Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2024
- 30 participants
- 47 discussions
13 Sep '24
Hello all,
Situation is like this:
FreeRADIUS server already installed with IP 192.168.81.12 and configured to
authenticate against LDAP linux server with IP 192.168.92.25.
Authentication is working fine. But we need to switch from Linux LDAP to MS
AD based on Windows server 2022 on IP 192.168.92.14.
I have configured Smaba on radius server to joint the AD and it's working
fine.
Radius server joined the Domain, commands like wbinfo –a example_user%
mypassword or ntlm_auth –-request-nt-key –-domain=XYZDOM –-username=example_
user are working fine as well.
However i have stuck on FreeRADIUS configuration.
Configuration changes made:
#####################################################
sites-enables/default
In authorize section
pap
if (User-Password) {
update control {
Auth-Type := ldap
}
}
In authenticate section
authenticate {
Auth-Type PAP {
ldap
}
Uncommented word ldap on separate line in section Auth-Type LDAP
# Auth-Type LDAP {
ldap
# }
#####################################################
mods-enabled/ldap
ip of ldap server changed to IP of new domain controler
ldap {
server = 'ldap://192.168.92.14'
identity = 'adminusername(a)mydomain.com'
password = adminpassword
base_dn = 'dc=mydomain,dc=com'
start_tls = no
require_cert = 'allow'
#####################################################
mods-enabled/eap
eap {
default_eap_type = peap
}
ttls {
default_eap_type = gtc
}
tls-config tls-common {
random_file = /dev/urandom
}
#####################################################
proxy.conf
realm mydomain.com {
}
#####################################################
mods-enabled/mschap
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-
User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --
nt-response=%{%{mschap:NT-Response}:-00} --domain=%{mschap:NT-Domain}"
#####################################################
sites-enabled/inner-tunnel
authorize {
...
# Read the 'users' file
files # <--- This one!
...
}
#####################################################
After all modyfications i started freeradius in degub mode
freeradius -fxx -l stdout
and issued radtest command:
radtest myusername(a)mydomain.com mypassword localhost 10 testing123
This is output:
#####################################################
(0) Received Access-Request Id 87 from 127.0.0.1:34561 to 127.0.0.1:1812
length 88
(0) User-Name = "myusername(a)mydomain.com"
(0) User-Password = "mypassword"
(0) NAS-IP-Address = 192.168.81.12
(0) NAS-Port = 10
(0) Message-Authenticator = 0xc529dae657c9aa6feb8b4e2e64bc950e
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/
default
(0) authorize {
(0) policy filter_eduroam_realms {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (!(&User-Name =~ /@/)){
(0) if (!(&User-Name =~ /@/)) -> FALSE
(0) if (&User-Name =~ /@$/){
(0) if (&User-Name =~ /@$/) -> FALSE
(0) if (&User-Name =~ /@.+?@/){
(0) if (&User-Name =~ /@.+?@/) -> FALSE
(0) if (&User-Name =~ /@.+?[^[:alnum:]\.-]/){
(0) if (&User-Name =~ /@.+?[^[:alnum:]\.-]/) -> FALSE
(0) if (&User-Name =~ /(a)[\.-]/){
(0) if (&User-Name =~ /(a)[\.-]/) -> FALSE
(0) if (&User-Name =~ /@.+?[\.-]$/){
(0) if (&User-Name =~ /@.+?[\.-]$/) -> FALSE
(0) if (&User-Name =~ /(a)[^\.]+$/){
(0) if (&User-Name =~ /(a)[^\.]+$/) -> FALSE
(0) if (&User-Name =~ /@.+?\.\./){
(0) if (&User-Name =~ /@.+?\.\./) -> FALSE
(0) if (&User-Name =~ /(a)myabc\.com$/i){
(0) if (&User-Name =~ /(a)myabc\.com$/i) -> FALSE
(0) if (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3
gppnetwork\.org$/i){
(0) if (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3
gppnetwork\.org$/i) -> FALSE
(0) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i){
(0) if (&User-Name =~ /@gmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
(0) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i){
(0) if (&User-Name =~ /@yahoo\.co(m|\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
(0) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i){
(0) if (&User-Name =~ /@hotmail\.co(m|\.[[:alnum:]][[:alnum:]])$/i)
-> FALSE
(0) if (&User-Name =~ /\.zc$/i){
(0) if (&User-Name =~ /\.zc$/i) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_eduroam_realms = notfound
(0) policy filter_myusername {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_myusername = notfound
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})
[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})
[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy rewrite_calling_station_id = noop
(0) policy operator-name.authorize {
(0) if ("%{client:Operator-Name}") {
(0) EXPAND %{client:Operator-Name}
(0) -->
(0) if ("%{client:Operator-Name}") -> FALSE
(0) } # policy operator-name.authorize = noop
(0) if (Calling-Station-Id !~ /^70-6F-6C-6/) {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "mydomain.com" for User-Name = "myusername@
mydomain.com"
(0) suffix: Found realm "mydomain.com"
(0) suffix: Adding Stripped-User-Name = "myusername"
(0) suffix: Adding Realm = "mydomain.com"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: Searching for user in group "gzkouska"
rlm_ldap (ldap): Reserved connection (0)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://192.168.92.14:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) files: Searching for user in group "ucitele-wifi"
rlm_ldap (ldap): Reserved connection (1)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (1)
(0) files: Searching for user in group "kabinety"
rlm_ldap (ldap): Reserved connection (2)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (2)
(0) files: Searching for user in group "zaci-wifi"
rlm_ldap (ldap): Reserved connection (3)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (3)
(0) files: Searching for user in group "ucebny"
rlm_ldap (ldap): Reserved connection (4)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (4)
(0) files: Searching for user in group "vpn-admin"
rlm_ldap (ldap): Reserved connection (0)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (0)
(0) files: Searching for user in group "VPN-ucitele"
rlm_ldap (ldap): Reserved connection (5)
(0) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) files: --> (uid=myusername)
(0) files: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) files: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) files: Search returned no results
rlm_ldap (ldap): Released connection (5)
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=myusername)
(0) ldap: Performing search in "dc=gyrec,dc=cz" with filter "(uid=
myusername)", scope "sub"
(0) ldap: Waiting for search result...
