Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 12 participants
- 27047 discussions
Hi,
I've noticed that the acctstarttime on radacct table have some values I
don't understand.
In fact I have some routers (I work with mikrotik and hotspot + freeradius)
that are in Taiwan and others on Spain.
I thought that acctstarttime was set according the date time from the system
where is installed freeradius (centos + mariadb for me)
But I've seen today some rows from today (according radacctid) with a
different time stamp (1970-04-13):
I had an incorrect date on the mikrotik from the example, just the same date
that is on the database, so then I thought that the acctstartime comes from
router clock. but the routers I have In Taiwan with Taiwan clock don't save
on accstarttime the router clock, they still saving data according the
system where I have installed freeradius.
What do I miss ?
Thanks,
Oscar.
3
6
This should be easy. I'm sure I'm missing something obvious.
I want to run two virtual servers bound to different ports with each one
consulting a different "authorize" file. The "files" module seems bound
to whatever is in mods-enabled/files, which I can obviously change but
that changes it for both servers. Attempts to teach the files module a
different path have failed with various errors. Is there an example of
this somewhere? I could obviously run two completely separate instances
of freeradius (3.0.16 on Slackware Linux) but that seems silly.
--
Jay Rouman (jsr(a)edzone.net)
Gratiot/Isabella RESD, Ithaca, MI
2
1
3GPP: multiple attributes, port from file based authentication to sql
by Wolfgang Zeitler 24 Mar '18
by Wolfgang Zeitler 24 Mar '18
24 Mar '18
Hi there,
I'm currently running freeradius to authenticate mobile devices on a 4G network.
For authentication I have to check multiple attributes. The user - file is currently populated like that:
user Cleartext-password := "password", 3GPP-IMSI == 262011234567, Called-Station-ID == "apn-name"
User-Name = user,
Service-Type = Framed,
Framed-Protocol = GPRS-PDP-Context,
Framed-IPv6-Prefix = 2001:DB8::/64,
Framed-Interface-ID = 0:0:0:2,
Reply-Message = "Welcome To Lab Network",
Acct-Session-Id = 00000001,
I'm currently wondering, how to port that into the radcheck and the radreply table.
I understood, whith the default configuration, only one attribute will be checked, e.g. Cleartext-password
Thank you for support
Wolfgang
2
3
I'm currently using the rlm_sql_null driver to write accounting updates to
a flat file, which are then sent up to an external database using
radsqlrelay. On a very small percentage of the records (Maybe once out of
every million records or so), one of the lines gets truncated in the output
file, causing it to be merged with the next record. Here is one such
example. About halfway through the line, you can see where the first sql
statement is only partially written, and then the next UPDATE starts all on
the same line (AND AcctStopTime UPDATE radacct). radsqlrelay does not
handle this gracefully. When it fails to execute the invalid SQL it just
goes into an infinite loop, trying to execute that same SQL statement over
and over. Given the infrequency that it happens, I'm not sure that it would
feasible to get debug output from radiusd when it happens, although I'm
open to suggestions on how to capture any useful info. Wondering if anybody
has seen anything like before? I'm currently running the
freeradius-3.0.13-6.el7.x86_64 rpm from the EPEL repo for CentOS 7. It
doesn't happen often, but we're generating millions of accounting updates a
day across hundreds of freeradius servers, so it has been popping up
somewhere just about every day.
UPDATE radacct SET FramedIPAddress = NULLIF('172.21.22.24', '')::inet,
AcctSessionTime = 600, AcctInterval = (1520393120 - EXTRACT(EPOCH FROM
(COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime =
TO_TIMESTAMP(1520393120), AcctInputOctets = (('0'::bigint << 32) +
'0'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint) WHERE
(AcctUniqueId = 'fb8de85671b07d2387ec982a42bb4ea4') AND AcctStopTime UPDATE
radacct SET AcctStopTime = TO_TIMESTAMP(1520396146), AcctUpdateTime =
TO_TIMESTAMP(1520396146), AcctSessionTime = COALESCE(10806, (1520396146 -
EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('0'::bigint <<
32) + '0'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '0'::bigint),
AcctTerminateCause = '', FramedIPAddress = NULLIF('172.21.22.61',
'')::inet, ConnectInfo_stop = '' WHERE (AcctUniqueId =
'1c43554feb67bd56087b0656fefdad17') AND AcctStopTime IS NULL;
Shawn Asmussen
3
3
Hello Everyone,
I have setup freeradius in my lab environment to authenticate an Android
cell phone using EAP-SIM and a SIM card.
Performing a packet capture over the Wi-Fi, I was able to realize that the
phone receive the EAP-SIM challenge request but doesn't reply with a
EAP-SIM Challenge response. Instead, it replies with a EAP-SIM Client-Error
(0). I can also see the RAND values in the EAP-SIM Challenge Request packet.
I have used this script to generate the triplets (RAND, SRES and KC) using
the Ki number of the SIM card:
https://github.com/skelsec/COMP128/blob/master/COMP128.py
I have provided, below, the output of the freeradius server when I try to
connect.
Do you have an idea of what could be wrong?
Do you think it could be related to the triplets not being generated
correctly?
Thank you in advance!
