Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2024
- 22 participants
- 27 discussions
05 Sep '24
I need to allow our network engineers to see the logs without giving them sudo access to the entire server.
I can tinker a bit in /etc/logrotate.d/radius, but that will not guarantee the directory permissions under /var/log/radius/radacct ?
A side question:
There was a comment in /etc/logrotate.d/radius about setting "detailfile" in radius.conf, but then /etc/raddb/README.rst says it was deprecated. Is there any way to change the name of the files and directories under /var/log/radius/radacct ?
2
1
Apologies in advance if this is irregular but was hoping we could get
an old defect on github reopened:
https://github.com/FreeRADIUS/freeradius-server/issues/4327
I've added more information and finally had the cycles to verify the
issue. I know this is issue necromancy since years have passed, but
I'd like to help get this fixed.
2
1
Hi,
I've been tasked with implementing FreeRADIUS for wired and wireless
authentication using EAP-TLS.
I found it reasonably straight-forward to set up a working
proof-of-concept but would like to check one thing before getting it
production ready.
When viewing the debug output, the following message displays as a
warning in yellow but does not seem to negatively affect the end user
connection flow:
> Certificate chain - 1 intermediate CA cert(s) untrusted
> To forbid these certificates see 'reject_unknown_intermediate_ca'
> (TLS) untrusted certificate with depth [0] subject name /CN=testdevice(a)domain.org
I wonder if this might be similar to the EAP-TLS issue that Rolf
posted earlier this month
(https://lists.freeradius.org/pipermail/freeradius-users/2024-August/104643.…)
but the main difference I can see is that I have no intermediate CA in
play.
User certs are issued directly from a Test CA root (SCEPman). The
server cert is from a public CA. I also encountered the same issue
when using the bootstrap certs.
OS: RHEL 9.4
FreeRADIUS versions tested: 3.2.6-1.el9 (NetworkRADIUS repo) & the
3.0.x RHEL version.
Hosting Platform: Azure (the UDP packet reordering feature has been enabled)
Test clients: Android 14, Windows 10/11, and eapol_test
Thank you for your assistance with this. I'll paste the full debug
output below with some substitutions for privacy.
Kind regards,
George
[root@xx-dev-radius-eus-01 certs]# radiusd -X
FreeRADIUS Version 3.2.6
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/totp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/eap-servicename
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/rfc7542
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/servicename
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 16384
max_fds = 512
postauth_client_lost = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = yes
require_message_authenticator = "auto"
limit_proxy_state = "auto"
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
nonblock = no
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client testclient1 {
ipaddr = 1.2.3.4
secret = <<< secret >>>
virtual_server = "servicename"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Shared secret for client testclient1 is short, and likely can be
broken by an attacker.
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap-servicename
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_totp
# Loading module "totp" from file /etc/raddb/mods-enabled/totp
totp {
time_step = 30
otp_length = 6
lookback_steps = 1
lookback_interval = 30
lookforward_steps = 0
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap-servicename" from file
/etc/raddb/mods-enabled/eap-servicename
eap eap-servicename {
default_eap_type = "tls"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
dedup_key = ""
}
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/coa
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "totp" from file /etc/raddb/mods-enabled/totp
# Instantiating module "eap-servicename" from file
/etc/raddb/mods-enabled/eap-servicename
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/acme/connect.domain.net/key.pem"
certificate_file = "/etc/acme/connect.domain.net/fullchain.pem"
ca_file = "/etc/raddb/certs/ca.pem"
fragment_size = 1024
include_length = yes
auto_chain = no
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server servicename { # from file /etc/raddb/sites-enabled/servicename
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server servicename
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1812 bound to server servicename
Listening on acct address * port 1813 bound to server servicename
Listening on auth address :: port 1812 bound to server servicename