Unable to chase referral "ldap://ForestDnsZones.mydomain.com/DC=
ForestDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://DomainDnsZones.mydomain.com/DC=
DomainDnsZones,DC=gyrec,DC=cz" (-1: Can't contact LDAP server)
Unable to chase referral "ldap://mydomain.com/CN=Configuration,DC=gyrec,DC=
cz" (-1: Can't contact LDAP server)
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(0) [ldap] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is
available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> myusername(a)mydomain.com
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Login incorrect (Failed retrieving values required to evaluate
condition): [myusername(a)mydomain.com] (from client localhost port 10)
(0) Delaying response for 1.000000 seconds
Thread 1 waiting to be assigned a request
Waking up in 0.8 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 87 from 127.0.0.1:1812 to 127.0.0.1:34561 length
20
Waking up in 8.9 seconds.
#####################################################
Could you help me and advice where can be problem and what kind of
misconfiguration can cause
ERROR: Failed retrieving values required to evaluate condition
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
errors?
Thank you very much.
Chucho Valdez
3
5
Hi All,
I've got my setup working so that the outer auth is dealt with by EAPTTLS
and then the inner is dealt with by either PAP/MD5 depending on what device
the client is using (Windows doesn't seem to support MD5 and Apple doesn't
seem to support PAP without extra config).
My question is regarding the /mods-available/inner-eap module. My setup
seems to be working but finding out that this module exists has made me
question that fact. Instead of configuring inner tunnel within the
/mods-enabled/eap file (e.g. setting the virtual server to your inner
tunnel server and then configuring the inner tunnel virtual server in
/sites-enabled/inner-tunnel etc.) do you HAVE to use
/mods-available/inner-eap for this kind of setup to work correctly?
When reading the documents I wasn't sure if the inner-eap module was going
to be more heavily relied upon in v4.0.0 (I'm on v3.2.1) but wasn't
necessary at the moment?
Kind regards,
Connor
3
5
FreeRADIUS Creates New .vps and .asn1 Files for Cached TLS Sessions Instead of Reusing Them
by Luca Borruto 12 Sep '24
by Luca Borruto 12 Sep '24
12 Sep '24
Hey ! I am currently using FreeRADIUS with EAP-TLS for client
authentication, and I have configured a TLS session cache directory at
`/var/log/freeradius/tlscache/`. However, every time a client reconnects,
FreeRADIUS creates new `.vps` and `.asn1` files for each session, even
though the session details remain the same.
**Expected Behavior**:
FreeRADIUS should reuse the cached session when a client reconnects instead
of creating new cache files.
**Actual Behavior**:
A new pair of `.vps` and `.asn1` files is created for every connection,
leading to unnecessary cache file creation and a potential performance hit.
**Logs Showing the Issue**:
When a client reconnects, FreeRADIUS logs indicate that it doesn’t find the
cached session, even though it previously created one:
For the second connection attempt:
```
(8) eap_tls: Peer requested cached session:
604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b
(8) eap_tls: WARNING: (TLS) TLS - No persisted session file
/var/log/freeradius/tlscache/604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b.asn1:
No such file or directory
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
hello
```
Then it recreates the session file:
```
(8) eap_tls: Serialising session
1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549, and
storing in cache
(8) eap_tls: WARNING: (TLS) TLS - Wrote session
1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549 to
/var/log/freeradius/tlscache/1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549.asn1
(1641 bytes)
```
**Sample Cached Session Files**:
Here are two examples of the `.vps` files generated for the same client:
First `.vps` file:
```
# SSL cached session
e6c48d5b37efbac1c4c1ec7604cb29a0030f0c6e22c304567c885f61147ea693
EAP-Type = TLS,
TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566",
...
```
Second `.vps` file (after reconnection):
```
# SSL cached session
e1103d784da8d948197c0346232a22e98863d5d366a75b95f15529622b34f95c
EAP-Type = TLS,
TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566",
...
```
As you can see, the session details are identical, but a new cache file is
created each time.
**Environment**:
- FreeRADIUS version: 3.2.6
- EAP-TLS with TLS 1.2
- OS: Debian
- TLS cache location: `/var/log/freeradius/tlscache/`
Why is FreeRADIUS not reusing the cached session and instead creating new
cached session files for every connection attempt? Is there a configuration
issue or a potential bug that might be causing this?
Thanks for any tips!
2
1
Hello
Recently,
we attempted to update the freeradius from version 2.x to 3.2.6.
We copied the existing configuration(clients.conf, radiusd.conf etc) to the freeradius installed on the new Linux system.
In testing, there were no issues with PPP that directly requests authentication from the cpe to the radius server.
However, L2TP authentication that passes through another company's proxy radius encounters an error.
The error message is as follows.
Auth: (207) Login incorrect (chap: &control:Cleartext-Password is required for authentication): [eurogarage-puilboreau-002(a)ven.axess.ptel] (from client PhibeeProxy2 port 16777956)
There have been no changes to the IP and password of the other side in clients.conf.
I read the relevant information about PAP and User-Password in the migration documentation.