Here are the logs:
(0) Received Access-Request Id 108 from 192.168.20.19:54927 to
192.168.20.17:1812 length 291
(0) User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(0) NAS-IP-Address = 192.168.20.19
(0) NAS-Port = 0
(0) NAS-Identifier = "192.168.20.19"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "c0eefb5acc11"
(0) Called-Station-Id = "000b86ee0268"
(0) Service-Type = Login-User
(0) Framed-MTU = 1100
(0) EAP-Message =
0x02010038013139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f7267
(0) Aruba-Essid-Name = "Test EAP-SIM"
(0) Aruba-Location-Id = "00:0b:86:ee:02:68"
(0) Aruba-AP-Group = "instant-EE:02:68"
(0) Message-Authenticator = 0x7c7de18dffeab059ae54da7999356d53
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(0) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 56
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x1646e2171644e69d
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Sent Access-Challenge Id 108 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0
(0) EAP-Message = 0x010200160410970ed9f6222d1151ea27852e700dfc83
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x1646e2171644e69d214aa497303ba7f5
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 109 from 192.168.20.19:54927 to
192.168.20.17:1812 length 259
(1) User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(1) NAS-IP-Address = 192.168.20.19
(1) NAS-Port = 0
(1) NAS-Identifier = "192.168.20.19"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "c0eefb5acc11"
(1) Called-Station-Id = "000b86ee0268"
(1) Service-Type = Login-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x020200060312
(1) State = 0x1646e2171644e69d214aa497303ba7f5
(1) Aruba-Essid-Name = "Test EAP-SIM"
(1) Aruba-Location-Id = "00:0b:86:ee:02:68"
(1) Aruba-AP-Group = "instant-EE:02:68"
(1) Message-Authenticator = 0x4b85a873255dd52687e055cdfde627c6
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(1) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry
1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org at line 96
(1) [files] = ok
(1) if (User-Name =~ /^[0-9]+/) {
(1) if (User-Name =~ /^[0-9]+/) -> TRUE
(1) if (User-Name =~ /^[0-9]+/) {
(1) update reply {
(1) EXPAND %{control:EAP-Sim-Rand1}
(1) --> 0x5e56fc4d1cb798dd53c4191e157472ac
(1) &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac
(1) EXPAND %{control:EAP-Sim-Rand2}
(1) --> 0x7711b7949ea67837276197a3bfc10561
(1) &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561
(1) EXPAND %{control:EAP-Sim-Rand3}
(1) --> 0xdb249cea25f603d22e193aa1ae792b20
(1) &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20
(1) EXPAND %{control:EAP-Sim-SRES1}
(1) --> 0x47c9aae3
(1) &EAP-Sim-SRES1 := 0x47c9aae3
(1) EXPAND %{control:EAP-Sim-SRES2}
(1) --> 0x7112acb0
(1) &EAP-Sim-SRES2 := 0x7112acb0
(1) EXPAND %{control:EAP-Sim-SRES3}
(1) --> 0x12d89ed9
(1) &EAP-Sim-SRES3 := 0x12d89ed9
(1) EXPAND %{control:EAP-Sim-KC1}
(1) --> 0x44fb0ab88d208400
(1) &EAP-Sim-KC1 := 0x44fb0ab88d208400
(1) EXPAND %{control:EAP-Sim-KC2}
(1) --> 0x9135bb2807184400
(1) &EAP-Sim-KC2 := 0x9135bb2807184400
(1) EXPAND %{control:EAP-Sim-KC3}
(1) --> 0x783fa135bbb97000
(1) &EAP-Sim-KC3 := 0x783fa135bbb97000
(1) } # update reply = noop
(1) } # if (User-Name =~ /^[0-9]+/) = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password
is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x1646e2171644e69d
(1) eap: Finished EAP session with state 0x1646e2171644e69d
(1) eap: Previous EAP request found for state 0x1646e2171644e69d, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type SIM (18)
(1) eap: Calling submodule eap_sim to process data
(1) eap: Sending EAP Request (code 1) ID 90 length 20
(1) eap: EAP session adding &reply:State = 0x1646e217171cf09d
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Sent Access-Challenge Id 109 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0
(1) EAP-Message = 0x015a0014120a00000f0200020001000011010100
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x1646e217171cf09d214aa497303ba7f5
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 110 from 192.168.20.19:54927 to
192.168.20.17:1812 length 341
(2) User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(2) NAS-IP-Address = 192.168.20.19
(2) NAS-Port = 0
(2) NAS-Identifier = "192.168.20.19"
(2) NAS-Port-Type = Wireless-802.11
(2) Calling-Station-Id = "c0eefb5acc11"
(2) Called-Station-Id = "000b86ee0268"
(2) Service-Type = Login-User
(2) Framed-MTU = 1100
(2) EAP-Message =
0x025a0058120a0000100100010705000043cdc6794d84b18456e0fe40aee0d7e20e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
(2) State = 0x1646e217171cf09d214aa497303ba7f5
(2) Aruba-Essid-Name = "Test EAP-SIM"
(2) Aruba-Location-Id = "00:0b:86:ee:02:68"