Listening on acct address :: port 1813 bound to server servicename
Listening on proxy address * port 49854
Listening on proxy address :: port 50665
Ready to process requests
(0) Received Access-Request Id 47 from 1.2.3.4:34278 to 10.0.0.4:1812 length 253
(0) User-Name = "test1234(a)domain.org"
(0) NAS-IP-Address = 192.168.44.12
(0) NAS-Identifier = "E600-A16B02"
(0) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(0) NAS-Port-Id = "ET"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 1
(0) Calling-Station-Id = "E2-99-88-51-2A-A1"
(0) Connect-Info = "CONNECT 54Mbps 802.11a"
(0) Acct-Session-Id = "693ABFF4296F577A"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) WLAN-Group-Mgmt-Cipher = 1027078
(0) Framed-MTU = 1400
(0) EAP-Message =
0x02c9001e01746573743132333440636f6d706574656e7a2e6f72672e6e7a
(0) Message-Authenticator = 0xea4b200a5de671a429e9546fb03bcd87
(0) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(0) suffix: No such realm "domain.org"
(0) [suffix] = noop
(0) eap-servicename: Peer sent EAP Response (code 2) ID 201 length 30
(0) eap-servicename: EAP-Identity reply, returning 'ok' so we can
short-circuit the rest of authorize
(0) [eap-servicename] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap-servicename
(0) # Executing group from file /etc/raddb/sites-enabled/servicename
(0) authenticate {
(0) eap-servicename: Peer sent packet with method EAP Identity (1)
(0) eap-servicename: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) TLS -Initiating new session
(0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client
(0) eap-servicename: Sending EAP Request (code 1) ID 202 length 10
(0) eap-servicename: EAP session adding &reply:State = 0x15a54f0f156f4235
(0) [eap-servicename] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/servicename
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 1014
(0) Sent Access-Challenge Id 47 from 10.0.0.4:1812 to 1.2.3.4:34278 length 68
(0) EAP-Message = 0x01ca000a0da000000000
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x15a54f0f156f423549e64d7d4c36d897
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 48 from 1.2.3.4:34278 to 10.0.0.4:1812 length 482
(1) User-Name = "test1234(a)domain.org"
(1) NAS-IP-Address = 192.168.44.12
(1) NAS-Identifier = "E600-A16B02"
(1) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(1) NAS-Port-Id = "ET"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "E2-99-88-51-2A-A1"
(1) Connect-Info = "CONNECT 54Mbps 802.11a"
(1) Acct-Session-Id = "693ABFF4296F577A"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) WLAN-Group-Mgmt-Cipher = 1027078
(1) Framed-MTU = 1400
(1) EAP-Message =
0x02ca00f10d0016030100e6010000e2030344655eb8a7665dacee77220b890a78280ff40b74db678954531ec00b2113115320d6391a2680dff522f55a07f7c35ee7f02f181b7c907ebd50098737f45cddc0ec0024130113021303c02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100007500170000ff01000100000a00080006001d00170018000b00020100000500050100000000000d00140012040308040401050308050501080606010201003300260024001d0020349b6d33f3241d2ea911b7ba91d909cf1d63b2c0d34fcfa4e41f8b14c992646b002d00020101002b00050403040303
(1) State = 0x15a54f0f156f423549e64d7d4c36d897
(1) Message-Authenticator = 0x804a4bf48e97610ecfc391c332458376
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(1) suffix: No such realm "domain.org"
(1) [suffix] = noop
(1) eap-servicename: Peer sent EAP Response (code 2) ID 202 length 241
(1) eap-servicename: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap-servicename] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap-servicename
(1) # Executing group from file /etc/raddb/sites-enabled/servicename
(1) authenticate {
(1) eap-servicename: Removing EAP session with state 0x15a54f0f156f4235
(1) eap-servicename: Previous EAP request found for state
0x15a54f0f156f4235, released from the list
(1) eap-servicename: Peer sent packet with method EAP TLS (13)
(1) eap-servicename: Calling submodule eap_tls to process data
(1) eap_tls: (TLS) EAP Got final fragment (235 bytes)
(1) eap_tls: WARNING: (TLS) EAP Total received record fragments (235
bytes), does not equal expected expected data length (0 bytes)
(1) eap_tls: (TLS) EAP Done initial handshake
(1) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHello
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server hello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Certificate
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write key exchange
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, CertificateRequest
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
certificate request
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done
(1) eap_tls: (TLS) TLS - Server : Need to read more data: SSLv3/TLS