All passwords are set as Cleartext-Password
If anyone has experienced a similar issue, any advice would be appreciated
Regards
Seungtaek
2
1
Hi All,
If I'm not mistaken this is set on the client side, however, how would I
make it so that the anonymous username is sent as the outer identity and
the real username is then sent as the inner identity? The server is
functioning fine as it is, the TTLS tunnel gets initiated and by the looks
of it the username and password are tunnelled within the tunnel and
authenticated by PAP/MD5.
Kind regards,
Connor
2
3
I'm trying to figure out the best way to do this. We are using PPSK on TP-Link and are trying to figure out a work around for the 128 password limit for a single PPSK SSID. We have a password created that goes to specific VLANs and are trying to replicate it with a separate radius server. We do not want to use the typical radius authentication with PPSK since that requires us to know the MAC address of the devices beforehand. This will be a BYOD type setup. Using DEFAULT Auth-Type := Accept in the users file works fine to get around not knowing the mac addresses beforehand but the question is, how do we match against multiple Tunnel-Password fields?
DEFAULT Auth-Type := Accept
Tunnel-Password = test1234,
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = "100",
Fall-Through = Yes
Thank you
Travis Garrison
2
2
Hi,
I've been tasked with implementing FreeRADIUS for wired and wireless
authentication using EAP-TLS.
I found it reasonably straight-forward to set up a working proof-of-concept
but would like to check one thing before getting it production ready.
When viewing the debug output, the following message displays as a warning
in yellow but does not seem to negatively affect the end user connection
flow:
> Certificate chain - 1 intermediate CA cert(s) untrusted
> To forbid these certificates see 'reject_unknown_intermediate_ca'
> (TLS) untrusted certificate with depth [0] subject name /CN=
testdevice(a)domain.org
I wonder if this might be similar to the EAP-TLS issue that Rolf posted
earlier this month (
https://lists.freeradius.org/pipermail/freeradius-users/2024-August/104643.…)
but the main difference I can see is that I have no intermediate CA in
play.
User certs are issued directly from a Test CA root (SCEPman). The server
cert is from a public CA. I also encountered the same issue when using the
bootstrap certs.
OS: RHEL 9.4
FreeRADIUS versions tested: 3.2.6-1.el9 (NetworkRADIUS repo) & the 3.0.x
RHEL version.
Hosting Platform: Azure (the UDP packet reordering feature has been enabled)
Test clients: Android 14, Windows 10/11, and eapol_test
Thank you for your assistance with this. I'll paste the full debug output
below with some substitutions for privacy.
Kind regards,
George
[root@xx-dev-radius-eus-01 certs]# radiusd -X
FreeRADIUS Version 3.2.6
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/totp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/eap-servicename
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/rfc7542
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/servicename
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 16384
max_fds = 512
postauth_client_lost = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = yes
require_message_authenticator = "auto"
limit_proxy_state = "auto"
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
nonblock = no
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client testclient1 {
ipaddr = 1.2.3.4
secret = <<< secret >>>
virtual_server = "servicename"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Shared secret for client testclient1 is short, and likely can be broken by
an attacker.
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap-servicename
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_totp
# Loading module "totp" from file /etc/raddb/mods-enabled/totp
totp {
time_step = 30
otp_length = 6
lookback_steps = 1
lookback_interval = 30
lookforward_steps = 0
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_eap
# Loading module "eap-servicename" from file
/etc/raddb/mods-enabled/eap-servicename
eap eap-servicename {
default_eap_type = "tls"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
dedup_key = ""
}
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/coa
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "totp" from file /etc/raddb/mods-enabled/totp
# Instantiating module "eap-servicename" from file
/etc/raddb/mods-enabled/eap-servicename
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/acme/connect.domain.net/key.pem"
certificate_file = "/etc/acme/connect.domain.net/fullchain.pem"
ca_file = "/etc/raddb/certs/ca.pem"
fragment_size = 1024
include_length = yes
auto_chain = no
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server servicename { # from file /etc/raddb/sites-enabled/servicename
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server servicename
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1812 bound to server servicename
Listening on acct address * port 1813 bound to server servicename
Listening on auth address :: port 1812 bound to server servicename
Listening on acct address :: port 1813 bound to server servicename
Listening on proxy address * port 49854
Listening on proxy address :: port 50665
Ready to process requests
(0) Received Access-Request Id 47 from 1.2.3.4:34278 to 10.0.0.4:1812
length 253
(0) User-Name = "test1234(a)domain.org"
(0) NAS-IP-Address = 192.168.44.12
(0) NAS-Identifier = "E600-A16B02"
(0) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(0) NAS-Port-Id = "ET"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 1
(0) Calling-Station-Id = "E2-99-88-51-2A-A1"
(0) Connect-Info = "CONNECT 54Mbps 802.11a"
(0) Acct-Session-Id = "693ABFF4296F577A"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) WLAN-Group-Mgmt-Cipher = 1027078
(0) Framed-MTU = 1400
(0) EAP-Message =
0x02c9001e01746573743132333440636f6d706574656e7a2e6f72672e6e7a
(0) Message-Authenticator = 0xea4b200a5de671a429e9546fb03bcd87
(0) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(0) suffix: No such realm "domain.org"
(0) [suffix] = noop
(0) eap-servicename: Peer sent EAP Response (code 2) ID 201 length 30
(0) eap-servicename: EAP-Identity reply, returning 'ok' so we can
short-circuit the rest of authorize
(0) [eap-servicename] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap-servicename