(2) Aruba-AP-Group = "instant-EE:02:68"
(2) Message-Authenticator = 0xa4a1ade2eae64052c6f0aa2ecc3ea908
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(2) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 90 length 88
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) files: users: Matched entry
1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org at line 96
(2) [files] = ok
(2) if (User-Name =~ /^[0-9]+/) {
(2) if (User-Name =~ /^[0-9]+/) -> TRUE
(2) if (User-Name =~ /^[0-9]+/) {
(2) update reply {
(2) EXPAND %{control:EAP-Sim-Rand1}
(2) --> 0x5e56fc4d1cb798dd53c4191e157472ac
(2) &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac
(2) EXPAND %{control:EAP-Sim-Rand2}
(2) --> 0x7711b7949ea67837276197a3bfc10561
(2) &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561
(2) EXPAND %{control:EAP-Sim-Rand3}
(2) --> 0xdb249cea25f603d22e193aa1ae792b20
(2) &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20
(2) EXPAND %{control:EAP-Sim-SRES1}
(2) --> 0x47c9aae3
(2) &EAP-Sim-SRES1 := 0x47c9aae3
(2) EXPAND %{control:EAP-Sim-SRES2}
(2) --> 0x7112acb0
(2) &EAP-Sim-SRES2 := 0x7112acb0
(2) EXPAND %{control:EAP-Sim-SRES3}
(2) --> 0x12d89ed9
(2) &EAP-Sim-SRES3 := 0x12d89ed9
(2) EXPAND %{control:EAP-Sim-KC1}
(2) --> 0x44fb0ab88d208400
(2) &EAP-Sim-KC1 := 0x44fb0ab88d208400
(2) EXPAND %{control:EAP-Sim-KC2}
(2) --> 0x9135bb2807184400
(2) &EAP-Sim-KC2 := 0x9135bb2807184400
(2) EXPAND %{control:EAP-Sim-KC3}
(2) --> 0x783fa135bbb97000
(2) &EAP-Sim-KC3 := 0x783fa135bbb97000
(2) } # update reply = noop
(2) } # if (User-Name =~ /^[0-9]+/) = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password
is available
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x1646e217171cf09d
(2) eap: Finished EAP session with state 0x1646e217171cf09d
(2) eap: Previous EAP request found for state 0x1646e217171cf09d, released
from the list
(2) eap: Peer sent packet with method EAP SIM (18)
(2) eap: Calling submodule eap_sim to process data
(2) eap_sim: EAP-SIM decoded packet
(2) eap_sim: User-Name = "
1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(2) eap_sim: NAS-IP-Address = 192.168.20.19
(2) eap_sim: NAS-Port = 0
(2) eap_sim: NAS-Identifier = "192.168.20.19"
(2) eap_sim: NAS-Port-Type = Wireless-802.11
(2) eap_sim: Calling-Station-Id = "c0eefb5acc11"
(2) eap_sim: Called-Station-Id = "000b86ee0268"
(2) eap_sim: Service-Type = Login-User
(2) eap_sim: Framed-MTU = 1100
(2) eap_sim: EAP-Message =
0x025a0058120a0000100100010705000043cdc6794d84b18456e0fe40aee0d7e20e0e00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
(2) eap_sim: State = 0x1646e217171cf09d214aa497303ba7f5
(2) eap_sim: Aruba-Essid-Name = "Test EAP-SIM"
(2) eap_sim: Aruba-Location-Id = "00:0b:86:ee:02:68"
(2) eap_sim: Aruba-AP-Group = "instant-EE:02:68"
(2) eap_sim: Message-Authenticator = 0xa4a1ade2eae64052c6f0aa2ecc3ea908
(2) eap_sim: Event-Timestamp = "Mar 22 2018 20:34:34 UTC"
(2) eap_sim: EAP-Type = SIM
(2) eap_sim: EAP-Sim-Subtype = Start
(2) eap_sim: EAP-Sim-SELECTED_VERSION = 0x0001
(2) eap_sim: EAP-Sim-NONCE_MT = 0x000043cdc6794d84b18456e0fe40aee0d7e2
(2) eap_sim: EAP-Sim-IDENTITY =
0x00333139303137303030303030323032343040776c616e2e6d6e633037302e6d63633930312e336770706e6574776f726b2e6f726700
(2) eap: Sending EAP Request (code 1) ID 91 length 80
(2) eap: EAP session adding &reply:State = 0x1646e217141df09d
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Sent Access-Challenge Id 110 from 192.168.20.17:1812 to
192.168.20.19:54927 length 0
(2) EAP-Message =
0x015b0050120b0000010d00005e56fc4d1cb798dd53c4191e157472ac7711b7949ea67837276197a3bfc10561db249cea25f603d22e193aa1ae792b200b050000e2a774c8fd253915e0e4dfe1d832709e
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x1646e217141df09d214aa497303ba7f5
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 111 from 192.168.20.19:54927 to
192.168.20.17:1812 length 265
(3) User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(3) NAS-IP-Address = 192.168.20.19
(3) NAS-Port = 0
(3) NAS-Identifier = "192.168.20.19"
(3) NAS-Port-Type = Wireless-802.11
(3) Calling-Station-Id = "c0eefb5acc11"
(3) Called-Station-Id = "000b86ee0268"
(3) Service-Type = Login-User
(3) Framed-MTU = 1100
(3) EAP-Message = 0x025b000c120e000016010000
(3) State = 0x1646e217141df09d214aa497303ba7f5
(3) Aruba-Essid-Name = "Test EAP-SIM"
(3) Aruba-Location-Id = "00:0b:86:ee:02:68"
(3) Aruba-AP-Group = "instant-EE:02:68"
(3) Message-Authenticator = 0xf23c8af6d4ad1d8640f4ad602564c6bb
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "wlan.mnc070.mcc901.3gppnetwork.org" for
User-Name = "1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org"
