Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2023
- 45 participants
- 42 discussions
Connect Users registered on a ldaps (azure ad ds with hashed passwords ) via a local freeradius server
by Chris Nzengue - dejamobile externe 13 Mar '23
by Chris Nzengue - dejamobile externe 13 Mar '23
13 Mar '23
Dear Alan DeKok and Alan Buxey
Thank you for your answers.
Message to Alan Buxey:
i can't add "Auth-Type := LDAP" in the authorize section. i tried differents ways but i can only write a syntax like "Auth-Type := LDAP" in the auhentication section.
In the authentication section i have this:
Auth-Type LDAP {
ldap
}
Message to Alan DeKok:
I changed my default file and my inner-tunnel file to the default configuration. I also added/checked the module eap in the authtorize section. i changed and checked some elements steps by steps like recommended.
Unfortunaly my configuration still doesn't work.
my log:
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 54919
Listening on proxy address :: port 33469
Ready to process requests
(0) Received Access-Request Id 60 from 192.168.200.20:51098 to 192.168.10.124:1812 length 269
(0) User-Name = "chris.nzengue"
(0) Chargeable-User-Identity = 0x14
(0) Location-Capable = Civic-Location
(0) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(0) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(0) NAS-Port = 1
(0) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(0) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(0) NAS-IP-Address = 192.168.200.20
(0) NAS-Identifier = "Dejamobile"
(0) Airespace-Wlan-Id = 1
(0) Service-Type = Framed-User
(0) Framed-MTU = 1300
(0) NAS-Port-Type = Wireless-802.11
(0) EAP-Message = 0x020100120163687269732e6e7a656e677565
(0) Message-Authenticator = 0x152d6c9151ccc00eda8651079e743f0f
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 18
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0x3928d6d2392ac3c4
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 60 from 192.168.10.124:1812 to 192.168.200.20:51098 length 64
(0) EAP-Message = 0x010200061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x3928d6d2392ac3c470d72d9dc025396c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 61 from 192.168.200.20:51098 to 192.168.10.124:1812 length 430
(1) User-Name = "chris.nzengue"
(1) Chargeable-User-Identity = 0x14
(1) Location-Capable = Civic-Location
(1) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(1) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(1) NAS-Port = 1
(1) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(1) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(1) NAS-IP-Address = 192.168.200.20
(1) NAS-Identifier = "Dejamobile"
(1) Airespace-Wlan-Id = 1
(1) Service-Type = Framed-User
(1) Framed-MTU = 1300
(1) NAS-Port-Type = Wireless-802.11
(1) EAP-Message = 0x020200a115800000009716030100920100008e0303640f5f3b217e84d6eb2bb1dc0e3862e4301609d5dd8156ea582ee9e9618ce89200002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(1) State = 0x3928d6d2392ac3c470d72d9dc025396c
(1) Message-Authenticator = 0x5e4ed5f1554b77fb9eca516f0b622090
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 161
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x3928d6d2392ac3c4
(1) eap: Finished EAP session with state 0x3928d6d2392ac3c4
(1) eap: Previous EAP request found for state 0x3928d6d2392ac3c4, released from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes
(1) eap_ttls: (TLS) EAP Got all data (151 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(1) eap_ttls: (TLS) In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 3 length 1004
(1) eap: EAP session adding &reply:State = 0x3928d6d2382bc3c4
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(1) Sent Access-Challenge Id 61 from 192.168.10.124:1812 to 192.168.200.20:51098 length 1068
(1) EAP-Message = 0x010303ec15c0000004b1160303003d0200003903032f11de33c426afb2d9497c86e2a911e6b439474f3cb137da7395b16ee2b50b6f00c030000011ff01000100000b00040300010200170000160303030f0b00030b00030800030530820301308201e9a00302010202140ea85d3ec7ee7aec904f3547480a14d73c892031300d06092a864886f70d01010b050030173115301306035504030c0c726164697573736572766572301e170d3232313131363134303934355a170d3332313131333134303934355a30173115301306035504030c0c72616469757373657276657230820122300d06092a864886f70d01010105000382010f003082010a0282010100adda610f374fc54e2949f1d9a7ba9ad8abf1c24a9773f9ab5fa50b43fefd07a7c61da781fd53b4277cdbe46b9964548a4125a313d4d3df6ee6593fe9dba778843c02dfa1ebceeaf17370dd8604a60085efa9d7b78b0ad571a378b30074bbabef337174fdef87ab30482289f75f3661d0b972299e9aefab
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x3928d6d2382bc3c470d72d9dc025396c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 62 from 192.168.200.20:51098 to 192.168.10.124:1812 length 275
(2) User-Name = "chris.nzengue"
(2) Chargeable-User-Identity = 0x14
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(2) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(2) NAS-Port = 1
(2) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(2) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(2) NAS-IP-Address = 192.168.200.20
(2) NAS-Identifier = "Dejamobile"
(2) Airespace-Wlan-Id = 1
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0x3928d6d2382bc3c470d72d9dc025396c
(2) Message-Authenticator = 0xf72e4e265499850d5d6421aded843c88
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x3928d6d2382bc3c4
(2) eap: Finished EAP session with state 0x3928d6d2382bc3c4
(2) eap: Previous EAP request found for state 0x3928d6d2382bc3c4, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 4 length 217
(2) eap: EAP session adding &reply:State = 0x3928d6d23b2cc3c4
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 62 from 192.168.10.124:1812 to 192.168.200.20:51098 length 275
(2) EAP-Message = 0x010400d91580000004b1bf0b7836f57013f68d84f283d18386c495f55bf6aefb9ffe13fa9ec4dc7558c1d64614cbfe1b150c6c5557eca368492d9f0703e9df123c9afa1ad66d2270997a6d9dd2108d864e63548e04e8822559864fa2763023bff6c9482116a090880534024828465510f207f1e82753981e4edfe992d2e34946f371c7b4e9ff950bffe7921daf41e7b35adcd3ed7b38ef2beb6e6c5b5797a3d3e3dcdf5e5935cb22cbbb074171beac78ba5516e39b7028280ceb40c91e5f05209cd8114a47e7c216237261cfbde7bf6b16030300040e000000
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3928d6d23b2cc3c470d72d9dc025396c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 63 from 192.168.200.20:51098 to 192.168.10.124:1812 length 405
(3) User-Name = "chris.nzengue"
(3) Chargeable-User-Identity = 0x14
(3) Location-Capable = Civic-Location
(3) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(3) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(3) NAS-Port = 1
(3) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(3) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(3) NAS-IP-Address = 192.168.200.20
(3) NAS-Identifier = "Dejamobile"
(3) Airespace-Wlan-Id = 1
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x0204008815800000007e1603030046100000424104533ca32d47edc703e275388f1effbc8eb436405d6aa3738351c3fba56c00973994a438ee6f424fb5509e7f5f9941b6eeec7e1df3979458f10c6214296159cf5914030300010116030300287faf547f2d6fb7d3c55e5be7259a0f1cd3caafd860197082b595fe088774085dc4325485792a77bb
(3) State = 0x3928d6d23b2cc3c470d72d9dc025396c
(3) Message-Authenticator = 0x79689f3375c63ab53647785b94456026
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 136
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x3928d6d23b2cc3c4
(3) eap: Finished EAP session with state 0x3928d6d23b2cc3c4
(3) eap: Previous EAP request found for state 0x3928d6d23b2cc3c4, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(3) eap_ttls: (TLS) EAP Got all data (126 bytes)
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(3) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(3) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(3) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(3) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(3) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(3) eap_ttls: (TLS) Connection Established
(3) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(3) eap_ttls: TLS-Session-Version = "TLS 1.2"
(3) eap: Sending EAP Request (code 1) ID 5 length 61
(3) eap: EAP session adding &reply:State = 0x3928d6d23a2dc3c4
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(3) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(3) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(3) TLS-Session-Version = "TLS 1.2"
(3) Sent Access-Challenge Id 63 from 192.168.10.124:1812 to 192.168.200.20:51098 length 119
(3) EAP-Message = 0x0105003d158000000033140303000101160303002860d606d18ea71d16b3c68c4ae06da363a94b18bae53e6c81c1d6858d6f02f6d40be4b094449db2d7
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3928d6d23a2dc3c470d72d9dc025396c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 64 from 192.168.200.20:51098 to 192.168.10.124:1812 length 336
(4) User-Name = "chris.nzengue"
(4) Chargeable-User-Identity = 0x14
(4) Location-Capable = Civic-Location
(4) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(4) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(4) NAS-Port = 1
(4) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(4) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(4) NAS-IP-Address = 192.168.200.20
(4) NAS-Identifier = "Dejamobile"
(4) Airespace-Wlan-Id = 1
(4) Service-Type = Framed-User
(4) Framed-MTU = 1300
(4) NAS-Port-Type = Wireless-802.11
(4) EAP-Message = 0x0205004315800000003917030300347faf547f2d6fb7d49a7c5eecbf2f091d6fa4b0d4f764f0d8b00b14a40df28858de23dccc5fcc4980690298cf1097a44b39977dcd
(4) State = 0x3928d6d23a2dc3c470d72d9dc025396c
(4) Message-Authenticator = 0x7231f57f1ffe824ddc3ef6e4618cda9b
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(4) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) &session-state:TLS-Session-Version = "TLS 1.2"
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 67
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x3928d6d23a2dc3c4
(4) eap: Finished EAP session with state 0x3928d6d23a2dc3c4
(4) eap: Previous EAP request found for state 0x3928d6d23a2dc3c4, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes
(4) eap_ttls: (TLS) EAP Got all data (57 bytes)
(4) eap_ttls: Session established. Proceeding to decode tunneled attributes
(4) eap_ttls: Got tunneled request
(4) eap_ttls: EAP-Message = 0x020000120163687269732e6e7a656e677565
(4) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(4) eap_ttls: Got tunneled identity of chris.nzengue
(4) eap_ttls: Setting default EAP type for tunneled EAP session
(4) eap_ttls: Sending tunneled request
(4) Virtual server inner-tunnel received request
(4) EAP-Message = 0x020000120163687269732e6e7a656e677565
(4) FreeRADIUS-Proxied-To = 127.0.0.1
(4) User-Name = "chris.nzengue"
(4) WARNING: Outer and inner identities are the same. User privacy is compromised.
(4) server inner-tunnel {
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [chap] = noop
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) update control {
(4) &Proxy-To-Realm := LOCAL
(4) } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 0 length 18
(4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) authenticate {
(4) eap: Peer sent packet with method EAP Identity (1)
(4) eap: Calling submodule eap_md5 to process data
(4) eap_md5: Issuing MD5 Challenge
(4) eap: Sending EAP Request (code 1) ID 1 length 22
(4) eap: EAP session adding &reply:State = 0x106ef3d5106ff7e6
(4) [eap] = handled
(4) } # authenticate = handled
(4) } # server inner-tunnel
(4) Virtual server sending reply
(4) EAP-Message = 0x010100160410a7b40954aa2a2708b16d9fcb7ef44fc8
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x106ef3d5106ff7e6264667ace5f7b4d2
(4) eap_ttls: Got tunneled Access-Challenge
(4) eap: Sending EAP Request (code 1) ID 6 length 71
(4) eap: EAP session adding &reply:State = 0x3928d6d23d2ec3c4
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(4) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 64 from 192.168.10.124:1812 to 192.168.200.20:51098 length 129
(4) EAP-Message = 0x0106004715800000003d170303003860d606d18ea71d17d954a1cc464eeb9c3042d45f159a59b49ae258e5511653994c15478a525d0883f7bf3a4cbf95ab1215fe9b9d3a4dbcd3
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x3928d6d23d2ec3c470d72d9dc025396c
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 65 from 192.168.200.20:51098 to 192.168.10.124:1812 length 352
(5) User-Name = "chris.nzengue"
(5) Chargeable-User-Identity = 0x14
(5) Location-Capable = Civic-Location
(5) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(5) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(5) NAS-Port = 1
(5) Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(5) Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(5) NAS-IP-Address = 192.168.200.20
(5) NAS-Identifier = "Dejamobile"
(5) Airespace-Wlan-Id = 1
(5) Service-Type = Framed-User
(5) Framed-MTU = 1300
(5) NAS-Port-Type = Wireless-802.11
(5) EAP-Message = 0x0206005315800000004917030300447faf547f2d6fb7d5abcaaf1c210b8e0187dbcb790c3e36ba59060260fad4e263465a94afa3ccef5d7e76f84d6f46d3d30998f3c80c52a22e54de4e5c2a807294a4aca3db
(5) State = 0x3928d6d23d2ec3c470d72d9dc025396c
(5) Message-Authenticator = 0xa69f949d8589b0539d6e70fbcc826bc6
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 83
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x106ef3d5106ff7e6
(5) eap: Finished EAP session with state 0x3928d6d23d2ec3c4
(5) eap: Previous EAP request found for state 0x3928d6d23d2ec3c4, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: (TLS) EAP Peer says that the final record size will be 73 bytes
(5) eap_ttls: (TLS) EAP Got all data (73 bytes)
(5) eap_ttls: Session established. Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls: EAP-Message = 0x020100230410400fe50041a6197c7046c3839f170c2e63687269732e6e7a656e677565
(5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5) EAP-Message = 0x020100230410400fe50041a6197c7046c3839f170c2e63687269732e6e7a656e677565
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) User-Name = "chris.nzengue"
(5) State = 0x106ef3d5106ff7e6264667ace5f7b4d2
(5) WARNING: Outer and inner identities are the same. User privacy is compromised.