(0) # Executing group from file /etc/raddb/sites-enabled/servicename
(0) authenticate {
(0) eap-servicename: Peer sent packet with method EAP Identity (1)
(0) eap-servicename: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) TLS -Initiating new session
(0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from
client
(0) eap-servicename: Sending EAP Request (code 1) ID 202 length 10
(0) eap-servicename: EAP session adding &reply:State = 0x15a54f0f156f4235
(0) [eap-servicename] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/servicename
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 1014
(0) Sent Access-Challenge Id 47 from 10.0.0.4:1812 to 1.2.3.4:34278 length
68
(0) EAP-Message = 0x01ca000a0da000000000
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x15a54f0f156f423549e64d7d4c36d897
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 48 from 1.2.3.4:34278 to 10.0.0.4:1812
length 482
(1) User-Name = "test1234(a)domain.org"
(1) NAS-IP-Address = 192.168.44.12
(1) NAS-Identifier = "E600-A16B02"
(1) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(1) NAS-Port-Id = "ET"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "E2-99-88-51-2A-A1"
(1) Connect-Info = "CONNECT 54Mbps 802.11a"
(1) Acct-Session-Id = "693ABFF4296F577A"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) WLAN-Group-Mgmt-Cipher = 1027078
(1) Framed-MTU = 1400
(1) EAP-Message =
0x02ca00f10d0016030100e6010000e2030344655eb8a7665dacee77220b890a78280ff40b74db678954531ec00b2113115320d6391a2680dff522f55a07f7c35ee7f02f181b7c907ebd50098737f45cddc0ec0024130113021303c02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100007500170000ff01000100000a00080006001d00170018000b00020100000500050100000000000d00140012040308040401050308050501080606010201003300260024001d0020349b6d33f3241d2ea911b7ba91d909cf1d63b2c0d34fcfa4e41f8b14c992646b002d00020101002b00050403040303
(1) State = 0x15a54f0f156f423549e64d7d4c36d897
(1) Message-Authenticator = 0x804a4bf48e97610ecfc391c332458376
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(1) suffix: No such realm "domain.org"
(1) [suffix] = noop
(1) eap-servicename: Peer sent EAP Response (code 2) ID 202 length 241
(1) eap-servicename: No EAP Start, assuming it's an on-going EAP
conversation
(1) [eap-servicename] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap-servicename
(1) # Executing group from file /etc/raddb/sites-enabled/servicename
(1) authenticate {
(1) eap-servicename: Removing EAP session with state 0x15a54f0f156f4235
(1) eap-servicename: Previous EAP request found for state
0x15a54f0f156f4235, released from the list
(1) eap-servicename: Peer sent packet with method EAP TLS (13)
(1) eap-servicename: Calling submodule eap_tls to process data
(1) eap_tls: (TLS) EAP Got final fragment (235 bytes)
(1) eap_tls: WARNING: (TLS) EAP Total received record fragments (235
bytes), does not equal expected expected data length (0 bytes)
(1) eap_tls: (TLS) EAP Done initial handshake
(1) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
hello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHello
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
hello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Certificate
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
certificate
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write key
exchange
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, CertificateRequest
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
certificate request
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(1) eap_tls: (TLS) TLS - Server : Need to read more data: SSLv3/TLS write
server done
(1) eap_tls: (TLS) TLS - In Handshake Phase
(1) eap-servicename: Sending EAP Request (code 1) ID 203 length 1020
(1) eap-servicename: EAP session adding &reply:State = 0x15a54f0f146e4235
(1) [eap-servicename] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/servicename
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 1014
(1) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(1) Sent Access-Challenge Id 48 from 10.0.0.4:1812 to 1.2.3.4:34278 length
1086
(1) EAP-Message =
0x01cb03fc0dc000000d40160303005d0200005903034cedb5cc3133e28566956b6570166c3e0132cae9de19be0faa497461ca7072cf20a764076692c3f12002152ba7c08e420358d8ccbc97dffccb713cda45d0ff9cc8c02b000011ff01000100000b000403000102001700001603030b9f0b000b9b000b9800042f3082042b308203b1a00302010202102d8b8310dd5d7880731a8dd132e71dbd300a06082a8648ce3d040303304b310b30090603550406130241543110300e060355040a13075a65726f53534c312a3028060355040313215a65726f53534c2045434320446f6d61696e205365637572652053697465204341301e170d3234303832373030303030305a170d3234313132353233353935395a3021311f301d06035504031316636f6e6e6563742e626c616e6b656e2e6e65742e6e7a3076301006072a8648ce3d020106052b81040022036200040bf1f4e7aaf51bdc51ff050463f2af37e5a3d99e37ebe073f26df6c0c768b52dac052e3060e551de3c
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x15a54f0f146e423549e64d7d4c36d897
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 49 from 1.2.3.4:34278 to 10.0.0.4:1812
length 247
(2) User-Name = "test1234(a)domain.org"
(2) NAS-IP-Address = 192.168.44.12
(2) NAS-Identifier = "E600-A16B02"
(2) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(2) NAS-Port-Id = "ET"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 1
(2) Calling-Station-Id = "E2-99-88-51-2A-A1"
(2) Connect-Info = "CONNECT 54Mbps 802.11a"
(2) Acct-Session-Id = "693ABFF4296F577A"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) WLAN-Group-Mgmt-Cipher = 1027078
(2) Framed-MTU = 1400
(2) EAP-Message = 0x02cb00060d00
(2) State = 0x15a54f0f146e423549e64d7d4c36d897
(2) Message-Authenticator = 0x19f1a691f13a725c00b4e54836ff78c2
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 1014
(2) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(2) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(2) suffix: No such realm "domain.org"
(2) [suffix] = noop
(2) eap-servicename: Peer sent EAP Response (code 2) ID 203 length 6
(2) eap-servicename: No EAP Start, assuming it's an on-going EAP
conversation
(2) [eap-servicename] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap-servicename
(2) # Executing group from file /etc/raddb/sites-enabled/servicename
(2) authenticate {
(2) eap-servicename: Removing EAP session with state 0x15a54f0f146e4235
(2) eap-servicename: Previous EAP request found for state
0x15a54f0f146e4235, released from the list