(3) suffix: No such realm "wlan.mnc070.mcc901.3gppnetwork.org"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 91 length 12
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) files: users: Matched entry
1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org at line 96
(3) [files] = ok
(3) if (User-Name =~ /^[0-9]+/) {
(3) if (User-Name =~ /^[0-9]+/) -> TRUE
(3) if (User-Name =~ /^[0-9]+/) {
(3) update reply {
(3) EXPAND %{control:EAP-Sim-Rand1}
(3) --> 0x5e56fc4d1cb798dd53c4191e157472ac
(3) &EAP-Sim-Rand1 := 0x5e56fc4d1cb798dd53c4191e157472ac
(3) EXPAND %{control:EAP-Sim-Rand2}
(3) --> 0x7711b7949ea67837276197a3bfc10561
(3) &EAP-Sim-Rand2 := 0x7711b7949ea67837276197a3bfc10561
(3) EXPAND %{control:EAP-Sim-Rand3}
(3) --> 0xdb249cea25f603d22e193aa1ae792b20
(3) &EAP-Sim-Rand3 := 0xdb249cea25f603d22e193aa1ae792b20
(3) EXPAND %{control:EAP-Sim-SRES1}
(3) --> 0x47c9aae3
(3) &EAP-Sim-SRES1 := 0x47c9aae3
(3) EXPAND %{control:EAP-Sim-SRES2}
(3) --> 0x7112acb0
(3) &EAP-Sim-SRES2 := 0x7112acb0
(3) EXPAND %{control:EAP-Sim-SRES3}
(3) --> 0x12d89ed9
(3) &EAP-Sim-SRES3 := 0x12d89ed9
(3) EXPAND %{control:EAP-Sim-KC1}
(3) --> 0x44fb0ab88d208400
(3) &EAP-Sim-KC1 := 0x44fb0ab88d208400
(3) EXPAND %{control:EAP-Sim-KC2}
(3) --> 0x9135bb2807184400
(3) &EAP-Sim-KC2 := 0x9135bb2807184400
(3) EXPAND %{control:EAP-Sim-KC3}
(3) --> 0x783fa135bbb97000
(3) &EAP-Sim-KC3 := 0x783fa135bbb97000
(3) } # update reply = noop
(3) } # if (User-Name =~ /^[0-9]+/) = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(3) pap: WARNING: Authentication will fail unless a "known good" password
is available
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x1646e217141df09d
(3) eap: Finished EAP session with state 0x1646e217141df09d
(3) eap: Previous EAP request found for state 0x1646e217141df09d, released
from the list
(3) eap: Peer sent packet with method EAP SIM (18)
(3) eap: Calling submodule eap_sim to process data
(3) eap: ERROR: Failed continuing EAP SIM (18) session. EAP sub-module
failed
(3) eap: Sending EAP Failure (code 4) ID 91 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: -->
1901700000020240(a)wlan.mnc070.mcc901.3gppnetwork.org
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 111 from 192.168.20.17:1812 to 192.168.20.19:54927
length 44
(3) EAP-Message = 0x045b0004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
(0) Cleaning up request packet ID 108 with timestamp +14
(1) Cleaning up request packet ID 109 with timestamp +14
(2) Cleaning up request packet ID 110 with timestamp +14
Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 111 with timestamp +14
Ready to process requests
--
François
4
5
Good Morning !
We are working on using the RLM_Rest to query a Web Server. When I run
radiusd -X we receive the following error.
/etc/raddb/mods-enabled/rest[1]: Failed to link to module 'rlm_rest':
/usr/lib64/freeradius/rlm_rest.so: cannot open shared object file: No such
file or directory
Not sure if I am missing a package or if I have to compile something to
create the RLM_REST.SO File. I definitely do not have the file in the
directory shown below.
What is the process to create this file?
Thank You
Chris
Contents of the directory:
/usr/lib64/freeradius/
libfreeradius-dhcp.so rlm_chap.so rlm_eap_leap.so
rlm_exec.so rlm_pam.so rlm_sqlippool.so
libfreeradius-eap.so rlm_counter.so rlm_eap_md5.so
rlm_expiration.so rlm_pap.so rlm_sql_mysql.so
libfreeradius-radius.so rlm_cram.so rlm_eap_mschapv2.so
rlm_expr.so rlm_passwd.so rlm_sql_null.so
libfreeradius-server.so rlm_date.so rlm_eap_peap.so
rlm_files.so rlm_preprocess.so rlm_sql.so
proto_dhcp.so rlm_detail.so rlm_eap_pwd.so
rlm_ippool.so rlm_radutmp.so rlm_unix.so
proto_vmps.so rlm_dhcp.so rlm_eap_sim.so
rlm_ldap.so rlm_realm.so rlm_unpack.so
rlm_always.so rlm_digest.so rlm_eap.so
rlm_linelog.so rlm_replicate.so rlm_utf8.so
rlm_attr_filter.so rlm_dynamic_clients.so rlm_eap_tls.so
rlm_logintime.so rlm_soh.so rlm_wimax.so
rlm_cache_rbtree.so rlm_eap_fast.so rlm_eap_tnc.so
rlm_mschap.so rlm_sometimes.so rlm_yubikey.so
rlm_cache.so rlm_eap_gtc.so rlm_eap_ttls.so
rlm_otp.so rlm_sqlcounter.so
2
4
Hello,
please could any one tell me why redis reject connection coming from unkown
IP source, for example if my freerdaius server started on eth1 and my redis
server is listening on eth2 ( other range) when i try to connect to redis
from my freerdaius server, the connection can't established because the IP
source is on other range the destination IP address. is there any
possibilit to start freerdius on a specific interface.
Thanks in advance
2
1
Hello
I'm working on a management panel for multiple use. In the query. conf
file, I made changes to the queries for the tenant_id arm. But it gives
error in the Acct table. I get a syntax error. Please help me.