write server done
(1) eap_tls: (TLS) TLS - In Handshake Phase
(1) eap-servicename: Sending EAP Request (code 1) ID 203 length 1020
(1) eap-servicename: EAP session adding &reply:State = 0x15a54f0f146e4235
(1) [eap-servicename] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/servicename
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 1014
(1) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(1) Sent Access-Challenge Id 48 from 10.0.0.4:1812 to 1.2.3.4:34278 length 1086
(1) EAP-Message =
0x01cb03fc0dc000000d40160303005d0200005903034cedb5cc3133e28566956b6570166c3e0132cae9de19be0faa497461ca7072cf20a764076692c3f12002152ba7c08e420358d8ccbc97dffccb713cda45d0ff9cc8c02b000011ff01000100000b000403000102001700001603030b9f0b000b9b000b9800042f3082042b308203b1a00302010202102d8b8310dd5d7880731a8dd132e71dbd300a06082a8648ce3d040303304b310b30090603550406130241543110300e060355040a13075a65726f53534c312a3028060355040313215a65726f53534c2045434320446f6d61696e205365637572652053697465204341301e170d3234303832373030303030305a170d3234313132353233353935395a3021311f301d06035504031316636f6e6e6563742e626c616e6b656e2e6e65742e6e7a3076301006072a8648ce3d020106052b81040022036200040bf1f4e7aaf51bdc51ff050463f2af37e5a3d99e37ebe073f26df6c0c768b52dac052e3060e551de3c
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x15a54f0f146e423549e64d7d4c36d897
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 49 from 1.2.3.4:34278 to 10.0.0.4:1812 length 247
(2) User-Name = "test1234(a)domain.org"
(2) NAS-IP-Address = 192.168.44.12
(2) NAS-Identifier = "E600-A16B02"
(2) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(2) NAS-Port-Id = "ET"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 1
(2) Calling-Station-Id = "E2-99-88-51-2A-A1"
(2) Connect-Info = "CONNECT 54Mbps 802.11a"
(2) Acct-Session-Id = "693ABFF4296F577A"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) WLAN-Group-Mgmt-Cipher = 1027078
(2) Framed-MTU = 1400
(2) EAP-Message = 0x02cb00060d00
(2) State = 0x15a54f0f146e423549e64d7d4c36d897
(2) Message-Authenticator = 0x19f1a691f13a725c00b4e54836ff78c2
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 1014
(2) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.3 Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, CertificateRequest"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(2) suffix: No such realm "domain.org"
(2) [suffix] = noop
(2) eap-servicename: Peer sent EAP Response (code 2) ID 203 length 6
(2) eap-servicename: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap-servicename] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap-servicename
(2) # Executing group from file /etc/raddb/sites-enabled/servicename
(2) authenticate {
(2) eap-servicename: Removing EAP session with state 0x15a54f0f146e4235
(2) eap-servicename: Previous EAP request found for state
0x15a54f0f146e4235, released from the list
(2) eap-servicename: Peer sent packet with method EAP TLS (13)
(2) eap-servicename: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) Peer ACKed our handshake fragment
(2) eap-servicename: Sending EAP Request (code 1) ID 204 length 1020
(2) eap-servicename: EAP session adding &reply:State = 0x15a54f0f17694235
(2) [eap-servicename] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/servicename
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 1014
(2) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 49 from 10.0.0.4:1812 to 1.2.3.4:34278 length 1086
(2) EAP-Message =
0x01cc03fc0dc000000d4089d6c4011a005d2b7e2600048904d20560241791c630210603551d11041a30188216636f6e6e6563742e626c616e6b656e2e6e65742e6e7a300a06082a8648ce3d040303036800306502306cc100dc1f09181ce17ccf95085b53785b692da8ab93599804b77ffe8c0425437c443a23b90863b5bf75a123df410e22023100dcb89fc0111997a9c1b421d7cb47e49a168d4c832288f5c0d687e96713343242502bcd19f5a1db582782e9f14e69e522000389308203853082030ca003020102021023b76de3c1bb2b1a51961e08eab764e8300a06082a8648ce3d040303308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f72697479301e170d3230
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x15a54f0f1769423549e64d7d4c36d897
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 50 from 1.2.3.4:34278 to 10.0.0.4:1812 length 247
(3) User-Name = "test1234(a)domain.org"
(3) NAS-IP-Address = 192.168.44.12
(3) NAS-Identifier = "E600-A16B02"
(3) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(3) NAS-Port-Id = "ET"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 1
(3) Calling-Station-Id = "E2-99-88-51-2A-A1"
(3) Connect-Info = "CONNECT 54Mbps 802.11a"
(3) Acct-Session-Id = "693ABFF4296F577A"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) WLAN-Group-Mgmt-Cipher = 1027078
(3) Framed-MTU = 1400
(3) EAP-Message = 0x02cc00060d00