(2) eap-servicename: Peer sent packet with method EAP TLS (13)
(2) eap-servicename: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) Peer ACKed our handshake fragment
(2) eap-servicename: Sending EAP Request (code 1) ID 204 length 1020
(2) eap-servicename: EAP session adding &reply:State = 0x15a54f0f17694235
(2) [eap-servicename] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/servicename
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 1014
(2) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 49 from 10.0.0.4:1812 to 1.2.3.4:34278 length
1086
(2) EAP-Message =
0x01cc03fc0dc000000d4089d6c4011a005d2b7e2600048904d20560241791c630210603551d11041a30188216636f6e6e6563742e626c616e6b656e2e6e65742e6e7a300a06082a8648ce3d040303036800306502306cc100dc1f09181ce17ccf95085b53785b692da8ab93599804b77ffe8c0425437c443a23b90863b5bf75a123df410e22023100dcb89fc0111997a9c1b421d7cb47e49a168d4c832288f5c0d687e96713343242502bcd19f5a1db582782e9f14e69e522000389308203853082030ca003020102021023b76de3c1bb2b1a51961e08eab764e8300a06082a8648ce3d040303308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f72697479301e170d3230
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x15a54f0f1769423549e64d7d4c36d897
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 50 from 1.2.3.4:34278 to 10.0.0.4:1812
length 247
(3) User-Name = "test1234(a)domain.org"
(3) NAS-IP-Address = 192.168.44.12
(3) NAS-Identifier = "E600-A16B02"
(3) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(3) NAS-Port-Id = "ET"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 1
(3) Calling-Station-Id = "E2-99-88-51-2A-A1"
(3) Connect-Info = "CONNECT 54Mbps 802.11a"
(3) Acct-Session-Id = "693ABFF4296F577A"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) WLAN-Group-Mgmt-Cipher = 1027078
(3) Framed-MTU = 1400
(3) EAP-Message = 0x02cc00060d00
(3) State = 0x15a54f0f1769423549e64d7d4c36d897
(3) Message-Authenticator = 0x106ad3c09dd5229c69c77aaad34bef2c
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 1014
(3) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(3) suffix: No such realm "domain.org"
(3) [suffix] = noop
(3) eap-servicename: Peer sent EAP Response (code 2) ID 204 length 6
(3) eap-servicename: No EAP Start, assuming it's an on-going EAP
conversation
(3) [eap-servicename] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap-servicename
(3) # Executing group from file /etc/raddb/sites-enabled/servicename
(3) authenticate {
(3) eap-servicename: Removing EAP session with state 0x15a54f0f17694235
(3) eap-servicename: Previous EAP request found for state
0x15a54f0f17694235, released from the list
(3) eap-servicename: Peer sent packet with method EAP TLS (13)
(3) eap-servicename: Calling submodule eap_tls to process data
(3) eap_tls: (TLS) Peer ACKed our handshake fragment
(3) eap-servicename: Sending EAP Request (code 1) ID 205 length 1020
(3) eap-servicename: EAP session adding &reply:State = 0x15a54f0f16684235
(3) [eap-servicename] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/servicename
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 1014
(3) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 50 from 10.0.0.4:1812 to 1.2.3.4:34278 length
1086
(3) EAP-Message =
0x01cd03fc0dc000000d406df261b9700a261b6330a88b319cbf77ec67b07fa588023025adaba4b0ee8d52e0dd0d7c9ddf7d1daee25c649c74f87e63e5c14e601686b0a75e196eec08c691d8fb0314a1a595ab0003d7308203d3308202bba003020102021056671d04ea4f994c6f10814759d27594300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x15a54f0f1668423549e64d7d4c36d897
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 51 from 1.2.3.4:34278 to 10.0.0.4:1812
length 247
(4) User-Name = "test1234(a)domain.org"
(4) NAS-IP-Address = 192.168.44.12
(4) NAS-Identifier = "E600-A16B02"
(4) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(4) NAS-Port-Id = "ET"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 1
(4) Calling-Station-Id = "E2-99-88-51-2A-A1"
(4) Connect-Info = "CONNECT 54Mbps 802.11a"
(4) Acct-Session-Id = "693ABFF4296F577A"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) WLAN-Group-Mgmt-Cipher = 1027078
(4) Framed-MTU = 1400
(4) EAP-Message = 0x02cd00060d00
(4) State = 0x15a54f0f1668423549e64d7d4c36d897
(4) Message-Authenticator = 0x086b69404a413776374c1648af478648
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 1014
(4) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(4) suffix: No such realm "domain.org"
(4) [suffix] = noop
(4) eap-servicename: Peer sent EAP Response (code 2) ID 205 length 6
(4) eap-servicename: No EAP Start, assuming it's an on-going EAP
conversation
(4) [eap-servicename] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap-servicename
(4) # Executing group from file /etc/raddb/sites-enabled/servicename
(4) authenticate {
(4) eap-servicename: Removing EAP session with state 0x15a54f0f16684235
(4) eap-servicename: Previous EAP request found for state
0x15a54f0f16684235, released from the list
(4) eap-servicename: Peer sent packet with method EAP TLS (13)
(4) eap-servicename: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) Peer ACKed our handshake fragment
(4) eap-servicename: Sending EAP Request (code 1) ID 206 length 372
(4) eap-servicename: EAP session adding &reply:State = 0x15a54f0f116b4235
(4) [eap-servicename] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/servicename
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 1014
(4) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 51 from 10.0.0.4:1812 to 1.2.3.4:34278 length
432
(4) EAP-Message =
0x01ce01740d8000000d40362eefa5220f83744992c7f710c20c29fbb7bdba7fe35fd59ff2a9f474d5b8e1b3b081e4e1a563a3ccea0478906ebff716030300940c00009003001d20e6c3f11ac624218f27f520adc0d647bd8942644b6f7cfc9cfbca254b7d1f921d040300683066023100bfa2ba21263e4e546a7aae58a71eaed279454f57d0277b6faba5d1e3c5a74df733eeca429e995f2fc2aa19d98bcc4a9602310098e453ef7210b07498bdf002cf2b883a3df9c05e2fa1a4d9e0375a24c354d13131e2a73828a0beb2014b2dcd5a3964fa16030300930d00008f0201400020040305030603080708080809080a080b0804080508060401050106010303030100680066306431163014060355040a130d436f6d706574656e7a20504f43312d302b060355040b132465633831366132312d666636632d346233382d623362392d343365376330396531343063311b301906035504031312534345506d616e2d526f6f742d43412d563116030300040e000000
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x15a54f0f116b423549e64d7d4c36d897
(4) Finished request
Waking up in 4.7 seconds.