(5) server inner-tunnel {
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 1 length 35
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) files: Searching for user in group "AADDC Users"
rlm_ldap (ldap): Reserved connection (0)
(5) files: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(5) files: --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(5) files: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(5) files: Waiting for search result...
(5) files: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(5) files: Checking user object's memberOf attributes
(5) files: Performing unfiltered search in "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files: Waiting for search result...
(5) files: Processing memberOf value "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(5) files: Resolving group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(5) files: Performing unfiltered search in "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files: Waiting for search result...
(5) files: Group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "SSL_VPN_SSO"
(5) files: Processing memberOf value "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(5) files: Resolving group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(5) files: Performing unfiltered search in "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files: Waiting for search result...
(5) files: Group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "DejaTeam"
(5) files: Processing memberOf value "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(5) files: Resolving group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(5) files: Performing unfiltered search in "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files: Waiting for search result...
(5) files: Group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "deja-developpeur"
rlm_ldap (ldap): Released connection (0)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://aadds.dejamobile.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(5) files: User is not a member of "AADDC Users"
(5) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(5) ldap: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(5) ldap: --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(5) ldap: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(5) ldap: Processing user attributes
(5) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
(5) [ldap] = ok
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Expiring EAP session with state 0x106ef3d5106ff7e6
(5) eap: Finished EAP session with state 0x106ef3d5106ff7e6
(5) eap: Previous EAP request found for state 0x106ef3d5106ff7e6, released from the list
(5) eap: Peer sent packet with method EAP MD5 (4)
(5) eap: Calling submodule eap_md5 to process data
(5) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(5) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 1 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> chris.nzengue
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) update outer.session-state {
(5) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication'
(5) } # update outer.session-state = noop
(5) } # Post-Auth-Type REJECT = updated
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) EAP-Message = 0x04010004
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_ttls: Got tunneled Access-Reject
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 6 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> chris.nzengue
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) [eap] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 65 from 192.168.10.124:1812 to 192.168.200.20:51098 length 44
(5) EAP-Message = 0x04060004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(0) Cleaning up request packet ID 60 with timestamp +22 due to cleanup_delay was reached
(1) Cleaning up request packet ID 61 with timestamp +22 due to cleanup_delay was reached
(2) Cleaning up request packet ID 62 with timestamp +22 due to cleanup_delay was reached
(3) Cleaning up request packet ID 63 with timestamp +22 due to cleanup_delay was reached
(4) Cleaning up request packet ID 64 with timestamp +22 due to cleanup_delay was reached
Waking up in 0.2 seconds.
(5) Cleaning up request packet ID 65 with timestamp +22 due to cleanup_delay was reached
Ready to process requests
(6) Received Access-Request Id 66 from 192.168.200.20:51098 to 192.168.10.124:1812 length 269
(6) User-Name = "chris.nzengue"
(6) Chargeable-User-Identity = 0x14
(6) Location-Capable = Civic-Location
(6) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(6) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(6) NAS-Port = 1
(6) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(6) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(6) NAS-IP-Address = 192.168.200.20
(6) NAS-Identifier = "Dejamobile"
(6) Airespace-Wlan-Id = 1
(6) Service-Type = Framed-User
(6) Framed-MTU = 1300
(6) NAS-Port-Type = Wireless-802.11
(6) EAP-Message = 0x020100120163687269732e6e7a656e677565
(6) Message-Authenticator = 0x04716ca8efc66c87deb829afd564835e
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 1 length 18
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: (TLS) Initiating new session
(6) eap: Sending EAP Request (code 1) ID 2 length 6
(6) eap: EAP session adding &reply:State = 0xb06a93a4b06886f8
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 994
(6) Sent Access-Challenge Id 66 from 192.168.10.124:1812 to 192.168.200.20:51098 length 64
(6) EAP-Message = 0x010200061520
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xb06a93a4b06886f8af54277185111954
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 67 from 192.168.200.20:51098 to 192.168.10.124:1812 length 430
(7) User-Name = "chris.nzengue"
(7) Chargeable-User-Identity = 0x14
(7) Location-Capable = Civic-Location
(7) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(7) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(7) NAS-Port = 1
(7) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(7) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(7) NAS-IP-Address = 192.168.200.20
(7) NAS-Identifier = "Dejamobile"
(7) Airespace-Wlan-Id = 1
(7) Service-Type = Framed-User
(7) Framed-MTU = 1300
(7) NAS-Port-Type = Wireless-802.11
(7) EAP-Message = 0x020200a115800000009716030100920100008e0303640f5f507ddda497f89309a6801f714fc625ee51897918a136b390ed62ba730300002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(7) State = 0xb06a93a4b06886f8af54277185111954
(7) Message-Authenticator = 0xc24227a2378efffbc3b1075a04b6469a
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 2 length 161
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xb06a93a4b06886f8
(7) eap: Finished EAP session with state 0xb06a93a4b06886f8
(7) eap: Previous EAP request found for state 0xb06a93a4b06886f8, released from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes
(7) eap_ttls: (TLS) EAP Got all data (151 bytes)
(7) eap_ttls: (TLS) Handshake state - before SSL initialization
(7) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(7) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(7) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(7) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(7) eap_ttls: (TLS) In Handshake Phase
(7) eap: Sending EAP Request (code 1) ID 3 length 1004
(7) eap: EAP session adding &reply:State = 0xb06a93a4b16986f8
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Framed-MTU = 994
(7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(7) Sent Access-Challenge Id 67 from 192.168.10.124:1812 to 192.168.200.20:51098 length 1068
(7) EAP-Message = 0x010303ec15c0000004b1160303003d020000390303026be732868da5ade139a288a53f8dac55c2b3e393564573fe037abee2d494cb00c030000011ff01000100000b00040300010200170000160303030f0b00030b00030800030530820301308201e9a00302010202140ea85d3ec7ee7aec904f3547480a14d73c892031300d06092a864886f70d01010b050030173115301306035504030c0c726164697573736572766572301e170d3232313131363134303934355a170d3332313131333134303934355a30173115301306035504030c0c72616469757373657276657230820122300d06092a864886f70d01010105000382010f003082010a0282010100adda610f374fc54e2949f1d9a7ba9ad8abf1c24a9773f9ab5fa50b43fefd07a7c61da781fd53b4277cdbe46b9964548a4125a313d4d3df6ee6593fe9dba778843c02dfa1ebceeaf17370dd8604a60085efa9d7b78b0ad571a378b30074bbabef337174fdef87ab30482289f75f3661d0b972299e9aefab
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xb06a93a4b16986f8af54277185111954
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 68 from 192.168.200.20:51098 to 192.168.10.124:1812 length 275
(8) User-Name = "chris.nzengue"
(8) Chargeable-User-Identity = 0x14
(8) Location-Capable = Civic-Location
(8) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(8) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(8) NAS-Port = 1
(8) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(8) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(8) NAS-IP-Address = 192.168.200.20
(8) NAS-Identifier = "Dejamobile"
(8) Airespace-Wlan-Id = 1
(8) Service-Type = Framed-User
(8) Framed-MTU = 1300
(8) NAS-Port-Type = Wireless-802.11
(8) EAP-Message = 0x020300061500
(8) State = 0xb06a93a4b16986f8af54277185111954
(8) Message-Authenticator = 0x0aa15d8721da3796d573e74f7cb9d80a
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 994
(8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 3 length 6
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xb06a93a4b16986f8
(8) eap: Finished EAP session with state 0xb06a93a4b16986f8
(8) eap: Previous EAP request found for state 0xb06a93a4b16986f8, released from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: (TLS) Peer ACKed our handshake fragment
(8) eap: Sending EAP Request (code 1) ID 4 length 217
(8) eap: EAP session adding &reply:State = 0xb06a93a4b26e86f8
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) Framed-MTU = 994
(8) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(8) Sent Access-Challenge Id 68 from 192.168.10.124:1812 to 192.168.200.20:51098 length 275
(8) EAP-Message = 0x010400d91580000004b10097f501404446d75765f353e00ba11a38c9d8b03b8130c97ab3f461a973c837c7278ca05260132dc7ffc2d9c69d6278f4caec292bbf3aff547982a6b646b89840697c34aea050230143a6f341d6e4f77d711e272bc2e5ba7f44ea03b6b7c479aa6c67a5be51d58da3f67d07e01d59ca0f334c88390e756a0c203664a2f49a9669863b039ae7aa5358457baf93418877a8fabc3f4441c6453431c6d573e831809067d2470dcbfa6812a24a9e445579080900d3582d14ad2eb69fcbadfae89ee4884679ac77d716030300040e000000
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xb06a93a4b26e86f8af54277185111954
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 69 from 192.168.200.20:51098 to 192.168.10.124:1812 length 405
(9) User-Name = "chris.nzengue"
(9) Chargeable-User-Identity = 0x14
(9) Location-Capable = Civic-Location
(9) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(9) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(9) NAS-Port = 1
(9) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(9) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(9) NAS-IP-Address = 192.168.200.20
(9) NAS-Identifier = "Dejamobile"
(9) Airespace-Wlan-Id = 1
(9) Service-Type = Framed-User
(9) Framed-MTU = 1300
(9) NAS-Port-Type = Wireless-802.11
(9) EAP-Message = 0x0204008815800000007e1603030046100000424104bcb05e9ba5ebc01969e6451ca2dd8ad3047d264fb49a0aaae1334245f3ee007cd0571e406182d4db73c00ef12beaecdfeeed8ba828f08f1da11b3823a09027061403030001011603030028055c825a7cda76658bf919b822b00a85ba2962186168f0200f034e6a59d44623e1dcb6961e119655
(9) State = 0xb06a93a4b26e86f8af54277185111954
(9) Message-Authenticator = 0xd05333313b7f97d9f662c7176758ee93
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 994
(9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 4 length 136
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xb06a93a4b26e86f8
(9) eap: Finished EAP session with state 0xb06a93a4b26e86f8
(9) eap: Previous EAP request found for state 0xb06a93a4b26e86f8, released from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(9) eap_ttls: (TLS) EAP Got all data (126 bytes)
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(9) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(9) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(9) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(9) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(9) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(9) eap_ttls: (TLS) Connection Established
(9) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) eap_ttls: TLS-Session-Version = "TLS 1.2"
(9) eap: Sending EAP Request (code 1) ID 5 length 61
(9) eap: EAP session adding &reply:State = 0xb06a93a4b36f86f8
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9) Framed-MTU = 994
(9) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(9) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(9) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 69 from 192.168.10.124:1812 to 192.168.200.20:51098 length 119
(9) EAP-Message = 0x0105003d1580000000331403030001011603030028d24fc42abd6c93595bca05ae4f609d15cc9e9d1390c6ebadf69d8306c02f665f730329bbc16fba9b
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xb06a93a4b36f86f8af54277185111954
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 70 from 192.168.200.20:51098 to 192.168.10.124:1812 length 336
(10) User-Name = "chris.nzengue"
(10) Chargeable-User-Identity = 0x14
(10) Location-Capable = Civic-Location
(10) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(10) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(10) NAS-Port = 1
(10) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(10) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(10) NAS-IP-Address = 192.168.200.20
(10) NAS-Identifier = "Dejamobile"
(10) Airespace-Wlan-Id = 1
(10) Service-Type = Framed-User
(10) Framed-MTU = 1300
(10) NAS-Port-Type = Wireless-802.11
(10) EAP-Message = 0x020500431580000000391703030034055c825a7cda7666218232272050e9269e4ece33975dec65f19718088ca239cb67788e727536ddf614279eaea1b61c1441a4726b
(10) State = 0xb06a93a4b36f86f8af54277185111954
(10) Message-Authenticator = 0xb6621b928cfd197b4a86cdad6c58c6f9
(10) Restoring &session-state
(10) &session-state:Framed-MTU = 994
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 5 length 67
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xb06a93a4b36f86f8
(10) eap: Finished EAP session with state 0xb06a93a4b36f86f8
(10) eap: Previous EAP request found for state 0xb06a93a4b36f86f8, released from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes
(10) eap_ttls: (TLS) EAP Got all data (57 bytes)
(10) eap_ttls: Session established. Proceeding to decode tunneled attributes
(10) eap_ttls: Got tunneled request
(10) eap_ttls: EAP-Message = 0x020000120163687269732e6e7a656e677565
(10) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_ttls: Got tunneled identity of chris.nzengue
(10) eap_ttls: Setting default EAP type for tunneled EAP session
(10) eap_ttls: Sending tunneled request
(10) Virtual server inner-tunnel received request
(10) EAP-Message = 0x020000120163687269732e6e7a656e677565
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "chris.nzengue"
(10) WARNING: Outer and inner identities are the same. User privacy is compromised.