(3) State = 0x15a54f0f1769423549e64d7d4c36d897
(3) Message-Authenticator = 0x106ad3c09dd5229c69c77aaad34bef2c
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 1014
(3) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, CertificateRequest"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(3) suffix: No such realm "domain.org"
(3) [suffix] = noop
(3) eap-servicename: Peer sent EAP Response (code 2) ID 204 length 6
(3) eap-servicename: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap-servicename] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap-servicename
(3) # Executing group from file /etc/raddb/sites-enabled/servicename
(3) authenticate {
(3) eap-servicename: Removing EAP session with state 0x15a54f0f17694235
(3) eap-servicename: Previous EAP request found for state
0x15a54f0f17694235, released from the list
(3) eap-servicename: Peer sent packet with method EAP TLS (13)
(3) eap-servicename: Calling submodule eap_tls to process data
(3) eap_tls: (TLS) Peer ACKed our handshake fragment
(3) eap-servicename: Sending EAP Request (code 1) ID 205 length 1020
(3) eap-servicename: EAP session adding &reply:State = 0x15a54f0f16684235
(3) [eap-servicename] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/servicename
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 1014
(3) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 50 from 10.0.0.4:1812 to 1.2.3.4:34278 length 1086
(3) EAP-Message =
0x01cd03fc0dc000000d406df261b9700a261b6330a88b319cbf77ec67b07fa588023025adaba4b0ee8d52e0dd0d7c9ddf7d1daee25c649c74f87e63e5c14e601686b0a75e196eec08c691d8fb0314a1a595ab0003d7308203d3308202bba003020102021056671d04ea4f994c6f10814759d27594300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x15a54f0f1668423549e64d7d4c36d897
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 51 from 1.2.3.4:34278 to 10.0.0.4:1812 length 247
(4) User-Name = "test1234(a)domain.org"
(4) NAS-IP-Address = 192.168.44.12
(4) NAS-Identifier = "E600-A16B02"
(4) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(4) NAS-Port-Id = "ET"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 1
(4) Calling-Station-Id = "E2-99-88-51-2A-A1"
(4) Connect-Info = "CONNECT 54Mbps 802.11a"
(4) Acct-Session-Id = "693ABFF4296F577A"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) WLAN-Group-Mgmt-Cipher = 1027078
(4) Framed-MTU = 1400
(4) EAP-Message = 0x02cd00060d00
(4) State = 0x15a54f0f1668423549e64d7d4c36d897
(4) Message-Authenticator = 0x086b69404a413776374c1648af478648
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 1014
(4) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, CertificateRequest"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(4) suffix: No such realm "domain.org"
(4) [suffix] = noop
(4) eap-servicename: Peer sent EAP Response (code 2) ID 205 length 6
(4) eap-servicename: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap-servicename] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap-servicename
(4) # Executing group from file /etc/raddb/sites-enabled/servicename
(4) authenticate {
(4) eap-servicename: Removing EAP session with state 0x15a54f0f16684235
(4) eap-servicename: Previous EAP request found for state
0x15a54f0f16684235, released from the list
(4) eap-servicename: Peer sent packet with method EAP TLS (13)
(4) eap-servicename: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) Peer ACKed our handshake fragment
(4) eap-servicename: Sending EAP Request (code 1) ID 206 length 372
(4) eap-servicename: EAP session adding &reply:State = 0x15a54f0f116b4235
(4) [eap-servicename] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/servicename
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 1014
(4) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 51 from 10.0.0.4:1812 to 1.2.3.4:34278 length 432
(4) EAP-Message =
0x01ce01740d8000000d40362eefa5220f83744992c7f710c20c29fbb7bdba7fe35fd59ff2a9f474d5b8e1b3b081e4e1a563a3ccea0478906ebff716030300940c00009003001d20e6c3f11ac624218f27f520adc0d647bd8942644b6f7cfc9cfbca254b7d1f921d040300683066023100bfa2ba21263e4e546a7aae58a71eaed279454f57d0277b6faba5d1e3c5a74df733eeca429e995f2fc2aa19d98bcc4a9602310098e453ef7210b07498bdf002cf2b883a3df9c05e2fa1a4d9e0375a24c354d13131e2a73828a0beb2014b2dcd5a3964fa16030300930d00008f0201400020040305030603080708080809080a080b0804080508060401050106010303030100680066306431163014060355040a130d436f6d706574656e7a20504f43312d302b060355040b132465633831366132312d666636632d346233382d623362392d343365376330396531343063311b301906035504031312534345506d616e2d526f6f742d43412d563116030300040e000000
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x15a54f0f116b423549e64d7d4c36d897
(4) Finished request
Waking up in 4.7 seconds.