(5) Received Access-Request Id 52 from 1.2.3.4:34278 to 10.0.0.4:1812
length 1659
(5) User-Name = "test1234(a)domain.org"
(5) NAS-IP-Address = 192.168.44.12
(5) NAS-Identifier = "E600-A16B02"
(5) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(5) NAS-Port-Id = "ET"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "E2-99-88-51-2A-A1"
(5) Connect-Info = "CONNECT 54Mbps 802.11a"
(5) Acct-Session-Id = "693ABFF4296F577A"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) WLAN-Group-Mgmt-Cipher = 1027078
(5) Framed-MTU = 1400
(5) EAP-Message =
0x02ce05800dc00000090416030306950b00069100068e00068b308206873082046fa003020102021450c0804b19c3a25ccca19a49a87106af8b7e9ac5300d06092a864886f70d01010b0500306431163014060355040a130d436f6d706574656e7a20504f43312d302b060355040b132465633831366132312d666636632d346233382d623362392d343365376330396531343063311b301906035504031312534345506d616e2d526f6f742d43412d5631301e170d3234303831353039333630385a170d3236303831363039333630385a30263124302206035504030c1b7465737464657669636540636f6d706574656e7a2e6f72672e6e7a30820222300d06092a864886f70d01010105000382020f003082020a0282020100d679c6938db7c17c45587a3b598e1210d53442ff7ef17327bd992402433b0451c0dc420dcb568e80599d511cf91fc170eee16f61cb92bba0482ecd7a3f835b94a4193052766c87e5797f217903f820685f2b954690596d99531217c24c
(5) State = 0x15a54f0f116b423549e64d7d4c36d897
(5) Message-Authenticator = 0xb6424d2d2443246c6cbc7fe58202ac89
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 1014
(5) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(5) suffix: No such realm "domain.org"
(5) [suffix] = noop
(5) eap-servicename: Peer sent EAP Response (code 2) ID 206 length 1408
(5) eap-servicename: No EAP Start, assuming it's an on-going EAP
conversation
(5) [eap-servicename] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap-servicename
(5) # Executing group from file /etc/raddb/sites-enabled/servicename
(5) authenticate {
(5) eap-servicename: Removing EAP session with state 0x15a54f0f116b4235
(5) eap-servicename: Previous EAP request found for state
0x15a54f0f116b4235, released from the list
(5) eap-servicename: Peer sent packet with method EAP TLS (13)
(5) eap-servicename: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) EAP Peer says that the final record size will be 2308
bytes
(5) eap_tls: (TLS) EAP Expecting 2 fragments
(5) eap_tls: (TLS) EAP Got first TLS fragment (1398 bytes). Peer says more
fragments will follow
(5) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(5) eap-servicename: Sending EAP Request (code 1) ID 207 length 6
(5) eap-servicename: EAP session adding &reply:State = 0x15a54f0f106a4235
(5) [eap-servicename] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/servicename
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 1014
(5) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(5) Sent Access-Challenge Id 52 from 10.0.0.4:1812 to 1.2.3.4:34278 length
64
(5) EAP-Message = 0x01cf00060d00
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x15a54f0f106a423549e64d7d4c36d897
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 53 from 1.2.3.4:34278 to 10.0.0.4:1812
length 1163
(6) User-Name = "test1234(a)domain.org"
(6) NAS-IP-Address = 192.168.44.12
(6) NAS-Identifier = "E600-A16B02"
(6) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(6) NAS-Port-Id = "ET"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 1
(6) Calling-Station-Id = "E2-99-88-51-2A-A1"
(6) Connect-Info = "CONNECT 54Mbps 802.11a"
(6) Acct-Session-Id = "693ABFF4296F577A"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) WLAN-Group-Mgmt-Cipher = 1027078
(6) Framed-MTU = 1400
(6) EAP-Message =
0x02cf03940d00f3a55ed5c5036ec591d3b982ef738a0eed22dc154f64042eaf9d8d2fe20c0dd97eb61e963a2269d3f262534889c8678a8d42dc07336bf51a2b16d0657153bfe28fcc83fbbbf875589f16b5dc2f43cb35cd2e25a3800c5c60fe7832eb4f180c556a0f753854d1e7b54c3ca7d6b220d4cdf4eddf2b230c286e0ecdf072991018148cb6b9298e5b81cacb8b733b6b37ab1e2c91d56370304391877a4e3df07d3d9a69465c4de9b4ac7e851b25d4edb27df48a6cb46aecf886e9a25a98655b2c8b7d4c8b0fbe3800efeaabf751c61725b3adaf50268818670b6d6b3ac4c5cc7c9d8787bd9086fd97a57ffcd0b374f410af60c4386408d902bdc225e76ff476ac09f4218152090c925e3cbb518831e5c97e3a32314533efda13809c27e49dcda98b40d7cb9a971603030025100000212040372c6b398889bbeb241275299a51542d51146475d6934f2a5ca262334c027516030302080f00020408040200c2c25474568a7c94484af4e86258b362dc4b3bd4d585