I want to do it; Print the tenant_id number that I created in the NAS table
to the TENANT_ID table in the Acct table... as a condition, reellipaddr =%
{Nas-IP-Address}
Thanks
Received Accounting-Request Id 130 from 192.168.7.1:24103 to
192.168.7.237:1813 length 164
NAS-IP-Address = 192.168.22.188
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'emrah'
Acct-Status-Type = Start
Acct-Authentic = RADIUS
NAS-IP-Address = 192.168.22.188
NAS-Identifier = 'pfSense.localdomain'
NAS-Port-Type = Ethernet
NAS-Port = 2012
Acct-Session-Id = '27e89601da582df5'
Framed-IP-Address = 192.168.7.237
Called-Station-Id = '192.168.22.188'
Calling-Station-Id = '08-00-27-78-09-cd'
(65) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(65) preacct {
(65) [preprocess] = ok
(65) acct_unique acct_unique {
(65) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i)
(65) EXPAND %{string:Class}
(65) -->
(65) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(65) else else {
(65) update request {
(65) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(65) --> 35096e6b3a3e563444ee6e26cf7ced1f
(65) Acct-Unique-Session-Id := '"35096e6b3a3e563444ee6e26cf7ced1f"'
(65) } # update request = noop
(65) } # else else = noop
(65) } # acct_unique acct_unique = noop
(65) suffix : No '@' in User-Name = "emrah", looking up realm NULL
(65) suffix : No such realm "NULL"
(65) [suffix] = noop
(65) [files] = noop
(65) } # preacct = ok
(65) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(65) accounting {
(65) detail : EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(65) detail : --> /var/log/freeradius/radacct/192.168.7.1/detail-20180320
(65) detail :
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.7.1/detail-20180320
(65) detail : EXPAND %t
(65) detail : --> Tue Mar 20 17:53:35 2018
(65) [detail] = ok
(65) [unix] = ok
(65) sql : EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(65) sql : --> type.start.query
(65) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (42)
(65) sql : EXPAND %{User-Name}
(65) sql : --> emrah
(65) sql : SQL-User-Name set to 'emrah'
(65) sql : EXPAND INSERT INTO rad_accts (tenant_id, acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES (SELECT nas.tenant_id FROM nas WHERE nas.realipaddr
= '%{NAS-IP-Address}', '%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(65) sql : --> INSERT INTO rad_accts (tenant_id, acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES (SELECT nas.tenant_id FROM nas WHERE nas.realipaddr
= '192.168.22.188', '27e89601da582df5', '35096e6b3a3e563444ee6e26cf7ced1f',
'emrah', '', '192.168.22.188', '2012', 'Ethernet',
FROM_UNIXTIME(1521561215), FROM_UNIXTIME(1521561215), NULL, '0', 'RADIUS',
'', '', '0', '0', '192.168.22.188', '08-00-27-78-09-cd', '', '', '',
'192.168.7.237')
rlm_sql (sql): Executing query: 'INSERT INTO rad_accts (tenant_id,
acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctupdatetime, acctstoptime,
acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES (SELECT nas.tenant_id FROM nas WHERE nas.realipaddr
= '192.168.22.188', '27e89601da582df5', '35096e6b3a3e563444ee6e26cf7ced1f',
'emrah', '', '192.168.22.188', '2012', 'Ethernet',
FROM_UNIXTIME(1521561215), FROM_UNIXTIME(1521561215), NULL, '0', 'RADIUS',
'', '', '0', '0', '192.168.22.188', '08-00-27-78-09-cd', '', '', '',
'192.168.7.237')'
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql (sql): You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use near
'SELECT nas.tenant_id FROM nas WHERE nas.realipaddr = '192.168.22.188',
'27e89601' at line 1
rlm_sql_mysql: MYSQL check_error: 1064 received
rlm_sql_mysql: Cannot store result
rlm_sql_mysql: MySQL error 'You have an error in your SQL syntax; check the
manual that corresponds to your MariaDB server version for the right syntax
to use near 'SELECT nas.tenant_id FROM nas WHERE nas.realipaddr =
'192.168.22.188', '27e89601' at line 1'
(65) sql : Trying next query...
(65) sql : EXPAND UPDATE rad_accts SET acctstarttime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctupdatetime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'
(65) sql : --> UPDATE rad_accts SET acctstarttime =
FROM_UNIXTIME(1521561215), acctupdatetime = FROM_UNIXTIME(1521561215),
connectinfo_start = '' WHERE acctsessionid = '27e89601da582df5' AND username =
'emrah' AND nasipaddress = '192.168.22.188'
rlm_sql (sql): Executing query: 'UPDATE rad_accts SET acctstarttime =
FROM_UNIXTIME(1521561215), acctupdatetime = FROM_UNIXTIME(1521561215),
connectinfo_start = '' WHERE acctsessionid = '27e89601da582df5' AND username =
'emrah' AND nasipaddress = '192.168.22.188''
rlm_sql_mysql: Rows matched: 0 Changed: 0 Warnings: 0
(65) sql : No records updated
(65) sql : No additional queries configured
rlm_sql (sql): Released connection (42)
rlm_sql (sql): Opening additional connection (43)
rlm_sql_mysql: Starting connect to MySQL server
(65) [sql] = noop
(65) [exec] = noop
(65) attr_filter.accounting_response : EXPAND %{User-Name}
(65) attr_filter.accounting_response : --> emrah
(65) attr_filter.accounting_response : Matched entry DEFAULT at line 12
(65) [attr_filter.accounting_response] = updated
(65) } # accounting = updated
Sending Accounting-Response Id 130 from 192.168.7.237:1813 to
192.168.7.1:24103