(5) Received Access-Request Id 52 from 1.2.3.4:34278 to 10.0.0.4:1812
length 1659
(5) User-Name = "test1234(a)domain.org"
(5) NAS-IP-Address = 192.168.44.12
(5) NAS-Identifier = "E600-A16B02"
(5) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(5) NAS-Port-Id = "ET"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "E2-99-88-51-2A-A1"
(5) Connect-Info = "CONNECT 54Mbps 802.11a"
(5) Acct-Session-Id = "693ABFF4296F577A"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) WLAN-Group-Mgmt-Cipher = 1027078
(5) Framed-MTU = 1400
(5) EAP-Message =
0x02ce05800dc00000090416030306950b00069100068e00068b308206873082046fa003020102021450c0804b19c3a25ccca19a49a87106af8b7e9ac5300d06092a864886f70d01010b0500306431163014060355040a130d436f6d706574656e7a20504f43312d302b060355040b132465633831366132312d666636632d346233382d623362392d343365376330396531343063311b301906035504031312534345506d616e2d526f6f742d43412d5631301e170d3234303831353039333630385a170d3236303831363039333630385a30263124302206035504030c1b7465737464657669636540636f6d706574656e7a2e6f72672e6e7a30820222300d06092a864886f70d01010105000382020f003082020a0282020100d679c6938db7c17c45587a3b598e1210d53442ff7ef17327bd992402433b0451c0dc420dcb568e80599d511cf91fc170eee16f61cb92bba0482ecd7a3f835b94a4193052766c87e5797f217903f820685f2b954690596d99531217c24c
(5) State = 0x15a54f0f116b423549e64d7d4c36d897
(5) Message-Authenticator = 0xb6424d2d2443246c6cbc7fe58202ac89
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 1014
(5) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, CertificateRequest"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(5) suffix: No such realm "domain.org"
(5) [suffix] = noop
(5) eap-servicename: Peer sent EAP Response (code 2) ID 206 length 1408
(5) eap-servicename: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap-servicename] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap-servicename
(5) # Executing group from file /etc/raddb/sites-enabled/servicename
(5) authenticate {
(5) eap-servicename: Removing EAP session with state 0x15a54f0f116b4235
(5) eap-servicename: Previous EAP request found for state
0x15a54f0f116b4235, released from the list
(5) eap-servicename: Peer sent packet with method EAP TLS (13)
(5) eap-servicename: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) EAP Peer says that the final record size will be 2308 bytes
(5) eap_tls: (TLS) EAP Expecting 2 fragments
(5) eap_tls: (TLS) EAP Got first TLS fragment (1398 bytes). Peer says
more fragments will follow
(5) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(5) eap-servicename: Sending EAP Request (code 1) ID 207 length 6
(5) eap-servicename: EAP session adding &reply:State = 0x15a54f0f106a4235
(5) [eap-servicename] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/servicename
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 1014
(5) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(5) Sent Access-Challenge Id 52 from 10.0.0.4:1812 to 1.2.3.4:34278 length 64
(5) EAP-Message = 0x01cf00060d00
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x15a54f0f106a423549e64d7d4c36d897
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 53 from 1.2.3.4:34278 to 10.0.0.4:1812
length 1163
(6) User-Name = "test1234(a)domain.org"
(6) NAS-IP-Address = 192.168.44.12
(6) NAS-Identifier = "E600-A16B02"
(6) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(6) NAS-Port-Id = "ET"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 1
(6) Calling-Station-Id = "E2-99-88-51-2A-A1"
(6) Connect-Info = "CONNECT 54Mbps 802.11a"
(6) Acct-Session-Id = "693ABFF4296F577A"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) WLAN-Group-Mgmt-Cipher = 1027078
(6) Framed-MTU = 1400
(6) EAP-Message =
0x02cf03940d00f3a55ed5c5036ec591d3b982ef738a0eed22dc154f64042eaf9d8d2fe20c0dd97eb61e963a2269d3f262534889c8678a8d42dc07336bf51a2b16d0657153bfe28fcc83fbbbf875589f16b5dc2f43cb35cd2e25a3800c5c60fe7832eb4f180c556a0f753854d1e7b54c3ca7d6b220d4cdf4eddf2b230c286e0ecdf072991018148cb6b9298e5b81cacb8b733b6b37ab1e2c91d56370304391877a4e3df07d3d9a69465c4de9b4ac7e851b25d4edb27df48a6cb46aecf886e9a25a98655b2c8b7d4c8b0fbe3800efeaabf751c61725b3adaf50268818670b6d6b3ac4c5cc7c9d8787bd9086fd97a57ffcd0b374f410af60c4386408d902bdc225e76ff476ac09f4218152090c925e3cbb518831e5c97e3a32314533efda13809c27e49dcda98b40d7cb9a971603030025100000212040372c6b398889bbeb241275299a51542d51146475d6934f2a5ca262334c027516030302080f00020408040200c2c25474568a7c94484af4e86258b362dc4b3bd4d585
(6) State = 0x15a54f0f106a423549e64d7d4c36d897
(6) Message-Authenticator = 0x47e9ae4c5eef6095dc69df9c7bb3027e
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 1014
(6) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, CertificateRequest"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(6) suffix: No such realm "domain.org"
(6) [suffix] = noop
(6) eap-servicename: Peer sent EAP Response (code 2) ID 207 length 916
(6) eap-servicename: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap-servicename] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap-servicename
(6) # Executing group from file /etc/raddb/sites-enabled/servicename
(6) authenticate {
(6) eap-servicename: Removing EAP session with state 0x15a54f0f106a4235
(6) eap-servicename: Previous EAP request found for state
0x15a54f0f106a4235, released from the list
(6) eap-servicename: Peer sent packet with method EAP TLS (13)
(6) eap-servicename: Calling submodule eap_tls to process data
(6) eap_tls: (TLS) EAP Done initial handshake
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate
(6) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain
(6) eap_tls: TLS-Cert-Serial := "1fd207b3bfa245ec9f1f630632d4c1a1"
(6) eap_tls: TLS-Cert-Expiration := "340807045107Z"
(6) eap_tls: TLS-Cert-Valid-Since := "240807044107Z"
(6) eap_tls: TLS-Cert-Subject := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(6) eap_tls: TLS-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(6) eap_tls: TLS-Cert-Common-Name := "SCEPman-Root-CA-V1"