(6) State = 0x15a54f0f106a423549e64d7d4c36d897
(6) Message-Authenticator = 0x47e9ae4c5eef6095dc69df9c7bb3027e
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 1014
(6) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(6) suffix: No such realm "domain.org"
(6) [suffix] = noop
(6) eap-servicename: Peer sent EAP Response (code 2) ID 207 length 916
(6) eap-servicename: No EAP Start, assuming it's an on-going EAP
conversation
(6) [eap-servicename] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap-servicename
(6) # Executing group from file /etc/raddb/sites-enabled/servicename
(6) authenticate {
(6) eap-servicename: Removing EAP session with state 0x15a54f0f106a4235
(6) eap-servicename: Previous EAP request found for state
0x15a54f0f106a4235, released from the list
(6) eap-servicename: Peer sent packet with method EAP TLS (13)
(6) eap-servicename: Calling submodule eap_tls to process data
(6) eap_tls: (TLS) EAP Done initial handshake
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate
(6) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain
(6) eap_tls: TLS-Cert-Serial := "1fd207b3bfa245ec9f1f630632d4c1a1"
(6) eap_tls: TLS-Cert-Expiration := "340807045107Z"
(6) eap_tls: TLS-Cert-Valid-Since := "240807044107Z"
(6) eap_tls: TLS-Cert-Subject := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(6) eap_tls: TLS-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(6) eap_tls: TLS-Cert-Common-Name := "SCEPman-Root-CA-V1"
(6) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain
(6) eap_tls: TLS-Client-Cert-Serial :=
"50c0804b19c3a25ccca19a49a87106af8b7e9ac5"
(6) eap_tls: TLS-Client-Cert-Expiration := "260816093608Z"
(6) eap_tls: TLS-Client-Cert-Valid-Since := "240815093608Z"
(6) eap_tls: TLS-Client-Cert-Subject := "/CN=testdevice(a)domain.org"
(6) eap_tls: TLS-Client-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(6) eap_tls: TLS-Client-Cert-Common-Name := "testdevice(a)domain.org"
(6) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"65:77:76:8A:D3:C0:8F:69:D0:06:7E:0E:E4:45:1C:C5:D1:02:D5:9E"
(6) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"52:6B:C1:99:FD:93:8F:DC:43:D1:54:18:46:C8:39:D0:AA:CD:8A:3C"
(6) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
Certificate chain - 1 intermediate CA cert(s) untrusted
To forbid these certificates see 'reject_unknown_intermediate_ca'
(TLS) untrusted certificate with depth [0] subject name /CN=
testdevice(a)domain.org
(6) eap_tls: Starting OCSP Request
(6) eap_tls: ocsp: Using responder URL "http://responderhost:80/ocsp"
This Update: Aug 27 10:30:21 2024 GMT
Next Update: Aug 27 10:40:21 2024 GMT
(6) eap_tls: ocsp: Cert status: good
(6) eap_tls: ocsp: Certificate is valid
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
certificate
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client key
exchange
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
certificate verify
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change
cipher spec
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished
(6) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change
cipher spec
(6) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished
(6) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished
successfully
(6) eap_tls: (TLS) TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
(6) eap-servicename: Sending EAP Request (code 1) ID 208 length 61
(6) eap-servicename: EAP session adding &reply:State = 0x15a54f0f13754235
(6) [eap-servicename] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/servicename
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 1014
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
CertificateVerify"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 53 from 10.0.0.4:1812 to 1.2.3.4:34278 length
119
(6) EAP-Message =
0x01d0003d0d80000000331403030001011603030028c7b5378da3badfb666bf510993d417130f51b97e0ba9dd960e67a15924dac5c2c2f842aa9f5f9695
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x15a54f0f1375423549e64d7d4c36d897
(6) Finished request
Waking up in 3.2 seconds.