(65) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 175 from 192.168.7.1:47006 to 192.168.7.237:1812
length 131
NAS-IP-Address = 192.168.22.188
NAS-Identifier = 'pfSense.localdomain'
User-Name = 'emrah'
User-Password = '123'
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 2012
Framed-IP-Address = 192.168.7.237
Called-Station-Id = '192.168.22.188'
Calling-Station-Id = '08-00-27-78-09-cd'
(66) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(66) authorize {
(66) filter_username filter_username {
(66) if (User-Name != "%{tolower:%{User-Name}}")
(66) EXPAND %{tolower:%{User-Name}}
(66) --> emrah
(66) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(66) if (User-Name =~ / /)
(66) if (User-Name =~ / /) -> FALSE
(66) if (User-Name =~ /@.*@/ )
(66) if (User-Name =~ /@.*@/ ) -> FALSE
(66) if (User-Name =~ /\\.\\./ )
(66) if (User-Name =~ /\\.\\./ ) -> FALSE
(66) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/))
(66) if ((User-Name =~ /@/) && (User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(66) if (User-Name =~ /\\.$/)
(66) if (User-Name =~ /\\.$/) -> FALSE
(66) if (User-Name =~ /(a)\\./)
(66) if (User-Name =~ /(a)\\./) -> FALSE
(66) } # filter_username filter_username = notfound
(66) [preprocess] = ok
(66) [chap] = noop
(66) [mschap] = noop
(66) [digest] = noop
(66) suffix : No '@' in User-Name = "emrah", looking up realm NULL
(66) suffix : No such realm "NULL"
(66) [suffix] = noop
(66) eap : No EAP-Message, not doing EAP
(66) [eap] = noop
(66) sql : EXPAND %{User-Name}
(66) sql : --> emrah
(66) sql : SQL-User-Name set to 'emrah'
rlm_sql (sql): Reserved connection (43)
(66) sql : EXPAND SELECT rad_checks.id, rad_checks.username,
rad_checks.attribu, rad_checks.value, rad_checks.op, rad_checks.tenant_id,
nas.realipaddr FROM rad_checks INNER JOIN nas ON username =
'%{SQL-User-Name}' AND nas.realipaddr = '%{NAS-IP-Address}' ORDER BY id
(66) sql : --> SELECT rad_checks.id, rad_checks.username,
rad_checks.attribu, rad_checks.value, rad_checks.op, rad_checks.tenant_id,
nas.realipaddr FROM rad_checks INNER JOIN nas ON username = 'emrah' AND
nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_checks.id, rad_checks.username,
rad_checks.attribu, rad_checks.value, rad_checks.op, rad_checks.tenant_id,
nas.realipaddr FROM rad_checks INNER JOIN nas ON username = 'emrah' AND
nas.realipaddr = '192.168.22.188' ORDER BY id'
(66) sql : User found in radcheck table
(66) sql : Check items matched
(66) sql : EXPAND SELECT rad_replies.id, rad_replies.username,
rad_replies.attribu, rad_replies.value, rad_replies.op,
rad_replies.tenant_id, nas.realipaddr FROM rad_replies INNER JOIN nas ON
username = '%{SQL-User-Name}' AND nas.realipaddr = '%{NAS-IP-Address}'
ORDER BY id
(66) sql : --> SELECT rad_replies.id, rad_replies.username,
rad_replies.attribu, rad_replies.value, rad_replies.op,
rad_replies.tenant_id, nas.realipaddr FROM rad_replies INNER JOIN nas ON
username = 'emrah' AND nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_replies.id,
rad_replies.username, rad_replies.attribu, rad_replies.value,
rad_replies.op, rad_replies.tenant_id, nas.realipaddr FROM rad_replies
INNER JOIN nas ON username = 'emrah' AND nas.realipaddr = '192.168.22.188'
ORDER BY id'
(66) sql : EXPAND SELECT rad_user_groups.groupname, nas.realipaddr FROM
rad_user_groups INNER JOIN nas ON username = '%{SQL-User-Name}' AND
nas.realipaddr = '%{NAS-IP-Address}' ORDER BY priority
(66) sql : --> SELECT rad_user_groups.groupname, nas.realipaddr FROM
rad_user_groups INNER JOIN nas ON username = 'emrah' AND nas.realipaddr =
'192.168.22.188' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT rad_user_groups.groupname,
nas.realipaddr FROM rad_user_groups INNER JOIN nas ON username = 'emrah'
AND nas.realipaddr = '192.168.22.188' ORDER BY priority'
(66) sql : User found in the group table
(66) sql : EXPAND SELECT rad_group_checks.id, rad_group_checks.groupname,
rad_group_checks.attribu, rad_group_checks.Value, rad_group_checks.op,
nas.realipaddr FROM rad_group_checks INNER JOIN nas ON groupname =
'%{Sql-Group}' AND nas.realipaddr = '%{NAS-IP-Address}' ORDER BY id
(66) sql : --> SELECT rad_group_checks.id, rad_group_checks.groupname,
rad_group_checks.attribu, rad_group_checks.Value, rad_group_checks.op,
nas.realipaddr FROM rad_group_checks INNER JOIN nas ON groupname = 'tes'
AND nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_group_checks.id,
rad_group_checks.groupname, rad_group_checks.attribu,
rad_group_checks.Value, rad_group_checks.op, nas.realipaddr FROM
rad_group_checks INNER JOIN nas ON groupname = 'tes' AND nas.realipaddr =
'192.168.22.188' ORDER BY id'
(66) sql : Group "tes" check items matched
(66) sql : EXPAND SELECT rad_group_replies.id, rad_group_replies.groupname,
rad_group_replies.attribu, rad_group_replies.Value, rad_group_replies.op,
nas.realipaddr FROM rad_group_replies INNER JOIN nas ON groupname =
'%{Sql-Group}' AND nas.realipaddr = '%{NAS-IP-Address}' ORDER BY id
(66) sql : --> SELECT rad_group_replies.id, rad_group_replies.groupname,
rad_group_replies.attribu, rad_group_replies.Value, rad_group_replies.op,
nas.realipaddr FROM rad_group_replies INNER JOIN nas ON groupname = 'tes'
AND nas.realipaddr = '192.168.22.188' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT rad_group_replies.id,