(10) server inner-tunnel {
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) update control {
(10) &Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 0 length 18
(10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap: Peer sent packet with method EAP Identity (1)
(10) eap: Calling submodule eap_md5 to process data
(10) eap_md5: Issuing MD5 Challenge
(10) eap: Sending EAP Request (code 1) ID 1 length 22
(10) eap: EAP session adding &reply:State = 0x4402aae04403aead
(10) [eap] = handled
(10) } # authenticate = handled
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10) EAP-Message = 0x0101001604102159bde60b2e60420dd98342dac2e574
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x4402aae04403aead50a58e9ebcef6551
(10) eap_ttls: Got tunneled Access-Challenge
(10) eap: Sending EAP Request (code 1) ID 6 length 71
(10) eap: EAP session adding &reply:State = 0xb06a93a4b46c86f8
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) session-state: Saving cached attributes
(10) Framed-MTU = 994
(10) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(10) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 70 from 192.168.10.124:1812 to 192.168.200.20:51098 length 129
(10) EAP-Message = 0x0106004715800000003d1703030038d24fc42abd6c935a2809ce7be46cc5d28f9e549f3edb4ca54df04a5f174a5c1cdd6f37b0d9fbc84103a89bdcdfb38565a66a5bc2dfb19654
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xb06a93a4b46c86f8af54277185111954
(10) Finished request
Waking up in 4.9 seconds.
(11) Received Access-Request Id 71 from 192.168.200.20:51098 to 192.168.10.124:1812 length 352
(11) User-Name = "chris.nzengue"
(11) Chargeable-User-Identity = 0x14
(11) Location-Capable = Civic-Location
(11) Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(11) Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(11) NAS-Port = 1
(11) Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(11) Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(11) NAS-IP-Address = 192.168.200.20
(11) NAS-Identifier = "Dejamobile"
(11) Airespace-Wlan-Id = 1
(11) Service-Type = Framed-User
(11) Framed-MTU = 1300
(11) NAS-Port-Type = Wireless-802.11
(11) EAP-Message = 0x020600531580000000491703030044055c825a7cda7667c7154a803cd94615441be6ab0d2222f75f36d997c204e0545d45ab5925417126f12750a01296cd1c296d4dc91bf7d63e7573fa858f504a3c9b0fdf50
(11) State = 0xb06a93a4b46c86f8af54277185111954
(11) Message-Authenticator = 0xbc7275f34cf240da340a2c24f6b95a75
(11) Restoring &session-state
(11) &session-state:Framed-MTU = 994
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 6 length 83
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0x4402aae04403aead
(11) eap: Finished EAP session with state 0xb06a93a4b46c86f8
(11) eap: Previous EAP request found for state 0xb06a93a4b46c86f8, released from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: (TLS) EAP Peer says that the final record size will be 73 bytes
(11) eap_ttls: (TLS) EAP Got all data (73 bytes)
(11) eap_ttls: Session established. Proceeding to decode tunneled attributes
(11) eap_ttls: Got tunneled request
(11) eap_ttls: EAP-Message = 0x020100230410c7fd95c7eb515678451ac8a352b9078363687269732e6e7a656e677565
(11) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_ttls: Sending tunneled request
(11) Virtual server inner-tunnel received request
(11) EAP-Message = 0x020100230410c7fd95c7eb515678451ac8a352b9078363687269732e6e7a656e677565
(11) FreeRADIUS-Proxied-To = 127.0.0.1
(11) User-Name = "chris.nzengue"
(11) State = 0x4402aae04403aead50a58e9ebcef6551
(11) WARNING: Outer and inner identities are the same. User privacy is compromised.
(11) server inner-tunnel {
(11) session-state: No cached attributes
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [chap] = noop
(11) [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) update control {
(11) &Proxy-To-Realm := LOCAL
(11) } # update control = noop
(11) eap: Peer sent EAP Response (code 2) ID 1 length 35
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) files: Searching for user in group "AADDC Users"
rlm_ldap (ldap): Reserved connection (2)
(11) files: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(11) files: --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(11) files: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(11) files: Waiting for search result...
(11) files: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(11) files: Checking user object's memberOf attributes
(11) files: Performing unfiltered search in "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files: Waiting for search result...
(11) files: Processing memberOf value "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(11) files: Resolving group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(11) files: Performing unfiltered search in "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files: Waiting for search result...
(11) files: Group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "SSL_VPN_SSO"
(11) files: Processing memberOf value "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(11) files: Resolving group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(11) files: Performing unfiltered search in "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files: Waiting for search result...
(11) files: Group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "DejaTeam"
(11) files: Processing memberOf value "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(11) files: Resolving group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(11) files: Performing unfiltered search in "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files: Waiting for search result...
(11) files: Group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "deja-developpeur"
rlm_ldap (ldap): Released connection (2)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://aadds.dejamobile.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(11) files: User is not a member of "AADDC Users"
(11) [files] = noop
rlm_ldap (ldap): Reserved connection (3)
(11) ldap: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(11) ldap: --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(11) ldap: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(11) ldap: Waiting for search result...
(11) ldap: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(11) ldap: Processing user attributes
(11) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(11) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (3)
(11) [ldap] = ok
(11) [expiration] = noop
(11) [logintime] = noop
(11) [pap] = noop
(11) } # authorize = updated
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) authenticate {
(11) eap: Expiring EAP session with state 0x4402aae04403aead
(11) eap: Finished EAP session with state 0x4402aae04403aead
(11) eap: Previous EAP request found for state 0x4402aae04403aead, released from the list
(11) eap: Peer sent packet with method EAP MD5 (4)
(11) eap: Calling submodule eap_md5 to process data
(11) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(11) eap: ERROR: Failed continuing EAP MD5 (4) session. EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 1 length 4
(11) eap: Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) Post-Auth-Type REJECT {
(11) attr_filter.access_reject: EXPAND %{User-Name}
(11) attr_filter.access_reject: --> chris.nzengue
(11) attr_filter.access_reject: Matched entry DEFAULT at line 11
(11) [attr_filter.access_reject] = updated
(11) update outer.session-state {
(11) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication'
(11) } # update outer.session-state = noop
(11) } # Post-Auth-Type REJECT = updated
(11) } # server inner-tunnel
(11) Virtual server sending reply
(11) EAP-Message = 0x04010004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) eap_ttls: Got tunneled Access-Reject
(11) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 6 length 4
(11) eap: Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11) Post-Auth-Type REJECT {
(11) attr_filter.access_reject: EXPAND %{User-Name}
(11) attr_filter.access_reject: --> chris.nzengue
(11) attr_filter.access_reject: Matched entry DEFAULT at line 11
(11) [attr_filter.access_reject] = updated
(11) [eap] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) } # Post-Auth-Type REJECT = updated
(11) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(11) Sending delayed response
(11) Sent Access-Reject Id 71 from 192.168.10.124:1812 to 192.168.200.20:51098 length 44
(11) EAP-Message = 0x04060004
(11) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(6) Cleaning up request packet ID 66 with timestamp +42 due to cleanup_delay was reached
(7) Cleaning up request packet ID 67 with timestamp +42 due to cleanup_delay was reached
(8) Cleaning up request packet ID 68 with timestamp +42 due to cleanup_delay was reached
(9) Cleaning up request packet ID 69 with timestamp +43 due to cleanup_delay was reached
(10) Cleaning up request packet ID 70 with timestamp +43 due to cleanup_delay was reached
Waking up in 0.2 seconds.
(11) Cleaning up request packet ID 71 with timestamp +43 due to cleanup_delay was reached
Ready to process requests
Chris Nzengue
Stagiaire DEVOPS
DEVOPS internship
Fixe / Office: +33(2)14747500
chris.nzengue(a)dejamobile.com<mailto:%7BE-mail%7D>
[cid:logo-500x500_8c612466-939f-4f99-8d85-3affb0831c87.png]
[cid:SocialLink_Linkedin_32x32_44e008ea-1b1a-4fa0-b32f-2c845382148a.png] <https://www.linkedin.com/company/dejamobile/> [cid:SocialLink_Twitter_32x32_082f5645-c4de-4011-bd63-3d63208f4a3e.png] <https://twitter.com/dejamobile>
<https://www.linkedin.com/company/dejamobile/><https://www.linkedin.com/company/dejamobile/>[cid:mpe23mail_8ab29f82-07d3-4119-943b-776a4cea5fb3.png]<https://www.merchantpaymentsecosystem.com/>
2
1
Hi,
I tried to build freeradius from rel 3.2.2 package but could not find 3.2.2
freeradius-devel online.
Where can I download it? Thanks
Peter
3
5
help required - freerdius 3 - accounting to fortigate - user group name not received on fortigate
by Eby Mani 11 Mar '23
by Eby Mani 11 Mar '23
11 Mar '23
I've migrated from Freeradius 2.x.x to Freeradius 3.0.16 on ubuntu.
FR2 was configured to sent accounting to Fortigate firewall for RSSO Groups using "copy-acct-to-home-server" section.
I have re-configured freeradus 3 and restored mysql db, accounting packets are being sent to fortigate. However user group is not received by fortigate.
Cant seem to find how it was done on FR2 or how to do the same in FR3.
Any hints will be helpful.
Will post debug if required.
Thanks,
1, testing from freradius server,
echo "User-Name="wireless_admin",Framed-IP-Address="10.225.251.22",Class="PG_Support",Acct-Status-Type=Start" | radclient -q 172.16.2.254 acct test
Fortigate.
Add/Update auth logon for IP 10.225.251.22 for user wireless_admin
DB 0 insert [ep='wireless_admin' pg='PG_Support' ip='10.225.251.22/32'] success
2, Connecting from wireless result user group not received from radius server, thus no internet access
Fortigate.
Add/Update auth logon for IP 10.225.251.22 for user wireless_admin
DB 0 insert [ep='wireless_admin' pg='n/a' ip='10.225.251.22/32'] success
2
7
FreeRADIUS keeps complaining about TLS 1.0/1.1, despite tls_min_version setting has been set to 1.2
by Viacheslav Mikhailow 11 Mar '23
by Viacheslav Mikhailow 11 Mar '23
11 Mar '23
Hi everyone
I've published an issue on a question board
<https://serverfault.com/questions/1125788/freeradius-keeps-complaining-abou…>,
concerning the FreeRADIUS server. Could anyone answer it?
Thank you
--
*BR,*
*Václav*
1
0
Fwd: Way to configure logging to emit SSL Certificate info with a failure message?
by Andy Arp 09 Mar '23
by Andy Arp 09 Mar '23
09 Mar '23
Looking for ways to configure version 3.0.x to emit additional log data
when an SSL error occurs. Specifically looking for ways to emit the SAN or
even the ID of the certificate being presented to make it easier to track
down badly configured clients without having to turn on debug mode.
Example of log message we're seeing as too generic currently:
Mon Mar 6 10:32:59 2023 : ERROR: (0) ERROR: SSL says error 23 :
certificate revoked
2
4
hello list.
On my last freeradius upgrade (to Version 3.2.1) I changed config files
to reach this goal :
Force the vlan for unknown mac adresses OR eduroam SSID
use user's one (comming from ldap module) for known mac adresses
(yes it looks like a small network access control)
That for, I add this unlang command in default site :
authorize {
.....
authorized_macs
if (!ok) {
update reply {
Tunnel-Private-Group-Id := 602
}
} else {
if (Called-Station-Id =~ /.*eduroam.*/i ) {
update reply {
Tunnel-Private-Group-Id := 602
}
}
}
and of course in ldap module :
reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivateGroupId'
Not shure why but sometimes, known mac addresses fall in vlan 602.
reading debug log, I see that access-accept request has 2
Tunnel-Private-Group-Id values.
(917721) Login OK: [anonymous] (from client APs port 0 cli 9C-B6-D0-93-43-9B)
(917721) Sent Access-Accept Id 235 from 10..x.x.x:1812 to 10.y.y.y:34406 length 206
(917721)*Tunnel-Private-Group-Id := "602"*
(917721) MS-MPPE-Recv-Key = 0x8b027fe2eb7a469ab2511b31ea16e1ea2c6f11b9846db09dce876d4333d99077
(917721) MS-MPPE-Send-Key = 0xc9b83651e9ff3adefbdf2371f127d2fbdc2b5334f3ed37c0729a1e4b468945ab
(917721) EAP-Message = 0x03170004
(917721) Message-Authenticator = 0x00000000000000000000000000000000
(917721) User-Name = "anonymous"
(917721) Framed-MTU += 1014
(917721) Tunnel-Type += VLAN
(917721) Tunnel-Medium-Type += IEEE-802
(917721)*Tunnel-Private-Group-Id += "1001"*
(917721) Service-Type += Administrative-User
(917721) Finished request
How can the WAP know which one apply ???
My questions are :
- Is that method a valid one ? If not, how to ?
- should I use an other operator to set Tunnel-Private-Group-Id value ?
- why is the attribute present twice even if := operator is always used
and wiki says :
*:=* Attribute := value Always matches as a check item, and replaces
in the configuration items any attribute of the same name. If no
attribute of that name appears in the request, then this attribute is
added.
Thanks for your attention.
Cédric
--
*Cédric Delaunay
*
*Service Infrastructure Systèmes et Réseaux / Direction du Système
d'Information*
*RSSI Suppléant *
Tel. : +33 (0)2 23 23 8568
*INSA Rennes*
20 avenue des Buttes de Coêsmes
CS 70839 - 35 708 RENNES Cedex 7
www.insa-rennes.fr <http://www.insa-rennes.fr/>
3
7
Hello,
I started to learn network authentication and I want to setup a litle poc with Freeradius and EAP-TLS.
I have previously tested my working configuration with the bob user as in the freeradius docker example.
I use freeradius docker image https://hub.docker.com/r/freeradius/freeradius-server/ in a container.
The configs files have been extracted to be configured in my host system and mounted at container's start.
I have follow this tutorial for the radiusd.conf file : https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-S…
As I use the container's default keys, the user file is just a line :
user(a)example.org Auth-Type := EAP, EAP-Type := EAP-TLS
On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X.