(6) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain
(6) eap_tls: TLS-Client-Cert-Serial :=
"50c0804b19c3a25ccca19a49a87106af8b7e9ac5"
(6) eap_tls: TLS-Client-Cert-Expiration := "260816093608Z"
(6) eap_tls: TLS-Client-Cert-Valid-Since := "240815093608Z"
(6) eap_tls: TLS-Client-Cert-Subject := "/CN=testdevice(a)domain.org"
(6) eap_tls: TLS-Client-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(6) eap_tls: TLS-Client-Cert-Common-Name := "testdevice(a)domain.org"
(6) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"65:77:76:8A:D3:C0:8F:69:D0:06:7E:0E:E4:45:1C:C5:D1:02:D5:9E"
(6) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"52:6B:C1:99:FD:93:8F:DC:43:D1:54:18:46:C8:39:D0:AA:CD:8A:3C"
(6) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
Certificate chain - 1 intermediate CA cert(s) untrusted
To forbid these certificates see 'reject_unknown_intermediate_ca'
(TLS) untrusted certificate with depth [0] subject name
/CN=testdevice(a)domain.org
(6) eap_tls: Starting OCSP Request
(6) eap_tls: ocsp: Using responder URL "http://responderhost:80/ocsp"
This Update: Aug 27 10:30:21 2024 GMT
Next Update: Aug 27 10:40:21 2024 GMT
(6) eap_tls: ocsp: Cert status: good
(6) eap_tls: ocsp: Certificate is valid
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
client certificate
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
client key exchange
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
certificate verify
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
change cipher spec
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished
(6) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
change cipher spec
(6) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished
(6) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished successfully
(6) eap_tls: (TLS) TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
(6) eap-servicename: Sending EAP Request (code 1) ID 208 length 61
(6) eap-servicename: EAP session adding &reply:State = 0x15a54f0f13754235
(6) [eap-servicename] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/servicename
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 1014
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
CertificateVerify"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Finished"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 53 from 10.0.0.4:1812 to 1.2.3.4:34278 length 119
(6) EAP-Message =
0x01d0003d0d80000000331403030001011603030028c7b5378da3badfb666bf510993d417130f51b97e0ba9dd960e67a15924dac5c2c2f842aa9f5f9695
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x15a54f0f1375423549e64d7d4c36d897
(6) Finished request
Waking up in 3.2 seconds.
(7) Received Access-Request Id 54 from 1.2.3.4:34278 to 10.0.0.4:1812 length 247
(7) User-Name = "test1234(a)domain.org"
(7) NAS-IP-Address = 192.168.44.12
(7) NAS-Identifier = "E600-A16B02"
(7) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(7) NAS-Port-Id = "ET"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 1
(7) Calling-Station-Id = "E2-99-88-51-2A-A1"
(7) Connect-Info = "CONNECT 54Mbps 802.11a"
(7) Acct-Session-Id = "693ABFF4296F577A"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) WLAN-Group-Mgmt-Cipher = 1027078
(7) Framed-MTU = 1400
(7) EAP-Message = 0x02d000060d00
(7) State = 0x15a54f0f1375423549e64d7d4c36d897
(7) Message-Authenticator = 0x6e7d1312ef6ce87a5b8df766fbdbf1db
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 1014
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.3 Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, CertificateRequest"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.2 Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.2 Handshake, CertificateVerify"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/servicename
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "domain.org" for User-Name = "test1234(a)domain.org"
(7) suffix: No such realm "domain.org"
(7) [suffix] = noop
(7) eap-servicename: Peer sent EAP Response (code 2) ID 208 length 6
(7) eap-servicename: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap-servicename] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap-servicename
(7) # Executing group from file /etc/raddb/sites-enabled/servicename
(7) authenticate {
(7) eap-servicename: Removing EAP session with state 0x15a54f0f13754235
(7) eap-servicename: Previous EAP request found for state
0x15a54f0f13754235, released from the list
(7) eap-servicename: Peer sent packet with method EAP TLS (13)
(7) eap-servicename: Calling submodule eap_tls to process data
(7) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
(7) eap_tls: (TLS) cache - Setting up attributes for session resumption
(7) eap_tls: caching EAP-Type = TLS
(7) eap_tls: caching TLS-Cert-Serial := "1fd207b3bfa245ec9f1f630632d4c1a1"
(7) eap_tls: caching TLS-Cert-Expiration := "340807045107Z"
(7) eap_tls: caching TLS-Cert-Valid-Since := "240807044107Z"
(7) eap_tls: caching TLS-Cert-Subject := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Cert-Common-Name := "SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Client-Cert-Serial :=
"50c0804b19c3a25ccca19a49a87106af8b7e9ac5"
(7) eap_tls: caching TLS-Client-Cert-Expiration := "260816093608Z"
(7) eap_tls: caching TLS-Client-Cert-Valid-Since := "240815093608Z"
(7) eap_tls: caching TLS-Client-Cert-Subject := "/CN=testdevice(a)domain.org"
(7) eap_tls: caching TLS-Client-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Client-Cert-Common-Name := "testdevice(a)domain.org"
(7) eap_tls: caching
TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"65:77:76:8A:D3:C0:8F:69:D0:06:7E:0E:E4:45:1C:C5:D1:02:D5:9E"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Subject-Key-Identifier
+= "52:6B:C1:99:FD:93:8F:DC:43:D1:54:18:46:C8:39:D0:AA:CD:8A:3C"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage +=
"TLS Web Client Authentication"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
+= "1.3.6.1.5.5.7.3.2"
(7) eap_tls: Failed to find 'persist_dir' in TLS configuration.