rad_group_replies.groupname, rad_group_replies.attribu,
rad_group_replies.Value, rad_group_replies.op, nas.realipaddr FROM
rad_group_replies INNER JOIN nas ON groupname = 'tes' AND nas.realipaddr =
'192.168.22.188' ORDER BY id'
(66) sql : Group "tes" reply items processed
rlm_sql (sql): Released connection (43)
(66) [sql] = ok
(66) [expiration] = noop
(66) [logintime] = noop
(66) WARNING: dailycounter : Couldn't find control attribute
'control:Max-Daily-Session'
(66) [dailycounter] = noop
(66) WARNING: noresetcounter : Couldn't find control attribute
'control:Max-All-Session'
(66) [noresetcounter] = noop
(66) WARNING: monthlycounter : Couldn't find control attribute
'control:Max-Monthly-Session'
(66) [monthlycounter] = noop
(66) WARNING: expire_on_login : Couldn't find control attribute
'control:Expire-After'
(66) [expire_on_login] = noop
(66) [pap] = updated
(66) } # authorize = updated
(66) Found Auth-Type = PAP
(66) # Executing group from file /etc/freeradius/sites-enabled/default
(66) Auth-Type PAP {
(66) pap : Login attempt with password
(66) pap : User authenticated successfully
(66) [pap] = ok
(66) } # Auth-Type PAP = ok
(66) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(66) post-auth {
(66) sql : EXPAND .query
(66) sql : --> .query
(66) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (43)
(66) sql : EXPAND %{User-Name}
(66) sql : --> emrah
(66) sql : SQL-User-Name set to 'emrah'
(66) sql : EXPAND INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(66) sql : --> INSERT INTO rad_post_auths (username, pass, reply,
authdate) VALUES ( 'emrah', '123', 'Access-Accept', '2018-03-20 17:53:35')
rlm_sql (sql): Executing query: 'INSERT INTO rad_post_auths (username,
pass, reply, authdate) VALUES ( 'emrah', '123', 'Access-Accept',
'2018-03-20 17:53:35')'
rlm_sql (sql): Released connection (43)
(66) [sql] = ok
(66) [exec] = noop
(66) remove_reply_message_if_eap remove_reply_message_if_eap {
(66) if (reply:EAP-Message && reply:Reply-Message)
(66) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(66) else else {
(66) [noop] = noop
(66) } # else else = noop
(66) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(66) } # post-auth = ok
Sending Access-Accept Id 175 from 192.168.7.237:1812 to 192.168.7.1:47006
WISPr-Bandwidth-Max-Down = 10485760
(66) Finished request
Waking up in 0.2 seconds.
(65) Cleaning up request packet ID 130 with timestamp +1262
Waking up in 4.7 seconds.
(66) Cleaning up request packet ID 175 with timestamp +1262
3
13
Hi Team.
I am trying to Implement FreeRadius via EAP-TTLS (pap - ldap)
I have looked the guides and have been reading up on this for a week. My instance uses FreeIPA LDAP. (SSHA512)
below is the output.
freeradius: FreeRADIUS Version 2.2.8, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:27:21
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client localhost {
ipaddr = 10.0.2.2
require_message_authenticator = no
secret = "hell0swarm"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "gtc"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "ipa.sandbox.local"
port = 389
password = "Southgate1"
expect_password = yes
identity = "cn=Directory Manager"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "cn=users,cn=accounts,dc=sandbox,dc=local"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x15d7850
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 35045
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=42, length=163
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029b000b01726164697573
Message-Authenticator = 0x0f1f7c927f6db37977b667e7510a354f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 155 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: cn=users,cn=accounts,dc=sandbox,dc=local -> cn=users,cn=accounts,dc=sandbox,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ipa.sandbox.local:389, authentication 0
[ldap] bind as cn=Directory Manager/Southgate1 to ipa.sandbox.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in cn=users,cn=accounts,dc=sandbox,dc=local, with filter (uid=radius)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA512}ySH+q7QCAIgZTd2xIXSLPsrej/rAUViTnWiw0Zl7N5CE/lWl0Miuh4LaPJnYhAzmwlYce8PF4fi3CcuqJNEOxnkUPcVgbkri"
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Found unknown header {{SSHA512}}: Not doing anything
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 42 to 10.0.2.2 port 34310
EAP-Message = 0x019c00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860ea4727adc5a25aedf2dd369
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=43, length=331
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029c00a115800000009716030100920100008e03035ab2477bedbb703081c1b65a23d01a19d04db4011e48b2ef5d064a9bd6aa54d200002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
State = 0x0e3867860ea4727adc5a25aedf2dd369
Message-Authenticator = 0xeca2aaff8bd094193c66de7b01faa0c4
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 156 length 161
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 151
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0092]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02dc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 43 to 10.0.2.2 port 34310