The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it.
The username I use on the phone side is "user(a)example.org", the domain is "example.org".
When I click on connect on my phone, I get an access reject as shown in the debug output below.
I wanted to know if I am doing wrong somewhere and possibly where ?
(Freeradius Version 3.2.0)
(0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812 length 212
(0) Message-Authenticator = 0x46c9071611e746712984ef9165b516eb
(0) Service-Type = Framed-User
(0) User-Name = "user(a)example.org"
(0) Framed-MTU = 1488
(0) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(0) Calling-Station-Id = "22-85-59-7C-27-7A"
(0) NAS-Identifier = "D-Link Access Point"
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 54Mbps 802.11g"
(0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(0) NAS-IP-Address = 10.17.30.60
(0) NAS-Port = 1
(0) NAS-Port-Id = "STA port # 1"
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(0) suffix: No such realm "example.org"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) Initiating new session
(0) eap_tls: (TLS) Setting verify mode to require certificate from client
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061 length 64
(0) EAP-Message = 0x010100060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xbced3a8cbcec37005a032dcfba50bf3a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812 length 215
(1) Message-Authenticator = 0x2660937420c3367bd057db626b743cc5
(1) Service-Type = Framed-User
(1) User-Name = "user(a)example.org"
(1) Framed-MTU = 1488
(1) State = 0xbced3a8cbcec37005a032dcfba50bf3a
(1) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(1) Calling-Station-Id = "22-85-59-7C-27-7A"
(1) NAS-Identifier = "D-Link Access Point"
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 54Mbps 802.11g"
(1) EAP-Message = 0x020100060300
(1) NAS-IP-Address = 10.17.30.60
(1) NAS-Port = 1
(1) NAS-Port-Id = "STA port # 1"
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(1) suffix: No such realm "example.org"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry user(a)example.org at line 2
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xbced3a8cbcec3700
(1) eap: Finished EAP session with state 0xbced3a8cbcec3700
(1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Peer NAK'd indicating it is not willing to continue
(1) eap: Sending EAP Failure (code 4) ID 1 length 4
(1) eap: Failed in EAP select
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject: --> user(a)example.org
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) [eap] = noop
(1) policy remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(1) else {
(1) [noop] = noop
(1) } # else = noop
(1) } # policy remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061 length 44
(1) EAP-Message = 0x04010004
(1) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812 length 212
(2) Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04
(2) Service-Type = Framed-User
(2) User-Name = "user(a)example.org"
(2) Framed-MTU = 1488
(2) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(2) Calling-Station-Id = "22-85-59-7C-27-7A"
(2) NAS-Identifier = "D-Link Access Point"
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 54Mbps 802.11g"
(2) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(2) NAS-IP-Address = 10.17.30.60
(2) NAS-Port = 1
(2) NAS-Port-Id = "STA port # 1"
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(2) suffix: No such realm "example.org"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 0 length 21
(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) Initiating new session
(2) eap_tls: (TLS) Setting verify mode to require certificate from client
(2) eap: Sending EAP Request (code 1) ID 1 length 6
(2) eap: EAP session adding &reply:State = 0x61a7200961a62df0
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063 length 64
(2) EAP-Message = 0x010100060d20
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x61a7200961a62df0743c98b3a07aed8f
(2) Finished request
Waking up in 1.9 seconds.
(3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812 length 215
(3) Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94
(3) Service-Type = Framed-User
(3) User-Name = "user(a)example.org"
(3) Framed-MTU = 1488
(3) State = 0x61a7200961a62df0743c98b3a07aed8f
(3) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(3) Calling-Station-Id = "22-85-59-7C-27-7A"
(3) NAS-Identifier = "D-Link Access Point"
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 54Mbps 802.11g"
(3) EAP-Message = 0x020100060300
(3) NAS-IP-Address = 10.17.30.60
(3) NAS-Port = 1
(3) NAS-Port-Id = "STA port # 1"
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(3) suffix: No such realm "example.org"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 1 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) files: users: Matched entry user(a)example.org at line 2
(3) [files] = ok
(3) [expiration] = noop
(3) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x61a7200961a62df0
(3) eap: Finished EAP session with state 0x61a7200961a62df0
(3) eap: Previous EAP request found for state 0x61a7200961a62df0, released from the list
(3) eap: Peer sent packet with method EAP NAK (3)
(3) eap: Peer NAK'd indicating it is not willing to continue
(3) eap: Sending EAP Failure (code 4) ID 1 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> user(a)example.org
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063 length 44
(3) EAP-Message = 0x04010004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.8 seconds.
(0) Cleaning up request packet ID 0 with timestamp +74 due to cleanup_delay was reached
(1) Cleaning up request packet ID 1 with timestamp +74 due to cleanup_delay was reached
Waking up in 3.0 seconds.
(4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812 length 212
(4) Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100
(4) Service-Type = Framed-User
(4) User-Name = "user(a)example.org"
(4) Framed-MTU = 1488
(4) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(4) Calling-Station-Id = "22-85-59-7C-27-7A"
(4) NAS-Identifier = "D-Link Access Point"
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 54Mbps 802.11g"
(4) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(4) NAS-IP-Address = 10.17.30.60
(4) NAS-Port = 1
(4) NAS-Port-Id = "STA port # 1"
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(4) suffix: No such realm "example.org"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 0 length 21
(4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Peer sent packet with method EAP Identity (1)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) Initiating new session
(4) eap_tls: (TLS) Setting verify mode to require certificate from client
(4) eap: Sending EAP Request (code 1) ID 1 length 6
(4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065 length 64
(4) EAP-Message = 0x010100060d20
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x10b8d47310b9d97a65ed29a95486330e
(4) Finished request
Waking up in 1.8 seconds.
(5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812 length 215
(5) Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61
(5) Service-Type = Framed-User
(5) User-Name = "user(a)example.org"
(5) Framed-MTU = 1488
(5) State = 0x10b8d47310b9d97a65ed29a95486330e
(5) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(5) Calling-Station-Id = "22-85-59-7C-27-7A"
(5) NAS-Identifier = "D-Link Access Point"
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 54Mbps 802.11g"
(5) EAP-Message = 0x020100060300
(5) NAS-IP-Address = 10.17.30.60
(5) NAS-Port = 1
(5) NAS-Port-Id = "STA port # 1"
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "example.org" for User-Name = "user(a)example.org"
(5) suffix: No such realm "example.org"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 1 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) files: users: Matched entry user(a)example.org at line 2
(5) [files] = ok
(5) [expiration] = noop
(5) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x10b8d47310b9d97a
(5) eap: Finished EAP session with state 0x10b8d47310b9d97a
(5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released from the list
(5) eap: Peer sent packet with method EAP NAK (3)
(5) eap: Peer NAK'd indicating it is not willing to continue
(5) eap: Sending EAP Failure (code 4) ID 1 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> user(a)example.org
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) [eap] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065 length 44
(5) EAP-Message = 0x04010004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.8 seconds.
(2) Cleaning up request packet ID 0 with timestamp +77 due to cleanup_delay was reached
(3) Cleaning up request packet ID 1 with timestamp +77 due to cleanup_delay was reached
Waking up in 3.1 seconds.
(4) Cleaning up request packet ID 0 with timestamp +80 due to cleanup_delay was reached
(5) Cleaning up request packet ID 1 with timestamp +80 due to cleanup_delay was reached
Ready to process requests
Thanks,
Clément
Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires.
Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur par e-mail.
Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. Les communications sur Internet n'etant pas securisees, l'expediteur informe qu'il ne peut accepter aucune responsabilite quant au contenu de ce message.
This mail message and attachments (the "message") are solely intended for the addresses. It is confidential in nature.
If you receive this message in error, please delete it and immediately notify the sender by e-mail.
Any use other than its intended purpose, dissemination or disclosure, either whole or partial, is prohibited except if formal approval is granted. As communication on the Internet is not secure, the sender does not accept responsibility for the content of this message.
2
6
Hello,
My FreeRADIUS is talking to an LDAP directory (OpenLDAP) over TLS and I need to check the revocation status of the LDAP server's certificate using a CRL.
I tried adding check_crl in the tls section (of the LDAP module) but to no avail (see debug output below : check_crl is ignored when parsing the configuration) :
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = yes
# ca_file = /etc/ssl/certs/ca-bundle.crt
ca_path = /etc/ssl/certs
certificate_file = ${certdir}/radsrv1.crt
private_key_file = ${certdir}/radsrv1.key
check_crl = yes
# random_file = /dev/urandom
# Certificate Verification requirements. Can be:
# 'never' (do not even bother trying)
# 'allow' (try, but don't fail if the certificate
# cannot be verified)
# 'demand' (fail if the certificate does not verify)
# 'hard' (similar to 'demand' but fails if TLS
# cannot negotiate)
#
# The default is libldap's default, which varies based
# on the contents of ldap.conf.
require_cert = 'demand'
}
Verifying the LDAP server's certificate using OpenSSL (using the -crl_check option) works as expected (the certificate is flagged as revoked) as everything (CRL and CA) has been c_rehash'd in /etc/ssl/certs.
The full debug output when I start FreeRADIUS is the following (using -xX because the line stating that check_crl is ignored is not included with just -X) :
Wed Mar 8 11:03:22 2023 : Debug: Server was built with:
Wed Mar 8 11:03:22 2023 : Debug: accounting : yes
Wed Mar 8 11:03:22 2023 : Debug: authentication : yes
Wed Mar 8 11:03:22 2023 : Debug: ascend-binary-attributes : yes
Wed Mar 8 11:03:22 2023 : Debug: coa : yes
Wed Mar 8 11:03:22 2023 : Debug: control-socket : yes
Wed Mar 8 11:03:22 2023 : Debug: detail : yes
Wed Mar 8 11:03:22 2023 : Debug: dhcp : yes
Wed Mar 8 11:03:22 2023 : Debug: dynamic-clients : yes
Wed Mar 8 11:03:22 2023 : Debug: osfc2 : no
Wed Mar 8 11:03:22 2023 : Debug: proxy : yes
Wed Mar 8 11:03:22 2023 : Debug: regex-pcre : yes
Wed Mar 8 11:03:22 2023 : Debug: regex-posix : no
Wed Mar 8 11:03:22 2023 : Debug: regex-posix-extended : no
Wed Mar 8 11:03:22 2023 : Debug: session-management : yes
Wed Mar 8 11:03:22 2023 : Debug: stats : yes
Wed Mar 8 11:03:22 2023 : Debug: systemd : no
Wed Mar 8 11:03:22 2023 : Debug: tcp : yes
Wed Mar 8 11:03:22 2023 : Debug: threads : yes
Wed Mar 8 11:03:22 2023 : Debug: tls : yes
Wed Mar 8 11:03:22 2023 : Debug: unlang : yes
Wed Mar 8 11:03:22 2023 : Debug: vmps : yes
Wed Mar 8 11:03:22 2023 : Debug: developer : no
Wed Mar 8 11:03:22 2023 : Debug: Server core libs:
Wed Mar 8 11:03:22 2023 : Debug: freeradius-server : 3.0.20
Wed Mar 8 11:03:22 2023 : Debug: talloc : 2.3.*
Wed Mar 8 11:03:22 2023 : Debug: ssl : 1.1.1k release
Wed Mar 8 11:03:22 2023 : Debug: pcre : 8.42 2018-03-20
Wed Mar 8 11:03:22 2023 : Debug: Endianness:
Wed Mar 8 11:03:22 2023 : Debug: little
Wed Mar 8 11:03:22 2023 : Debug: Compilation flags:
Wed Mar 8 11:03:22 2023 : Debug: cppflags :
Wed Mar 8 11:03:22 2023 : Debug: cflags : -I. -Isrc -include src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h -include src/freeradius-devel/features.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
Wed Mar 8 11:03:22 2023 : Debug: ldflags : -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
Wed Mar 8 11:03:22 2023 : Debug: libs : -lcrypto -lssl -ltalloc -lpcre -lresolv -ldl -lpthread -lreadline
Wed Mar 8 11:03:22 2023 : Debug:
Wed Mar 8 11:03:22 2023 : Info: FreeRADIUS Version 3.0.20
Wed Mar 8 11:03:22 2023 : Info: Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
Wed Mar 8 11:03:22 2023 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Wed Mar 8 11:03:22 2023 : Info: PARTICULAR PURPOSE
Wed Mar 8 11:03:22 2023 : Info: You may redistribute copies of FreeRADIUS under the terms of the
Wed Mar 8 11:03:22 2023 : Info: GNU General Public License
Wed Mar 8 11:03:22 2023 : Info: For more information about these matters, see the file named COPYRIGHT
Wed Mar 8 11:03:22 2023 : Info: Starting - reading configuration files ...
