use caution when opening links and attachments / Courriel externe: Soyez prudent avec les liens et documents joints
2
1
08 Jan '23
Hi Team,
What's the ideal way for integration of FreeRadius with Microsoft Active Directory - Is it using Samba/Winbind or SSSD??
http://deployingradius.com/documents/configuration/active_directory.html
https://networkradius.com/articles/2021/02/04/active-directory-with-FreeRAD…
https://wiki.freeradius.org/guide/freeradius-active-directory-integration-h…
I read above links where it has been mentioned to used samba for AD integration, however this requires SAMBA AD-DC, which we don't have in our enviornment.
We only got Micrsoft AD Server. Can the integration be done between FreeRADIUS and Microsoft AD?
Please advise
[cid:image001.png@01D921DE.93CCF740]
Regards
Raman Singh
RAN Solutions
5099 Creekbank Road, Mississauga, Ontario L4W 5N2
Raman.Singh(a)bell.ca<mailto:Raman.Singh@bell.ca>
-----Original Message-----
From: Alan DeKok <aland(a)deployingradius.com<mailto:aland@deployingradius.com>>
Sent: Thursday, December 29, 2022 8:16 AM
To: Singh, Ramanpreet <raman.singh(a)bell.ca<mailto:raman.singh@bell.ca>>
Cc: freeradius-users-owner(a)lists.freeradius.org<mailto:freeradius-users-owner@lists.freeradius.org>
Subject: [EXT]Re: Please add me to the mailing list
You can subscribe yourself. See the web site.
> On Dec 28, 2022, at 5:17 PM, Singh, Ramanpreet <raman.singh(a)bell.ca<mailto:raman.singh@bell.ca>> wrote:
>
>
> Please add me to the mailing list
>
> Regards
> Raman Singh
> RAN Solutions
> 5099 Creekbank Road, Mississauga, Ontario L4W 5N2 Raman.Singh(a)bell.ca<mailto:Raman.Singh@bell.ca>
>
> <image001.png>
------------------------------------------------------------------------------
External Email: Please use caution when opening links and attachments / Courriel externe: Soyez prudent avec les liens et documents joints
3
2
Good day
Freeraius service auto stops and cannot be started. the following is the log record, please help to check.
#systemctl status freeradius.service
freeradius.service - FreeRADIUS multi-protocol policy server Loaded: loaded (/lib/systemd/system/freeradius.service; disabled; vendor preset: enabled)
Active: activating (start-pre) since Fri 2023-01-06 08:11:17 CST; 100ms ago
Docs: man:radiusd(8)
man:radiusd.conf(5)
http://wiki.freeradius.org/
http://networkradius.com/doc/
Main PID: 2519 (code=killed, signal=SEGV); Control PID: 1631 (freeradius)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/freeradius.service
└─1631 /usr/sbin/freeradius -Cxm -lstdout
# systemctl start freeradius.service
Job for freeradius.service failed because the control process exited with error code.
See "systemctl status freeradius.service" and "journalctl -xe" for details.
# journalctl -xe-- Subject: Unit freeradius.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit freeradius.service has failed.
--
-- The result is RESULT.
freeradius.service: Service hold-off time over, scheduling restart.
freeradius.service: Scheduled restart job, restart counter is at 1441.
-- Subject: Automatic restarting of a unit has been scheduled-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Automatic restarting of the unit freeradius.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Stopped FreeRADIUS multi-protocol policy server.-- Subject: Unit freeradius.service has finished shutting down
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit freeradius.service has finished shutting down.
Starting FreeRADIUS multi-protocol policy server...-- Subject: Unit freeradius.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit freeradius.service has begun starting up.
: FreeRADIUS Version 3.0.16: Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
: PARTICULAR PURPOSE
: You may redistribute copies of FreeRADIUS under the terms of the
: GNU General Public License
: For more information about these matters, see the file named COPYRIGHT
: Starting - reading configuration files ...
: Debugger not attached
: Creating attribute Unix-Group
: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
: rlm_mschap (mschap): using internal authentication
: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
: /etc/freeradius/3.0/sites-enabled/inner-tunnel[250]: Failed to find "eap" as a module or policy.
: /etc/freeradius/3.0/sites-enabled/inner-tunnel[250]: Please verify that the configuration exists in /etc/freeradius/3.0/mods-enabled/eap.
: /etc/freeradius/3.0/sites-enabled/inner-tunnel[200]: Errors parsing authenticate section.
: freeradius.service: Control process exited, code=exited status=1
: freeradius.service: Failed with result 'exit-code'.
: Failed to start FreeRADIUS multi-protocol policy server.
2
1
Renaming of radusergroup table is not bound to the sql mod file definition
by Conrad Classen 04 Jan '23
by Conrad Classen 04 Jan '23
04 Jan '23
Good day
I need to rename the radusergroup and radreply tables in order to ensure
that different radius servers using a common database do not hand out he
incorrect Framed-Ip-Address attribute as well as the group used for each
specific radius server.
I have many thousands of SIM's being authenticated and need to ensure
that there is a separation on the common database server.
The radreply table rename works correctly in that the name defined for
the table in the sql mod is what will be used.
However, the table name I have defined in the sql mod file for the
radusergroup table is not being used by queries, and it still continues
to look for the original table name. I suspect that the table names are
hard coded and the FreeRadius server is using that.
I am using FreeRadius 3.2.1
radiusd -v
radiusd: FreeRADIUS Version 3.2.1, for host x86_64-redhat-linux-gnu,
built on Oct 3 2022 at 22:07:38
FreeRADIUS Version 3.2.1
Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
The following from the radiusd -X debug output shows that the table name
I have set is not being used.
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: 42P01: UNDEFINED TABLE
(5) sql: rlm_sql_postgresql: ERROR: relation "radusergroup" does not exist
(5) sql: rlm_sql_postgresql: LINE 1: SELECT GroupName FROM radusergroup
WHERE Us...
(5) sql:
rlm_sql_postgresql: ^
(5) sql: rlm_sql_postgresql: QUERY: SELECT GroupName FROM radusergroup
WHERE UserName = NEW.UserName
(5) sql: rlm_sql_postgresql: CONTEXT: PL/pgSQL function upd_radgroups()
line 7 at SQL statement
(5) sql: SQL query returned: need alt query
Thanks
--
Conrad
2
1