Session will not be cached on disk.
(7) eap-servicename: Sending EAP Success (code 3) ID 208 length 4
(7) eap-servicename: Freeing handler
(7) [eap-servicename] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file /etc/raddb/sites-enabled/servicename
(7) post-auth {
(7) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(7) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(7) update {
(7) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3
Handshake, ClientHello'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerHello'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, Certificate'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, Certificate'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, ClientKeyExchange'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, CertificateVerify'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, Finished'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
ChangeCipherSpec'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, Finished'
(7) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] ->
'ECDHE-ECDSA-AES128-GCM-SHA256'
(7) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(7) } # update = noop
(7) [exec] = noop
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(7) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(7) } # post-auth = noop
(7) Sent Access-Accept Id 54 from 10.0.0.4:1812 to 1.2.3.4:34278 length 193
(7) MS-MPPE-Recv-Key =
0x422eeba9c721d957df374175733b5f81ce4a645cf75a94d717bf620b2f2e5210
(7) MS-MPPE-Send-Key =
0x1a003c5f46f72a2705a522f099e4fc851b12c727805af41e87bd400a6d73557c
(7) EAP-Message = 0x03d00004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "test1234(a)domain.org"
(7) Framed-MTU += 1014
(7) Finished request
Waking up in 3.2 seconds.
(0) Cleaning up request packet ID 47 with timestamp +60 due to
cleanup_delay was reached
(1) Cleaning up request packet ID 48 with timestamp +60 due to
cleanup_delay was reached
(2) Cleaning up request packet ID 49 with timestamp +60 due to
cleanup_delay was reached
(3) Cleaning up request packet ID 50 with timestamp +60 due to
cleanup_delay was reached
(4) Cleaning up request packet ID 51 with timestamp +60 due to
cleanup_delay was reached
(5) Cleaning up request packet ID 52 with timestamp +60 due to
cleanup_delay was reached
Waking up in 1.3 seconds.
(6) Cleaning up request packet ID 53 with timestamp +60 due to
cleanup_delay was reached
(7) Cleaning up request packet ID 54 with timestamp +62 due to
cleanup_delay was reached
Ready to process requests
1
0
We have released FreeRADIUS version 3.2.6.
A few issues were found after the last release, which have been fixed,
as well as some other small updates.
Note especially that the "require_message_authenticator" behaviour has
been fixed when set to "auto" and used with wildcard clients (i.e. a
network rather than a single address). When using wildcard clients, the
"auto" option will now never require Message-Authenticator. You should
either use one client entry per client or, preferably, upgrade all the
clients.
There is a similar fix for dynamic clients which will now inherit
"require_message_authenticator" and "limit_proxy_state" from the dynamic
clients definition.
See doc/ChangeLog for full details.
Download from the usual places:
https://freeradius.org/releases/
https://freeradius.org/ftp/pub/freeradius/
ftp://ftp.freeradius.org/pub/freeradius/
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_6
As usual, InkBridge Networks (Network RADIUS) is providing pre-built
packages for common Linux distributions:
https://packages.networkradius.com/
and Docker images on Dockerhub:
https://hub.docker.com/r/freeradius/freeradius-server
--
Matthew
1
0
Hi
I'm running Freeradius version 3.2.3 doing a check on valid CAs in check-eap-tls. As of now I've just made a rather long and unwieldy if test with several or conditions like this :
if ("%{TLS-Client-Cert-Issuer}" =~ /\/C=NO\/ST=Norway\/L=Oslo\/O=Telenor\ Norge\ AS\/OU=Internal\ Certificate\ Authority\/CN=Acme.*/) || ("%{TLS-Client-Cert-Issuer}" =~ /\/C=NO\/O=Telenor\ Norge\ AS\/CN=Telenor\ Norge\ Internal\ Issuing\ CA\ ECDSA\ TEST.*/) || ("%{TLS-Client-Cert-Issuer}" =~ /\/C=NO\/O=Telenor\ Norge\ AS\/OU=TEST\ ECDSA\/CN=TN\ Int\ 256\ Facilities\ CCTV\ ICA.*/) || ("%{TLS-Client-Cert-Issuer}" =~ /\/C=NO\/O=Telenor\ Norge\ AS\/CN=Telenor\ Norge\ Internal\ Issuing\ CA.*/) {
update config {
&Auth-Type := Accept
}
}
else {
update config {
&Auth-Type := Reject
}
update reply {
&outer.Reply-Message := "Your certificate is not valid."