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /usr/share/freeradius/dictionary
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /usr/share/freeradius/dictionary.dhcp
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /usr/share/freeradius/dictionary.vqp
Wed Mar 8 11:03:22 2023 : Debug: including dictionary file /etc/raddb/dictionary
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/radiusd.conf
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/proxy.conf
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/clients.conf
Wed Mar 8 11:03:22 2023 : Debug: including files in directory /etc/raddb/mods-enabled/
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/cache_eap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/chap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/date
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/detail
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/digest
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/dynamic_clients
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/eap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/echo
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/exec
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/expiration
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/expr
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/files
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/logintime
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/mschap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/ntlm_auth
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/pap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/passwd
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/preprocess
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/radutmp
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/replicate
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/soh
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/sradutmp
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/unix
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/unpack
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/utf8
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/mods-enabled/ldap
Wed Mar 8 11:03:22 2023 : Debug: including files in directory /etc/raddb/policy.d/
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/accounting
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/canonicalization
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/control
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/cui
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (${policy.cui_require_operator_name} == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (no == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (${policy.cui_require_operator_name} == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: OPTIMIZING (no == yes) --> FALSE
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/debug
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/dhcp
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/eap
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/filter
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/operator-name
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/policy.d/rfc7542
Wed Mar 8 11:03:22 2023 : Debug: including files in directory /etc/raddb/sites-enabled/
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/sites-enabled/default
Wed Mar 8 11:03:22 2023 : Debug: including configuration file /etc/raddb/sites-enabled/inner-tunnel
Wed Mar 8 11:03:22 2023 : Debug: main {
Wed Mar 8 11:03:22 2023 : Debug: security {
Wed Mar 8 11:03:22 2023 : Debug: user = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: group = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: allow_core_dumps = no
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[526]: The item 'max_attributes' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[544]: The item 'reject_delay' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[564]: The item 'status_server' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: name = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: prefix = "/usr"
Wed Mar 8 11:03:22 2023 : Debug: localstatedir = "/var"
Wed Mar 8 11:03:22 2023 : Debug: logdir = "/var/log/radius"
Wed Mar 8 11:03:22 2023 : Debug: run_dir = "/var/run/radiusd"
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[84]: The item 'exec_prefix' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[97]: The item 'confdir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[103]: The item 'db_dir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[137]: The item 'libdir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[148]: The item 'pidfile' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[169]: The item 'correct_escapes' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[223]: The item 'max_request_time' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[242]: The item 'cleanup_delay' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[279]: The item 'hostname_lookups' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[382]: The item 'checkrad' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[585]: The item 'proxy_requests' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: main {
Wed Mar 8 11:03:22 2023 : Debug: name = "radiusd"
Wed Mar 8 11:03:22 2023 : Debug: prefix = "/usr"
Wed Mar 8 11:03:22 2023 : Debug: localstatedir = "/var"
Wed Mar 8 11:03:22 2023 : Debug: sbindir = "/usr/sbin"
Wed Mar 8 11:03:22 2023 : Debug: logdir = "/var/log/radius"
Wed Mar 8 11:03:22 2023 : Debug: run_dir = "/var/run/radiusd"
Wed Mar 8 11:03:22 2023 : Debug: libdir = "/usr/lib64/freeradius"
Wed Mar 8 11:03:22 2023 : Debug: radacctdir = "/var/log/radius/radacct"
Wed Mar 8 11:03:22 2023 : Debug: hostname_lookups = no
Wed Mar 8 11:03:22 2023 : Debug: max_request_time = 30
Wed Mar 8 11:03:22 2023 : Debug: cleanup_delay = 5
Wed Mar 8 11:03:22 2023 : Debug: max_requests = 16384
Wed Mar 8 11:03:22 2023 : Debug: pidfile = "/var/run/radiusd/radiusd.pid"
Wed Mar 8 11:03:22 2023 : Debug: checkrad = "/usr/sbin/checkrad"
Wed Mar 8 11:03:22 2023 : Debug: debug_level = 0
Wed Mar 8 11:03:22 2023 : Debug: proxy_requests = yes
Wed Mar 8 11:03:22 2023 : Debug: log {
Wed Mar 8 11:03:22 2023 : Debug: stripped_names = no
Wed Mar 8 11:03:22 2023 : Debug: auth = no
Wed Mar 8 11:03:22 2023 : Debug: auth_badpass = no
Wed Mar 8 11:03:22 2023 : Debug: auth_goodpass = no
Wed Mar 8 11:03:22 2023 : Debug: colourise = yes
Wed Mar 8 11:03:22 2023 : Debug: msg_denied = "You are already logged in - access denied"
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[297]: The item 'destination' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[314]: The item 'file' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[322]: The item 'syslog_facility' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: resources {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: security {
Wed Mar 8 11:03:22 2023 : Debug: max_attributes = 200
Wed Mar 8 11:03:22 2023 : Debug: reject_delay = 1.000000
Wed Mar 8 11:03:22 2023 : Debug: status_server = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[84]: The item 'exec_prefix' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[97]: The item 'confdir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[103]: The item 'db_dir' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/radiusd.conf[169]: The item 'correct_escapes' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: radiusd: #### Loading Realms and Home Servers ####
Wed Mar 8 11:03:22 2023 : Debug: proxy server {
Wed Mar 8 11:03:22 2023 : Debug: retry_delay = 5
Wed Mar 8 11:03:22 2023 : Debug: retry_count = 3
Wed Mar 8 11:03:22 2023 : Debug: default_fallback = no
Wed Mar 8 11:03:22 2023 : Debug: dead_time = 120
Wed Mar 8 11:03:22 2023 : Debug: wake_all_if_all_dead = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: home_server localhost {
Wed Mar 8 11:03:22 2023 : Debug: ipaddr = 127.0.0.1
Wed Mar 8 11:03:22 2023 : Debug: port = 1812
Wed Mar 8 11:03:22 2023 : Debug: type = "auth"
Wed Mar 8 11:03:22 2023 : Debug: secret = "testing123"
Wed Mar 8 11:03:22 2023 : Debug: response_window = 20.000000
Wed Mar 8 11:03:22 2023 : Debug: response_timeouts = 1
Wed Mar 8 11:03:22 2023 : Debug: max_outstanding = 65536
Wed Mar 8 11:03:22 2023 : Debug: zombie_period = 40
Wed Mar 8 11:03:22 2023 : Debug: status_check = "status-server"
Wed Mar 8 11:03:22 2023 : Debug: ping_interval = 30
Wed Mar 8 11:03:22 2023 : Debug: check_interval = 30
Wed Mar 8 11:03:22 2023 : Debug: check_timeout = 4
Wed Mar 8 11:03:22 2023 : Debug: num_answers_to_alive = 3
Wed Mar 8 11:03:22 2023 : Debug: revive_interval = 120
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: max_requests = 0
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 0
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: coa {
Wed Mar 8 11:03:22 2023 : Debug: irt = 2
Wed Mar 8 11:03:22 2023 : Debug: mrt = 16
Wed Mar 8 11:03:22 2023 : Debug: mrc = 5
Wed Mar 8 11:03:22 2023 : Debug: mrd = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: home_server_pool my_auth_failover {
Wed Mar 8 11:03:22 2023 : Debug: type = fail-over
Wed Mar 8 11:03:22 2023 : Debug: home_server = localhost
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: realm example.com {
Wed Mar 8 11:03:22 2023 : Debug: auth_pool = my_auth_failover
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: realm LOCAL {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: radiusd: #### Loading Clients ####
Wed Mar 8 11:03:22 2023 : Debug: client localhost {
Wed Mar 8 11:03:22 2023 : Debug: ipaddr = 127.0.0.1
Wed Mar 8 11:03:22 2023 : Debug: require_message_authenticator = no
Wed Mar 8 11:03:22 2023 : Debug: secret = "testing123"
Wed Mar 8 11:03:22 2023 : Debug: nas_type = "other"
Wed Mar 8 11:03:22 2023 : Debug: proto = "*"
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Adding client 127.0.0.1/32 (127.0.0.1) to prefix tree 32
Wed Mar 8 11:03:22 2023 : Debug: client localhost_ipv6 {
Wed Mar 8 11:03:22 2023 : Debug: ipv6addr = ::1
Wed Mar 8 11:03:22 2023 : Debug: require_message_authenticator = no
Wed Mar 8 11:03:22 2023 : Debug: secret = "testing123"
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Adding client ::1/128 (::1) to prefix tree 128
Wed Mar 8 11:03:22 2023 : Debug: client radclient {
Wed Mar 8 11:03:22 2023 : Debug: ipaddr = 192.168.222.131
Wed Mar 8 11:03:22 2023 : Debug: require_message_authenticator = no
Wed Mar 8 11:03:22 2023 : Debug: secret = "radsecret"
Wed Mar 8 11:03:22 2023 : Debug: limit {
Wed Mar 8 11:03:22 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:22 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Adding client 192.168.222.131/32 (192.168.222.131) to prefix tree 32
Wed Mar 8 11:03:22 2023 : Info: Debugger not attached
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = mschap
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = digest
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = eap
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = PAP
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = CHAP
Wed Mar 8 11:03:22 2023 : Debug: # Creating Auth-Type = MS-CHAP
Wed Mar 8 11:03:22 2023 : Debug: radiusd: #### Instantiating modules ####
Wed Mar 8 11:03:22 2023 : Debug: modules {
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_always, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_always
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "reject" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always reject {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "reject"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "fail" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always fail {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "fail"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ok" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always ok {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "ok"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "handled" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always handled {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "handled"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "invalid" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always invalid {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "invalid"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "userlock" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always userlock {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "userlock"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "notfound" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always notfound {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "notfound"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "noop" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always noop {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "noop"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "updated" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: always updated {
Wed Mar 8 11:03:22 2023 : Debug: rcode = "updated"
Wed Mar 8 11:03:22 2023 : Debug: simulcount = 0
Wed Mar 8 11:03:22 2023 : Debug: mpp = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_attr_filter, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_attr_filter
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.post-proxy {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{Realm}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.pre-proxy {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{Realm}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.access_reject {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/access_reject"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.access_challenge {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: attr_filter attr_filter.accounting_response {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: relaxed = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_cache, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_cache
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
Wed Mar 8 11:03:22 2023 : Debug: cache cache_eap {
Wed Mar 8 11:03:22 2023 : Debug: driver = "rlm_cache_rbtree"
Wed Mar 8 11:03:22 2023 : Debug: key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
Wed Mar 8 11:03:22 2023 : Debug: ttl = 15
Wed Mar 8 11:03:22 2023 : Debug: max_entries = 0
Wed Mar 8 11:03:22 2023 : Debug: epoch = 0
Wed Mar 8 11:03:22 2023 : Debug: add_stats = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_chap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_chap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "chap" from file /etc/raddb/mods-enabled/chap
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_date, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_date
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "date" from file /etc/raddb/mods-enabled/date
Wed Mar 8 11:03:22 2023 : Debug: date {
Wed Mar 8 11:03:22 2023 : Debug: format = "%b %e %Y %H:%M:%S %Z"
Wed Mar 8 11:03:22 2023 : Debug: utc = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
Wed Mar 8 11:03:22 2023 : Debug: date wispr2date {
Wed Mar 8 11:03:22 2023 : Debug: format = "%Y-%m-%dT%H:%M:%S"
Wed Mar 8 11:03:22 2023 : Debug: utc = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_detail, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_detail
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "detail" from file /etc/raddb/mods-enabled/detail
Wed Mar 8 11:03:22 2023 : Debug: detail {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail auth_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail reply_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail pre_proxy_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: detail post_proxy_log {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
Wed Mar 8 11:03:22 2023 : Debug: header = "%t"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: locking = no
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: log_packet_header = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_digest, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_digest
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "digest" from file /etc/raddb/mods-enabled/digest
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_dynamic_clients, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_dynamic_clients
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_eap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_eap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "eap" from file /etc/raddb/mods-enabled/eap
Wed Mar 8 11:03:22 2023 : Debug: eap {
Wed Mar 8 11:03:22 2023 : Debug: default_eap_type = "md5"
Wed Mar 8 11:03:22 2023 : Debug: timer_expire = 60