(7) Received Access-Request Id 54 from 1.2.3.4:34278 to 10.0.0.4:1812
length 247
(7) User-Name = "test1234(a)domain.org"
(7) NAS-IP-Address = 192.168.44.12
(7) NAS-Identifier = "E600-A16B02"
(7) Called-Station-Id = "00-04-56-A1-6B-02:ET"
(7) NAS-Port-Id = "ET"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 1
(7) Calling-Station-Id = "E2-99-88-51-2A-A1"
(7) Connect-Info = "CONNECT 54Mbps 802.11a"
(7) Acct-Session-Id = "693ABFF4296F577A"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) WLAN-Group-Mgmt-Cipher = 1027078
(7) Framed-MTU = 1400
(7) EAP-Message = 0x02d000060d00
(7) State = 0x15a54f0f1375423549e64d7d4c36d897
(7) Message-Authenticator = 0x6e7d1312ef6ce87a5b8df766fbdbf1db
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 1014
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, CertificateVerify"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-ECDSA-AES128-GCM-SHA256"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/servicename
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "domain.org" for User-Name = "
test1234(a)domain.org"
(7) suffix: No such realm "domain.org"
(7) [suffix] = noop
(7) eap-servicename: Peer sent EAP Response (code 2) ID 208 length 6
(7) eap-servicename: No EAP Start, assuming it's an on-going EAP
conversation
(7) [eap-servicename] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap-servicename
(7) # Executing group from file /etc/raddb/sites-enabled/servicename
(7) authenticate {
(7) eap-servicename: Removing EAP session with state 0x15a54f0f13754235
(7) eap-servicename: Previous EAP request found for state
0x15a54f0f13754235, released from the list
(7) eap-servicename: Peer sent packet with method EAP TLS (13)
(7) eap-servicename: Calling submodule eap_tls to process data
(7) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
(7) eap_tls: (TLS) cache - Setting up attributes for session resumption
(7) eap_tls: caching EAP-Type = TLS
(7) eap_tls: caching TLS-Cert-Serial :=
"1fd207b3bfa245ec9f1f630632d4c1a1"
(7) eap_tls: caching TLS-Cert-Expiration := "340807045107Z"
(7) eap_tls: caching TLS-Cert-Valid-Since := "240807044107Z"
(7) eap_tls: caching TLS-Cert-Subject := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Cert-Common-Name := "SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Client-Cert-Serial :=
"50c0804b19c3a25ccca19a49a87106af8b7e9ac5"
(7) eap_tls: caching TLS-Client-Cert-Expiration := "260816093608Z"
(7) eap_tls: caching TLS-Client-Cert-Valid-Since := "240815093608Z"
(7) eap_tls: caching TLS-Client-Cert-Subject := "/CN=
testdevice(a)domain.org"
(7) eap_tls: caching TLS-Client-Cert-Issuer := "/O=Organisation
POC/OU=guid/CN=SCEPman-Root-CA-V1"
(7) eap_tls: caching TLS-Client-Cert-Common-Name := "
testdevice(a)domain.org"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"65:77:76:8A:D3:C0:8F:69:D0:06:7E:0E:E4:45:1C:C5:D1:02:D5:9E"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"52:6B:C1:99:FD:93:8F:DC:43:D1:54:18:46:C8:39:D0:AA:CD:8A:3C"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Basic-Constraints +=
"CA:FALSE"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS
Web Client Authentication"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(7) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session
will not be cached on disk.
(7) eap-servicename: Sending EAP Success (code 3) ID 208 length 4
(7) eap-servicename: Freeing handler
(7) [eap-servicename] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file
/etc/raddb/sites-enabled/servicename
(7) post-auth {
(7) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(7) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(7) update {
(7) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3
Handshake, ClientHello'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerHello'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, Certificate'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, Certificate'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, ClientKeyExchange'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, CertificateVerify'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, Finished'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
ChangeCipherSpec'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, Finished'
(7) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] ->
'ECDHE-ECDSA-AES128-GCM-SHA256'
(7) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(7) } # update = noop
(7) [exec] = noop
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(7) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(7) } # post-auth = noop
(7) Sent Access-Accept Id 54 from 10.0.0.4:1812 to 1.2.3.4:34278 length 193
(7) MS-MPPE-Recv-Key =
0x422eeba9c721d957df374175733b5f81ce4a645cf75a94d717bf620b2f2e5210
(7) MS-MPPE-Send-Key =
0x1a003c5f46f72a2705a522f099e4fc851b12c727805af41e87bd400a6d73557c
(7) EAP-Message = 0x03d00004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "test1234(a)domain.org"
(7) Framed-MTU += 1014
(7) Finished request
Waking up in 3.2 seconds.
(0) Cleaning up request packet ID 47 with timestamp +60 due to
cleanup_delay was reached
(1) Cleaning up request packet ID 48 with timestamp +60 due to
cleanup_delay was reached
(2) Cleaning up request packet ID 49 with timestamp +60 due to
cleanup_delay was reached
(3) Cleaning up request packet ID 50 with timestamp +60 due to
cleanup_delay was reached
(4) Cleaning up request packet ID 51 with timestamp +60 due to
cleanup_delay was reached
(5) Cleaning up request packet ID 52 with timestamp +60 due to
cleanup_delay was reached
Waking up in 1.3 seconds.
(6) Cleaning up request packet ID 53 with timestamp +60 due to
cleanup_delay was reached
(7) Cleaning up request packet ID 54 with timestamp +62 due to
cleanup_delay was reached
Ready to process requests
2
1
Hello,
Freeradius 3.2.1 is installed from debian packages (standard debian bookworm distribution). I have implemented a new module and added it as an .so. I built the module alongside Freeradius 3.2.1 (from github).
When enabling the module, I get the following error:
Mon Sep 9 15:29:38 2024 : Error: /etc/freeradius/3.0/mods-enabled/tba[1]: Failed loading module rlm_(null) from file /usr/lib/freeradius/rlm_tba.so
Mon Sep 9 15:29:38 2024 : Error: /etc/freeradius/3.0/mods-enabled/tba[1]: Application and rlm_(null) magic number (prefix) mismatch. application: 0 module: f0
Even if I write the simplest module, I get this issue.
The has the following binder. Can you tell me, where the issue is originating from, and how I can get the MAGIC number? I searched and tried out a lot, but at the end, had to implement the functionality as a python script. Getting the radius module running would help me a lot.
extern module_t rlm_tba;
module_t rlm_tba = {
.magic = RADIUSD_MAGIC_NUMBER,
.methods = {
[MOD_POST_AUTH] = tba_post_auth
}
};
Regards,
Dincer
2
2
Hello Community,
I am using EAP-TLS 1.3 and wan't to add an TLS Extension (not an X509 extension), to the handshake message (Certificate Request), in order to add the OID-Filters defined in TLS 1.3.
Is this a configuration or a source code extension I need to do in Freeradius? Or is it purely in OpenSSL?
Appreciate any help,
Dincer
2
1
The GPG key used to sign the Network RADIUS packages at
packages.networkradius.com expired. We have renewed the expiry date.
If you are using these packages then you may need to install the
refreshed key:
https://packages.networkradius.com/pgp/packages%40networkradius.com
--
Matthew
1
0