}
}
I've tried to split the long if line into separate lines for each condition just to make it more readable but that doesn't seem to work.
Is splitting this if statement over several lines supposed to work?
Would it be possible to have the list of valid CAs stored in a text file and do some coding to parse that file?
Any other suggestions? (SQL and LDAP is currently not an option unfortunately)
./PerW
Sensitivity: Internal
4
3
Hi team,
Is anyone else experiencing FreeRad core dumping on RHEL 9.4 with the latest patch?
Tum history info 59 gives:
Packages Altered:
Upgrade freeradius-3.0.21-40.el9_4.x86_64 @rhel-9-for-x86_64-appstream-rpms
Upgraded freeradius-3.0.21-39.el9_3.x86_64 @@System
Upgrade freeradius-ldap-3.0.21-40.el9_4.x86_64 @rhel-9-for-x86_64-appstream-rpms
Upgraded freeradius-ldap-3.0.21-39.el9_3.x86_64 @@System
This appears to be related to status_check = status-server set in proxies (commenting it out seems to cause less/no crashes).
With these lines commented out it runs fine, with these present service dies after ~5+ mins of running (running radiusd -X waiting for it to die again, its taking its time...)
Change from v39 -> v40 appears to be related to BlastRADIUS vulnerability. Is there any issue with the fix for Blast + status_server checks?
Thanks,
Jim Potter
Jisc
4
3
Hi folks,
Just to verify something. In https://github.com/FreeRADIUS/freeradius-server/blob/21307a061b1d9d859febe0… it appears that the policy now sets the reply:User-Name to the request:User-Name.
However, you realise that when you send out a CUI, which is a hash of three parts, and you have two of them, you could potentially deduce the third? I defer to your expertise Alan, but shouldn't the User-Name be set to something not the real value, like maybe the outer-request:User-Name (in the case where the outer was anonymised)? I realise that's pointless where the inner User-Name and the outer User-Name match (like with oh-too-many eduroam people). Maybe '@realm'?
Just a question.
With kind regards
Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc
email/teams: stefan.paetow(a)jisc.ac.uk
gpg: 0x3FCE5142
For eduroam support, please contact the eduroam team via help(a)jisc.ac.uk and mark it for eduroam’s attention.
On Wednesdays and Fridays, I am not available between 12:00 and 15:00 London time (UTC in winter, UTC+0100 in summer).
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB Tel: 020 3697 5800.
1
0
Hello,I just installed FreeRADIUS from the networkradius/freeradius repo and tried to start the radiusd service and it failed -
Jul 30 17:06:19 d1xradiusadm01 radiusd[54302]: libssl version mismatch. built: 30000070 linked: 30200020
I am running CentOS Stream 9.
I've looked up some stuff and found that I can change the LD_LIBRARY_PATH but haven't tried that because i'm not sure if it will work for this.
Any help?
Thank you
3
3
I used to use rlm_python3 and now want to give rlm_rest a try. On GitHub, I see the example for module configuration, but some references, like the recv_coa function/section, are missing. I haven't tried using it yet, but I suspect this might be due to outdated documentation.
So, I want to ask: does rlm_rest have any downsides compared to rlm_python3? Maybe something not obvious or critical that I should consider before deciding to use it?
Best regards
Vladimir
2
1
Hello everyone,
i am currently testing Version 4. I have already successfully connected the ldap module to an Active Directory server. Now I want to use the Tacacs server to authenticate and authorize users. I have already tested the authentication and it works without any problems. To assign certain authorizations to the user, I want to use the user's groups on the AD. I could already test it successfully by adding the following in the sites-available/tacacs file under send Authorization-Pass-Add:
if (%ldap.memberof(“Admin”)) {
&reply.Viptela.Viptela-Group-Name = “netadmin”
}
Now I wonder if I can also use the module files to assign vendor specific attributes. For example if the service == ppp, protocol == ip and the user has a specific LDAP group. Or is the top variant the only one I can use?
Thanks in advance for any help,
Simon
1
0