Wed Mar 8 11:03:22 2023 : Debug: ignore_unknown_eap_types = no
Wed Mar 8 11:03:22 2023 : Debug: cisco_accounting_username_bug = no
Wed Mar 8 11:03:22 2023 : Debug: max_sessions = 16384
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_exec, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_exec
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "echo" from file /etc/raddb/mods-enabled/echo
Wed Mar 8 11:03:22 2023 : Debug: exec echo {
Wed Mar 8 11:03:22 2023 : Debug: wait = yes
Wed Mar 8 11:03:22 2023 : Debug: program = "/bin/echo %{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: input_pairs = "request"
Wed Mar 8 11:03:22 2023 : Debug: output_pairs = "reply"
Wed Mar 8 11:03:22 2023 : Debug: shell_escape = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "exec" from file /etc/raddb/mods-enabled/exec
Wed Mar 8 11:03:22 2023 : Debug: exec {
Wed Mar 8 11:03:22 2023 : Debug: wait = no
Wed Mar 8 11:03:22 2023 : Debug: input_pairs = "request"
Wed Mar 8 11:03:22 2023 : Debug: shell_escape = yes
Wed Mar 8 11:03:22 2023 : Debug: timeout = 10
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_expiration, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_expiration
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_expr, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_expr
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "expr" from file /etc/raddb/mods-enabled/expr
Wed Mar 8 11:03:22 2023 : Debug: expr {
Wed Mar 8 11:03:22 2023 : Debug: safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_files, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_files
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "files" from file /etc/raddb/mods-enabled/files
Wed Mar 8 11:03:22 2023 : Debug: files {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/raddb/mods-config/files/authorize"
Wed Mar 8 11:03:22 2023 : Debug: acctusersfile = "/etc/raddb/mods-config/files/accounting"
Wed Mar 8 11:03:22 2023 : Debug: preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_linelog, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_linelog
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: linelog {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/linelog"
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: syslog_severity = "info"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: format = "This is a log message for %{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: reference = "messages.%{%{reply:Packet-Type}:-default}"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: linelog log_accounting {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/linelog-accounting"
Wed Mar 8 11:03:22 2023 : Debug: escape_filenames = no
Wed Mar 8 11:03:22 2023 : Debug: syslog_severity = "info"
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: format = ""
Wed Mar 8 11:03:22 2023 : Debug: reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_logintime, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_logintime
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
Wed Mar 8 11:03:22 2023 : Debug: logintime {
Wed Mar 8 11:03:22 2023 : Debug: minimum_timeout = 60
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_mschap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_mschap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
Wed Mar 8 11:03:22 2023 : Debug: mschap {
Wed Mar 8 11:03:22 2023 : Debug: use_mppe = yes
Wed Mar 8 11:03:22 2023 : Debug: require_encryption = no
Wed Mar 8 11:03:22 2023 : Debug: require_strong = no
Wed Mar 8 11:03:22 2023 : Debug: with_ntdomain_hack = yes
Wed Mar 8 11:03:22 2023 : Debug: passchange {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: allow_retry = yes
Wed Mar 8 11:03:22 2023 : Debug: winbind_retry_with_normalised_username = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
Wed Mar 8 11:03:22 2023 : Debug: exec ntlm_auth {
Wed Mar 8 11:03:22 2023 : Debug: wait = yes
Wed Mar 8 11:03:22 2023 : Debug: program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
Wed Mar 8 11:03:22 2023 : Debug: shell_escape = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_pap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_pap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "pap" from file /etc/raddb/mods-enabled/pap
Wed Mar 8 11:03:22 2023 : Debug: pap {
Wed Mar 8 11:03:22 2023 : Debug: normalise = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_passwd, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_passwd
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
Wed Mar 8 11:03:22 2023 : Debug: passwd etc_passwd {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/etc/passwd"
Wed Mar 8 11:03:22 2023 : Debug: format = "*User-Name:Crypt-Password:"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = ":"
Wed Mar 8 11:03:22 2023 : Debug: ignore_nislike = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_empty = yes
Wed Mar 8 11:03:22 2023 : Debug: allow_multiple_keys = no
Wed Mar 8 11:03:22 2023 : Debug: hash_size = 100
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_preprocess, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_preprocess
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
Wed Mar 8 11:03:22 2023 : Debug: preprocess {
Wed Mar 8 11:03:22 2023 : Debug: huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
Wed Mar 8 11:03:22 2023 : Debug: hints = "/etc/raddb/mods-config/preprocess/hints"
Wed Mar 8 11:03:22 2023 : Debug: with_ascend_hack = no
Wed Mar 8 11:03:22 2023 : Debug: ascend_channels_per_line = 23
Wed Mar 8 11:03:22 2023 : Debug: with_ntdomain_hack = no
Wed Mar 8 11:03:22 2023 : Debug: with_specialix_jetstream_hack = no
Wed Mar 8 11:03:22 2023 : Debug: with_cisco_vsa_hack = no
Wed Mar 8 11:03:22 2023 : Debug: with_alvarion_vsa_hack = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_radutmp, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_radutmp
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
Wed Mar 8 11:03:22 2023 : Debug: radutmp {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/radutmp"
Wed Mar 8 11:03:22 2023 : Debug: username = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: case_sensitive = yes
Wed Mar 8 11:03:22 2023 : Debug: check_with_nas = yes
Wed Mar 8 11:03:22 2023 : Debug: permissions = 384
Wed Mar 8 11:03:22 2023 : Debug: caller_id = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_realm, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_realm
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm IPASS {
Wed Mar 8 11:03:22 2023 : Debug: format = "prefix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "/"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm suffix {
Wed Mar 8 11:03:22 2023 : Debug: format = "suffix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "@"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm bangpath {
Wed Mar 8 11:03:22 2023 : Debug: format = "prefix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "!"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm realmpercent {
Wed Mar 8 11:03:22 2023 : Debug: format = "suffix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "%"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: realm ntdomain {
Wed Mar 8 11:03:22 2023 : Debug: format = "prefix"
Wed Mar 8 11:03:22 2023 : Debug: delimiter = "\\"
Wed Mar 8 11:03:22 2023 : Debug: ignore_default = no
Wed Mar 8 11:03:22 2023 : Debug: ignore_null = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_replicate, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_replicate
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_soh, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_soh
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "soh" from file /etc/raddb/mods-enabled/soh
Wed Mar 8 11:03:22 2023 : Debug: soh {
Wed Mar 8 11:03:22 2023 : Debug: dhcp = yes
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
Wed Mar 8 11:03:22 2023 : Debug: radutmp sradutmp {
Wed Mar 8 11:03:22 2023 : Debug: filename = "/var/log/radius/sradutmp"
Wed Mar 8 11:03:22 2023 : Debug: username = "%{User-Name}"
Wed Mar 8 11:03:22 2023 : Debug: case_sensitive = yes
Wed Mar 8 11:03:22 2023 : Debug: check_with_nas = yes
Wed Mar 8 11:03:22 2023 : Debug: permissions = 420
Wed Mar 8 11:03:22 2023 : Debug: caller_id = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_unix, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_unix
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "unix" from file /etc/raddb/mods-enabled/unix
Wed Mar 8 11:03:22 2023 : Debug: unix {
Wed Mar 8 11:03:22 2023 : Debug: radwtmp = "/var/log/radius/radwtmp"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Creating attribute Unix-Group
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_unpack, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_unpack
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_utf8, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_utf8
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
Wed Mar 8 11:03:22 2023 : Debug: Loaded rlm_ldap, checking if it's valid
Wed Mar 8 11:03:22 2023 : Debug: # Loaded module rlm_ldap
Wed Mar 8 11:03:22 2023 : Debug: # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
Wed Mar 8 11:03:22 2023 : Debug: ldap {
Wed Mar 8 11:03:22 2023 : Debug: server = "ldapsrv1.lab.fr"
Wed Mar 8 11:03:22 2023 : Debug: identity = "cn=manager,o=lab"
Wed Mar 8 11:03:22 2023 : Debug: password = "manager"
Wed Mar 8 11:03:22 2023 : Debug: sasl {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: user_dn = "LDAP-UserDn"
Wed Mar 8 11:03:22 2023 : Debug: user {
Wed Mar 8 11:03:22 2023 : Debug: scope = "sub"
Wed Mar 8 11:03:22 2023 : Debug: access_positive = yes
Wed Mar 8 11:03:22 2023 : Debug: sasl {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: group {
Wed Mar 8 11:03:22 2023 : Debug: filter = "(objectClass=posixGroup)"
Wed Mar 8 11:03:22 2023 : Debug: scope = "sub"
Wed Mar 8 11:03:22 2023 : Debug: name_attribute = "cn"
Wed Mar 8 11:03:22 2023 : Debug: membership_attribute = "memberOf"
Wed Mar 8 11:03:22 2023 : Debug: cacheable_name = no
Wed Mar 8 11:03:22 2023 : Debug: cacheable_dn = no
Wed Mar 8 11:03:22 2023 : Debug: allow_dangling_group_ref = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: client {
Wed Mar 8 11:03:22 2023 : Debug: filter = "(objectClass=radiusClient)"
Wed Mar 8 11:03:22 2023 : Debug: scope = "sub"
Wed Mar 8 11:03:22 2023 : Debug: base_dn = "o=lab"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: profile {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: options {
Wed Mar 8 11:03:22 2023 : Debug: ldap_debug = 40
Wed Mar 8 11:03:22 2023 : Debug: chase_referrals = yes
Wed Mar 8 11:03:22 2023 : Debug: rebind = yes
Wed Mar 8 11:03:22 2023 : Debug: net_timeout = 1
Wed Mar 8 11:03:22 2023 : Debug: res_timeout = 10
Wed Mar 8 11:03:22 2023 : Debug: srv_timelimit = 3
Wed Mar 8 11:03:22 2023 : Debug: idle = 60
Wed Mar 8 11:03:22 2023 : Debug: probes = 3
Wed Mar 8 11:03:22 2023 : Debug: interval = 3
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls {
Wed Mar 8 11:03:22 2023 : Debug: ca_path = "/etc/ssl/certs"
Wed Mar 8 11:03:22 2023 : Debug: certificate_file = "/etc/raddb/certs/radsrv1.crt"
Wed Mar 8 11:03:22 2023 : Debug: private_key_file = "/etc/raddb/certs/radsrv1.key"
Wed Mar 8 11:03:22 2023 : Debug: start_tls = yes
Wed Mar 8 11:03:22 2023 : Debug: require_cert = "demand"
Wed Mar 8 11:03:22 2023 : Warning: /etc/raddb/mods-enabled/ldap[564]: The item 'check_crl' is defined, but is unused by the configuration
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: Creating attribute LDAP-Group
Wed Mar 8 11:03:22 2023 : Debug: instantiate {
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
Wed Mar 8 11:03:22 2023 : Debug: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_md5
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_leap
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_gtc
Wed Mar 8 11:03:22 2023 : Debug: gtc {
Wed Mar 8 11:03:22 2023 : Debug: challenge = "Password: "
Wed Mar 8 11:03:22 2023 : Debug: auth_type = "PAP"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_tls
Wed Mar 8 11:03:22 2023 : Debug: tls {
Wed Mar 8 11:03:22 2023 : Debug: tls = "tls-common"
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls-config tls-common {
Wed Mar 8 11:03:22 2023 : Debug: verify_depth = 0
Wed Mar 8 11:03:22 2023 : Debug: ca_path = "/etc/raddb/certs"
Wed Mar 8 11:03:22 2023 : Debug: pem_file_type = yes
Wed Mar 8 11:03:22 2023 : Debug: private_key_file = "/etc/raddb/certs/server.pem"
Wed Mar 8 11:03:22 2023 : Debug: certificate_file = "/etc/raddb/certs/server.pem"
Wed Mar 8 11:03:22 2023 : Debug: ca_file = "/etc/raddb/certs/ca.pem"
Wed Mar 8 11:03:22 2023 : Debug: private_key_password = "whatever"
Wed Mar 8 11:03:22 2023 : Debug: dh_file = "/etc/raddb/certs/dh"
Wed Mar 8 11:03:22 2023 : Debug: fragment_size = 1024
Wed Mar 8 11:03:22 2023 : Debug: include_length = yes
Wed Mar 8 11:03:22 2023 : Debug: auto_chain = yes
Wed Mar 8 11:03:22 2023 : Debug: check_crl = no
Wed Mar 8 11:03:22 2023 : Debug: check_all_crl = no
Wed Mar 8 11:03:22 2023 : Debug: cipher_list = "PROFILE=SYSTEM"
Wed Mar 8 11:03:22 2023 : Debug: cipher_server_preference = no
Wed Mar 8 11:03:22 2023 : Debug: ecdh_curve = "prime256v1"
Wed Mar 8 11:03:22 2023 : Debug: disable_tlsv1 = yes
Wed Mar 8 11:03:22 2023 : Debug: disable_tlsv1_1 = yes
Wed Mar 8 11:03:22 2023 : Debug: tls_max_version = "1.2"
Wed Mar 8 11:03:22 2023 : Debug: tls_min_version = "1.2"
Wed Mar 8 11:03:22 2023 : Debug: cache {
Wed Mar 8 11:03:22 2023 : Debug: enable = no
Wed Mar 8 11:03:22 2023 : Debug: lifetime = 24
Wed Mar 8 11:03:22 2023 : Debug: max_entries = 255
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: verify {
Wed Mar 8 11:03:22 2023 : Debug: skip_if_ocsp_ok = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: ocsp {
Wed Mar 8 11:03:22 2023 : Debug: enable = no
Wed Mar 8 11:03:22 2023 : Debug: override_cert_url = yes
Wed Mar 8 11:03:22 2023 : Debug: url = "http://127.0.0.1/ocsp/"
Wed Mar 8 11:03:22 2023 : Debug: use_nonce = yes
Wed Mar 8 11:03:22 2023 : Debug: timeout = 0
Wed Mar 8 11:03:22 2023 : Debug: softfail = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Warning: Please use tls_min_version and tls_max_version instead of disable_tlsv1
Wed Mar 8 11:03:22 2023 : Warning: Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_ttls
Wed Mar 8 11:03:22 2023 : Debug: ttls {
Wed Mar 8 11:03:22 2023 : Debug: tls = "tls-common"
Wed Mar 8 11:03:22 2023 : Debug: default_eap_type = "md5"
Wed Mar 8 11:03:22 2023 : Debug: copy_request_to_tunnel = no
Wed Mar 8 11:03:22 2023 : Debug: use_tunneled_reply = no
Wed Mar 8 11:03:22 2023 : Debug: virtual_server = "inner-tunnel"
Wed Mar 8 11:03:22 2023 : Debug: include_length = yes
Wed Mar 8 11:03:22 2023 : Debug: require_client_cert = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls: Using cached TLS configuration from previous invocation
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_peap
Wed Mar 8 11:03:22 2023 : Debug: peap {
Wed Mar 8 11:03:22 2023 : Debug: tls = "tls-common"
Wed Mar 8 11:03:22 2023 : Debug: default_eap_type = "mschapv2"
Wed Mar 8 11:03:22 2023 : Debug: copy_request_to_tunnel = no
Wed Mar 8 11:03:22 2023 : Debug: use_tunneled_reply = no
Wed Mar 8 11:03:22 2023 : Debug: proxy_tunneled_request_as_eap = yes
Wed Mar 8 11:03:22 2023 : Debug: virtual_server = "inner-tunnel"
Wed Mar 8 11:03:22 2023 : Debug: soh = no
Wed Mar 8 11:03:22 2023 : Debug: require_client_cert = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: tls: Using cached TLS configuration from previous invocation
Wed Mar 8 11:03:22 2023 : Debug: # Linked to sub-module rlm_eap_mschapv2
Wed Mar 8 11:03:22 2023 : Debug: mschapv2 {
Wed Mar 8 11:03:22 2023 : Debug: with_ntdomain_hack = no
Wed Mar 8 11:03:22 2023 : Debug: send_error = no
Wed Mar 8 11:03:22 2023 : Debug: }
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "files" from file /etc/raddb/mods-enabled/files
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/files/authorize
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/files/accounting
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/files/pre-proxy
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
Wed Mar 8 11:03:22 2023 : Debug: rlm_mschap (mschap): using internal authentication
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
Wed Mar 8 11:03:22 2023 : Debug: rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
Wed Mar 8 11:03:22 2023 : Debug: reading pairlist file /etc/raddb/mods-config/preprocess/hints
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
Wed Mar 8 11:03:22 2023 : Debug: # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20446
Wed Mar 8 11:03:42 2023 : Debug: accounting {
Wed Mar 8 11:03:42 2023 : Debug: reference = "%{tolower:type.%{Acct-Status-Type}}"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: post-auth {
Wed Mar 8 11:03:42 2023 : Debug: reference = "."
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Initialising connection pool
Wed Mar 8 11:03:42 2023 : Debug: pool {
Wed Mar 8 11:03:42 2023 : Debug: start = 5
Wed Mar 8 11:03:42 2023 : Debug: min = 3
Wed Mar 8 11:03:42 2023 : Debug: max = 32
Wed Mar 8 11:03:42 2023 : Debug: spare = 10
Wed Mar 8 11:03:42 2023 : Debug: uses = 0
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: cleanup_interval = 30
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 60
Wed Mar 8 11:03:42 2023 : Debug: retry_delay = 30
Wed Mar 8 11:03:42 2023 : Debug: spread = no
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f13631fd30
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f136364840
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f13644b720
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f136531400
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Connecting to ldap://ldapsrv1.lab.fr:389
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x55f1366178a0
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Mar 8 11:03:42 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Mar 8 11:03:42 2023 : Debug: } # modules
Wed Mar 8 11:03:42 2023 : Debug: radiusd: #### Loading Virtual Servers ####
Wed Mar 8 11:03:42 2023 : Debug: server { # from file /etc/raddb/radiusd.conf
Wed Mar 8 11:03:42 2023 : Debug: } # server
Wed Mar 8 11:03:42 2023 : Debug: server default { # from file /etc/raddb/sites-enabled/default
Wed Mar 8 11:03:42 2023 : Debug: # Loading authenticate {...}
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: digest
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading authorize {...}
Wed Mar 8 11:03:42 2023 : Debug: policy filter_username {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name) {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ / /) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains whitespace'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@[^@]*@/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Multiple @ in User-Name'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@/ && !&User-Name =~ /(a)(.+)\.(.+)$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm ends with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /(a)\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm begins with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: preprocess
Wed Mar 8 11:03:42 2023 : Debug: chap
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: digest
Wed Mar 8 11:03:42 2023 : Debug: suffix
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: files
Wed Mar 8 11:03:42 2023 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Wed Mar 8 11:03:42 2023 : Debug: ldap
Wed Mar 8 11:03:42 2023 : Debug: expiration
Wed Mar 8 11:03:42 2023 : Debug: logintime
Wed Mar 8 11:03:42 2023 : Debug: pap
Wed Mar 8 11:03:42 2023 : Debug: # Loading preacct {...}
Wed Mar 8 11:03:42 2023 : Debug: preprocess
Wed Mar 8 11:03:42 2023 : Debug: policy acct_unique {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Tmp-String-9 := "ai:"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if ("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/ && "%{string:&Class}" =~ /^ai:([0-9a-f]{32})/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: else {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: suffix
Wed Mar 8 11:03:42 2023 : Debug: files
Wed Mar 8 11:03:42 2023 : Debug: # Loading accounting {...}
Wed Mar 8 11:03:42 2023 : Debug: detail
Wed Mar 8 11:03:42 2023 : Debug: unix
Wed Mar 8 11:03:42 2023 : Debug: exec
Wed Mar 8 11:03:42 2023 : Debug: attr_filter.accounting_response
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-proxy {...}
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-auth {...}
Wed Mar 8 11:03:42 2023 : Debug: if (&session-state:User-Name && &reply:User-Name && &User-Name && &reply:User-Name == &User-Name) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &reply:User-Name !* ANY
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &reply:[*] += &session-state:[*]
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: exec
Wed Mar 8 11:03:42 2023 : Debug: policy remove_reply_message_if_eap {
Wed Mar 8 11:03:42 2023 : Debug: if (&reply:EAP-Message && &reply:Reply-Message) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &reply:Reply-Message !* ANY
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: else {
Wed Mar 8 11:03:42 2023 : Debug: noop
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: } # server default
Wed Mar 8 11:03:42 2023 : Debug: server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
Wed Mar 8 11:03:42 2023 : Debug: # Loading authenticate {...}
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading authorize {...}
Wed Mar 8 11:03:42 2023 : Debug: policy filter_username {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name) {
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ / /) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains whitespace'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@[^@]*@/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Multiple @ in User-Name'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /@/ && !&User-Name =~ /(a)(.+)\.(.+)$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /\.$/) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm ends with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: if (&User-Name =~ /(a)\./) {
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &Module-Failure-Message += 'Rejected: Realm begins with a dot'
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: reject
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: chap
Wed Mar 8 11:03:42 2023 : Debug: mschap
Wed Mar 8 11:03:42 2023 : Debug: suffix
Wed Mar 8 11:03:42 2023 : Debug: update {
Wed Mar 8 11:03:42 2023 : Debug: &control:Proxy-To-Realm := LOCAL
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: files
Wed Mar 8 11:03:42 2023 : Debug: ldap
Wed Mar 8 11:03:42 2023 : Debug: expiration
Wed Mar 8 11:03:42 2023 : Debug: logintime
Wed Mar 8 11:03:42 2023 : Debug: pap
Wed Mar 8 11:03:42 2023 : Debug: # Loading session {...}
Wed Mar 8 11:03:42 2023 : Debug: radutmp
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-proxy {...}
Wed Mar 8 11:03:42 2023 : Debug: eap
Wed Mar 8 11:03:42 2023 : Debug: # Loading post-auth {...}
Wed Mar 8 11:03:42 2023 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336
Wed Mar 8 11:03:42 2023 : Debug: if (false) {
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: } # server inner-tunnel
Wed Mar 8 11:03:42 2023 : Debug: radiusd: #### Opening IP addresses and Ports ####
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "auth"
Wed Mar 8 11:03:42 2023 : Debug: ipaddr = *
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "acct"
Wed Mar 8 11:03:42 2023 : Debug: ipaddr = *
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "auth"
Wed Mar 8 11:03:42 2023 : Debug: ipv6addr = ::
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "acct"
Wed Mar 8 11:03:42 2023 : Debug: ipv6addr = ::
Wed Mar 8 11:03:42 2023 : Debug: port = 0
Wed Mar 8 11:03:42 2023 : Debug: limit {
Wed Mar 8 11:03:42 2023 : Debug: max_connections = 16
Wed Mar 8 11:03:42 2023 : Debug: lifetime = 0
Wed Mar 8 11:03:42 2023 : Debug: idle_timeout = 30
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: listen {
Wed Mar 8 11:03:42 2023 : Debug: type = "auth"
Wed Mar 8 11:03:42 2023 : Debug: ipaddr = 127.0.0.1
Wed Mar 8 11:03:42 2023 : Debug: port = 18120
Wed Mar 8 11:03:42 2023 : Debug: }
Wed Mar 8 11:03:42 2023 : Debug: Listening on auth address * port 1812 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on acct address * port 1813 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on auth address :: port 1812 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on acct address :: port 1813 bound to server default
Wed Mar 8 11:03:42 2023 : Debug: Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Wed Mar 8 11:03:42 2023 : Debug: Opened new proxy socket 'proxy address * port 33378'
Wed Mar 8 11:03:42 2023 : Debug: Listening on proxy address * port 33378
Wed Mar 8 11:03:42 2023 : Debug: Opened new proxy socket 'proxy address :: port 33848'
Wed Mar 8 11:03:42 2023 : Debug: Listening on proxy address :: port 33848
Wed Mar 8 11:03:42 2023 : Info: Ready to process requests
I know checking the revocation status of EAP client's certificate is well supported (in mods-available/eap) but I was wondering whether checking the revocation status of "backend" servers' certificates was as well and if so what I did wrong.
Have a good day,
Benjamin
2
2
Re: Freeradius-Users Digest, Vol 214, Issue 31 Re: pam_radius with only otp (Jorge Pereira)
by Joe Jones 05 Mar '23
by Joe Jones 05 Mar '23
05 Mar '23
On Tue, Feb 28, 2023, 3:45 AM <freeradius-users-request(a)lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users(a)lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request(a)lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner(a)lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: pam_radius with only otp (Jorge Pereira)
> 2. Re: How to check the Extended Key Usage in freeradius?
> (Alan DeKok)
> 3. EAP-TLS default config (clement.legoffic(a)kelio.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 27 Feb 2023 14:36:08 -0300
> From: Jorge Pereira <jpereira(a)freeradius.org>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: pam_radius with only otp
> Message-ID: <216B4E15-D452-448B-B9A5-163889996A25(a)freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
> The pam_radius just forward to the FreeRADIUS. In that case, you should do
> that trick there.
>
Thank you for the reply. I do not understand what is mean, can you please
elaborate?
I am using a 3rd party radius server. O ce again, the password + otp works
fine but username + otp does not.
Thanks
>
> > On 23 Feb 2023, at 19:31, Joe Jones <09cicada(a)gmail.com> wrote:
> >
> > Hi all,
> >
> > Is it possible to use the pam_radius .so module with only a otp? It works
> > fine with a password+otp but I cannot get it working with only otp.
> >
> > Thanks
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> Jorge Pereira
> jpereira(a)networkradius.com
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 27 Feb 2023 13:34:02 -0500
> From: Alan DeKok <aland(a)deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users(a)lists.freeradius.org>
> Subject: Re: How to check the Extended Key Usage in freeradius?
> Message-ID: <9ED0EA34-872E-4445-88E0-BC3A4AE4F241(a)deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer(a)cpa.de> wrote:
> > It seems that this doesn't work for me.
>
> Read the debug log. If there's an extended key usage OID, it will show
> up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
>
> If there's no extended key usage OID, them it won't show up.
>
> > In the session-state is only TLS-Session-Information,
> TLS-Session-Cipher-Suite, TLS-Session-Version.
> > But it seems I can work directly with TLS-Client-Cert-Issuer and
> TLS-Client-Cert-Subject-Alt-Name-Dns, but not with
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
>
> Does it exist?
>
> Does it show up in the debug log?
>
> The debug log shows every TLS related attribute it creates.
>
> > Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
> > - in the session-state
>
> Does it exist?
>
> > (see below ' (11) policy debug_session_state {')
> > Or
> > - like TLS-Client-Cert-Issuer to use it directly
>
> Does TLS-Client-Cert-Issuer exist?
>
> > ...
> > freeradius | (10) eap_tls: (TLS) Creating attributes from server
> certificate
> > freeradius | (10) eap_tls: TLS-Cert-Serial :=
> "1400000002219c173715ec84d9000000000002"
> > freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z"
> > freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z"
> > freeradius | (10) eap_tls: TLS-Cert-Subject :=
> "/DC=org/DC=example/CN=XY Sub CA"
> > freeradius | (10) eap_tls: TLS-Cert-Issuer :=
> "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA"
> > freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA"
> > freeradius | (10) eap_tls: (TLS) Creating attributes from client
> certificate
> > freeradius | (10) eap_tls: TLS-Client-Cert-Serial :=
> "16000028666eef874492e150cd000000002866"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Expiration :=
> "240209105026Z"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since :=
> "230209105026Z"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Issuer :=
> "/DC=org/DC=example/CN=XY Sub CA"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "
> host1.XY.example.org"
> > freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage
> += "TLS Web Client Authentication,
> 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
> "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
> "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
> "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
>
> OK, that's good. For the initial creation, those attributes are in the
> request. For subsequent packets, they should be in the session-state list.
>
> > ...
> > freeradius | (11) Restoring &session-state
> > freeradius | (11) &session-state:Framed-MTU = 1014
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.3 Handshake, ClientHello"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerHello"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, Certificate"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerKeyExchange"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, CertificateRequest"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerHelloDone"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, Certificate"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, ClientKeyExchange"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, CertificateVerify"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, Finished"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 ChangeCipherSpec"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, Finished"
> > freeradius | (11) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> > freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
>
> Hmm... you can always copy the attributes to the session-state list,
> where they will automatically be stored and restored.
>
> I'll have to check what's going on behind the scenes. It's been a while
> since I used v3 like this.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 28 Feb 2023 10:44:38 +0000
> From: "clement.legoffic(a)kelio.com" <clement.legoffic(a)kelio.com>
> To: "freeradius-users(a)lists.freeradius.org"
> <freeradius-users(a)lists.freeradius.org>
> Subject: EAP-TLS default config
> Message-ID: <0c68af239c1c4ccea93f58f34928defd(a)kelio.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> I started to learn network authentication and I want to setup a litle poc
> with Freeradius and EAP-TLS.
> I have previously tested my working configuration with the bob user as in
> the freeradius docker example.
>
> I use freeradius docker image
> https://hub.docker.com/r/freeradius/freeradius-server/ in a container.
> The configs files have been extracted to be configured in my host system
> and mounted at container's start.
>
> I have follow this tutorial for the radiusd.conf file :
> https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-S…
>
> As I use the container's default keys, the user file is just a line :
>
> user(a)example.org Auth-Type := EAP, EAP-Type := EAP-TLS
>
> On my android phone, I connect to a dlink wifi access point (DWL-2100AP)
> configured for 802.1X.
> The ca.pem has been installed on my phone in order to use it for EAP-TLS
> when I select it.
> The username I use on the phone side is "user(a)example.org", the domain is
> "example.org".
>
> When I click on connect on my phone, I get an access reject as shown in
> the debug output below.
> I wanted to know if I am doing wrong somewhere and possibly where ?
>
> (Freeradius Version 3.2.0)
>
> (0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812
> length 212
> (0) Message-Authenticator = 0x46c9071611e746712984ef9165b516eb
> (0) Service-Type = Framed-User
> (0) User-Name = "user(a)example.org"
> (0) Framed-MTU = 1488
> (0) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (0) Calling-Station-Id = "22-85-59-7C-27-7A"
> (0) NAS-Identifier = "D-Link Access Point"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Connect-Info = "CONNECT 54Mbps 802.11g"
> (0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (0) NAS-IP-Address = 10.17.30.60
> (0) NAS-Port = 1
> (0) NAS-Port-Id = "STA port # 1"
> (0) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (0) suffix: No such realm "example.org"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_tls to process data
> (0) eap_tls: (TLS) Initiating new session
> (0) eap_tls: (TLS) Setting verify mode to require certificate from client
> (0) eap: Sending EAP Request (code 1) ID 1 length 6
> (0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) Challenge { ... } # empty sub-section is ignored
> (0) session-state: Saving cached attributes
> (0) Framed-MTU = 994
> (0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061
> length 64
> (0) EAP-Message = 0x010100060d20
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xbced3a8cbcec37005a032dcfba50bf3a
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812
> length 215
> (1) Message-Authenticator = 0x2660937420c3367bd057db626b743cc5
> (1) Service-Type = Framed-User
> (1) User-Name = "user(a)example.org"
> (1) Framed-MTU = 1488
> (1) State = 0xbced3a8cbcec37005a032dcfba50bf3a
> (1) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (1) Calling-Station-Id = "22-85-59-7C-27-7A"
> (1) NAS-Identifier = "D-Link Access Point"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Connect-Info = "CONNECT 54Mbps 802.11g"
> (1) EAP-Message = 0x020100060300
> (1) NAS-IP-Address = 10.17.30.60
> (1) NAS-Port = 1
> (1) NAS-Port-Id = "STA port # 1"
> (1) Restoring &session-state
> (1) &session-state:Framed-MTU = 994
> (1) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (1) suffix: No such realm "example.org"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) files: users: Matched entry user(a)example.org at line 2
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xbced3a8cbcec3700
> (1) eap: Finished EAP session with state 0xbced3a8cbcec3700
> (1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released
> from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Peer NAK'd indicating it is not willing to continue
> (1) eap: Sending EAP Failure (code 4) ID 1 length 4
> (1) eap: Failed in EAP select
> (1) [eap] = invalid
> (1) } # authenticate = invalid
> (1) Failed to authenticate the user
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> user(a)example.org
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) [eap] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061
> length 44
> (1) EAP-Message = 0x04010004
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> (2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812
> length 212
> (2) Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04
> (2) Service-Type = Framed-User
> (2) User-Name = "user(a)example.org"
> (2) Framed-MTU = 1488
> (2) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (2) Calling-Station-Id = "22-85-59-7C-27-7A"
> (2) NAS-Identifier = "D-Link Access Point"
> (2) NAS-Port-Type = Wireless-802.11
> (2) Connect-Info = "CONNECT 54Mbps 802.11g"
> (2) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (2) NAS-IP-Address = 10.17.30.60
> (2) NAS-Port = 1
> (2) NAS-Port-Id = "STA port # 1"
> (2) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (2) suffix: No such realm "example.org"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) authenticate {
> (2) eap: Peer sent packet with method EAP Identity (1)
> (2) eap: Calling submodule eap_tls to process data
> (2) eap_tls: (TLS) Initiating new session
> (2) eap_tls: (TLS) Setting verify mode to require certificate from client
> (2) eap: Sending EAP Request (code 1) ID 1 length 6
> (2) eap: EAP session adding &reply:State = 0x61a7200961a62df0
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) Challenge { ... } # empty sub-section is ignored
> (2) session-state: Saving cached attributes
> (2) Framed-MTU = 994
> (2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063
> length 64
> (2) EAP-Message = 0x010100060d20
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x61a7200961a62df0743c98b3a07aed8f
> (2) Finished request
> Waking up in 1.9 seconds.
> (3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812
> length 215
> (3) Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94
> (3) Service-Type = Framed-User
> (3) User-Name = "user(a)example.org"
> (3) Framed-MTU = 1488
> (3) State = 0x61a7200961a62df0743c98b3a07aed8f
> (3) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (3) Calling-Station-Id = "22-85-59-7C-27-7A"
> (3) NAS-Identifier = "D-Link Access Point"
> (3) NAS-Port-Type = Wireless-802.11
> (3) Connect-Info = "CONNECT 54Mbps 802.11g"
> (3) EAP-Message = 0x020100060300
> (3) NAS-IP-Address = 10.17.30.60
> (3) NAS-Port = 1
> (3) NAS-Port-Id = "STA port # 1"
> (3) Restoring &session-state
> (3) &session-state:Framed-MTU = 994
> (3) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (3) suffix: No such realm "example.org"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (3) eap: No EAP Start, assuming it's an on-going EAP conversation
> (3) [eap] = updated
> (3) files: users: Matched entry user(a)example.org at line 2
> (3) [files] = ok
> (3) [expiration] = noop
> (3) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (3) [pap] = noop
> (3) } # authorize = updated
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x61a7200961a62df0
> (3) eap: Finished EAP session with state 0x61a7200961a62df0
> (3) eap: Previous EAP request found for state 0x61a7200961a62df0, released
> from the list
> (3) eap: Peer sent packet with method EAP NAK (3)
> (3) eap: Peer NAK'd indicating it is not willing to continue
> (3) eap: Sending EAP Failure (code 4) ID 1 length 4
> (3) eap: Failed in EAP select
> (3) [eap] = invalid
> (3) } # authenticate = invalid
> (3) Failed to authenticate the user
> (3) Using Post-Auth-Type Reject
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) Post-Auth-Type REJECT {
> (3) attr_filter.access_reject: EXPAND %{User-Name}
> (3) attr_filter.access_reject: --> user(a)example.org
> (3) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (3) [attr_filter.access_reject] = updated
> (3) [eap] = noop
> (3) policy remove_reply_message_if_eap {
> (3) if (&reply:EAP-Message && &reply:Reply-Message) {
> (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (3) else {
> (3) [noop] = noop
> (3) } # else = noop
> (3) } # policy remove_reply_message_if_eap = noop
> (3) } # Post-Auth-Type REJECT = updated
> (3) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (3) Sending delayed response
> (3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063
> length 44
> (3) EAP-Message = 0x04010004
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.8 seconds.
> (0) Cleaning up request packet ID 0 with timestamp +74 due to
> cleanup_delay was reached
> (1) Cleaning up request packet ID 1 with timestamp +74 due to
> cleanup_delay was reached
> Waking up in 3.0 seconds.
> (4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812
> length 212
> (4) Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100
> (4) Service-Type = Framed-User
> (4) User-Name = "user(a)example.org"
> (4) Framed-MTU = 1488
> (4) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (4) Calling-Station-Id = "22-85-59-7C-27-7A"
> (4) NAS-Identifier = "D-Link Access Point"
> (4) NAS-Port-Type = Wireless-802.11
> (4) Connect-Info = "CONNECT 54Mbps 802.11g"
> (4) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (4) NAS-IP-Address = 10.17.30.60
> (4) NAS-Port = 1
> (4) NAS-Port-Id = "STA port # 1"
> (4) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (4) suffix: No such realm "example.org"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) authenticate {
> (4) eap: Peer sent packet with method EAP Identity (1)
> (4) eap: Calling submodule eap_tls to process data
> (4) eap_tls: (TLS) Initiating new session
> (4) eap_tls: (TLS) Setting verify mode to require certificate from client
> (4) eap: Sending EAP Request (code 1) ID 1 length 6
> (4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) Challenge { ... } # empty sub-section is ignored
> (4) session-state: Saving cached attributes
> (4) Framed-MTU = 994
> (4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065
> length 64
> (4) EAP-Message = 0x010100060d20
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x10b8d47310b9d97a65ed29a95486330e
> (4) Finished request
> Waking up in 1.8 seconds.
> (5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812
> length 215
> (5) Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61
> (5) Service-Type = Framed-User
> (5) User-Name = "user(a)example.org"
> (5) Framed-MTU = 1488
> (5) State = 0x10b8d47310b9d97a65ed29a95486330e
> (5) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (5) Calling-Station-Id = "22-85-59-7C-27-7A"
> (5) NAS-Identifier = "D-Link Access Point"
> (5) NAS-Port-Type = Wireless-802.11
> (5) Connect-Info = "CONNECT 54Mbps 802.11g"
> (5) EAP-Message = 0x020100060300
> (5) NAS-IP-Address = 10.17.30.60
> (5) NAS-Port = 1
> (5) NAS-Port-Id = "STA port # 1"
> (5) Restoring &session-state
> (5) &session-state:Framed-MTU = 994
> (5) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: Looking up realm "example.org" for User-Name = "
> user(a)example.org"
> (5) suffix: No such realm "example.org"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (5) eap: No EAP Start, assuming it's an on-going EAP conversation
> (5) [eap] = updated
> (5) files: users: Matched entry user(a)example.org at line 2
> (5) [files] = ok
> (5) [expiration] = noop
> (5) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (5) [pap] = noop
> (5) } # authorize = updated
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x10b8d47310b9d97a
> (5) eap: Finished EAP session with state 0x10b8d47310b9d97a
> (5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released
> from the list
> (5) eap: Peer sent packet with method EAP NAK (3)
> (5) eap: Peer NAK'd indicating it is not willing to continue
> (5) eap: Sending EAP Failure (code 4) ID 1 length 4
> (5) eap: Failed in EAP select
> (5) [eap] = invalid
> (5) } # authenticate = invalid
> (5) Failed to authenticate the user
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) Post-Auth-Type REJECT {
> (5) attr_filter.access_reject: EXPAND %{User-Name}
> (5) attr_filter.access_reject: --> user(a)example.org
> (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (5) [attr_filter.access_reject] = updated
> (5) [eap] = noop
> (5) policy remove_reply_message_if_eap {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (5) else {
> (5) [noop] = noop
> (5) } # else = noop
> (5) } # policy remove_reply_message_if_eap = noop
> (5) } # Post-Auth-Type REJECT = updated
> (5) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (5) Sending delayed response
> (5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065
> length 44
> (5) EAP-Message = 0x04010004
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.8 seconds.
> (2) Cleaning up request packet ID 0 with timestamp +77 due to
> cleanup_delay was reached
> (3) Cleaning up request packet ID 1 with timestamp +77 due to
> cleanup_delay was reached
> Waking up in 3.1 seconds.
> (4) Cleaning up request packet ID 0 with timestamp +80 due to
> cleanup_delay was reached
> (5) Cleaning up request packet ID 1 with timestamp +80 due to
> cleanup_delay was reached
> Ready to process requests
>
> Thanks,
>
> Cl?ment
>
>
>
>
>
>
> Ce message et toutes les pieces jointes (ci-apres le "message") sont
> etablis a l'intention exclusive de ses destinataires.
> Si vous recevez ce message par erreur, merci de le detruire et d'en
> avertir immediatement l'expediteur par e-mail.
> Toute utilisation de ce message non conforme a sa destination, toute
> diffusion ou toute publication, totale ou partielle, est interdite, sauf
> autorisation expresse. Les communications sur Internet n'etant pas
> securisees, l'expediteur informe qu'il ne peut accepter aucune
> responsabilite quant au contenu de ce message.
> This mail message and attachments (the "message") are solely intended for
> the addresses. It is confidential in nature.
> If you receive this message in error, please delete it and immediately
> notify the sender by e-mail.
> Any use other than its intended purpose, dissemination or disclosure,
> either whole or partial, is prohibited except if formal approval is
> granted. As communication on the Internet is not secure, the sender does
> not accept responsibility for the content of this message.
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 214, Issue 31
> *************************************************
>
2
1
Greetings!
I am trying to understand the conception of coa server. What
functionality does it brings ? Is it a some kind of proxy ?
For example, I have a NAS server with configured coa port. I can send a
disconnect request directly into it. If I configure a coa server on a
freeradius server, will I be able to send a disconnect request to the
freeradius instead and that is all?
Thanks in advance for your answers!
--
Best regards,
Yuriy Ivkin
3
6