EAP-Message = 0x019d040015c00000047a1603030039020000350303f7f6fee4c943e8e4f7547e9299f37d933ab09c1b567045c797d1ba015ce5112f00c03000000dff01000100000b00040300010216030302dc0b0002d80002d50002d2308202ce308201b6a003020102020900fd39d198e112ad9f300d06092a864886f70d01010b0500301f311d301b06035504030c147261646975732e73616e64626f782e6c6f63616c301e170d3138303332313130323332375a170d3238303331383130323332375a301f311d301b06035504030c147261646975732e73616e64626f782e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a02
EAP-Message = 0x82010100ce219bada0c8b6f1a48bc90d496e523570118a889e95f36b136b1e91d50cf8cca976dbf51620dd656261e70466437dc581ec9d99330da2fb1f7047ac458fc0b7779ebbadb572e977668a64c5f709cad94a6a7a6372b45f2c30ac5c290b47787c06e444513161142ac0eb82b0f4e6fab14a382ff1f1cec9d3f46f3a0736e3b8baf9645e89e9886f321631d33ae09c4a1c34af1339fb3bc63ec68eaba9c2bdeb84712f72f328b9174181f3dc9dedd31b64fe72f2082b2ff2101c4e31de36a40d2625317d6670e903035ae405dbaf92933a775f91ce604ad3cf02461fba04881028d94bad652ba648ae199682957f755d11e0bd783851ac6d57ac
EAP-Message = 0x1d13851623b1310203010001a30d300b30090603551d1304023000300d06092a864886f70d01010b05000382010100413ba9e7b8cf26856d848f6a672c3a5dd94c518f684e574fa24f984a004bfcb25b38424341bfe32ac2d091461e194c68a95062236e1ff49b6960146fd872ecefbeae7be43ea5741dea66b535bfdf1b490f71b6b50cc60eaa3e7245f53247b8914fc42a6b2cf42bdfb266ceaf1b3aaa3e851e0e957907b05cbb28ffce88a575ecf8a7846fe645aca916c1c834ebdb26459a7db573d753187baec11f1d6292aac1f369c81c32c9d423d3a440a5303d59615d76cbd74bc300723740de6636835af4341e6023e70f01f04aa03efe6b93
EAP-Message = 0x37d95c5c24c6e75e36e51200314ff603ee4b653d4ff543cfe5e30f688a7b819ee930ddc87fcc801ac1c5cbde2ce24082d34d160303014d0c0001490300174104cd053d5984e96d3d36e72944e2887edf4a012023ffad7d5e90601656a795b6ae9746916786f4df5d89ec9618e5e0b6a0003cbb9b902f526c9a14032dd77f076d0401010097f9597eccd4db59362def5618431b862e55a7878bca6b157702e2e3658eabb5e4508eb983469b522ad9e7a922e3aeae82315df9ac3a38b42eed0ee05a3bc3a4a13708dec33575318363aed88506bf498fcf61e569d90148294dfdbc55e46d0f9362f61afc52bcf86128da341fa3046024f51c04f8ecaba072
EAP-Message = 0x90f02c1a99bfba1cb78a047c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860fa5727adc5a25aedf2dd369
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=44, length=176
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029d00061500
State = 0x0e3867860fa5727adc5a25aedf2dd369
Message-Authenticator = 0xf20af72004f37da09929c90d0125548a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 157 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 44 to 10.0.2.2 port 34310
EAP-Message = 0x019e008e15800000047a518b5554214bfa9f8acaefa8bf7b2021038e2f019bd21bc6788acb04f936090b30c4b8d99c6d6dc2c40766289107b4be86de1e03e0a7c8d8433c1735a44da6afbd8526b0d09e6c785023c4d5e95386561705a58df52c5b5a7f5da1d74d430c358475d017ab31aa18b691aecd91c82aad7b9fb1b4d997ff06d911f516030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860ca6727adc5a25aedf2dd369
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=45, length=306
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029e008815800000007e160303004610000042410499f7272fd2b18dd745f5369bc0f61dc19dc4db7e52c37c20fc03b230b3906079a5c78f17176611bff6bebd2c4e84f9b77dcf81d4eaaea4f88299bf9cd47720fd1403030001011603030028d029786083d7f81dfe2d89690a000c3c22bfed6672ad9c284b31fae24755486b1026858e2a163ceb
State = 0x0e3867860ca6727adc5a25aedf2dd369
Message-Authenticator = 0xd2090eacf30fa9bd347d218d065db656
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 158 length 136
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 126
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 45 to 10.0.2.2 port 34310
EAP-Message = 0x019f003d1580000000331403030001011603030028ab9c5933cc6f2f6115097fb866282b2177bebf872b2e0f3cb430c69ba9f9282469c7068aa3ba81f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860da7727adc5a25aedf2dd369
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=46, length=229
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x029f003b158000000031170303002cd029786083d7f81ecf4475d575195eeb919015526f00fce51126275ebbe66123da22086d458a9a761cb51a79
State = 0x0e3867860da7727adc5a25aedf2dd369
Message-Authenticator = 0x15221c3c47eb0a82ef58202885172586
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 159 length 59
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 49
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0200000b01726164697573
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of radius
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x0200000b01726164697573
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radius"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: cn=users,cn=accounts,dc=sandbox,dc=local -> cn=users,cn=accounts,dc=sandbox,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,cn=accounts,dc=sandbox,dc=local, with filter (uid=radius)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA512}ySH+q7QCAIgZTd2xIXSLPsrej/rAUViTnWiw0Zl7N5CE/lWl0Miuh4LaPJnYhAzmwlYce8PF4fi3CcuqJNEOxnkUPcVgbkri"
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Found unknown header {{SSHA512}}: Not doing anything
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type gtc
[gtc] expand: Password: -> Password:
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Challenge
EAP-Message = 0x0101000f0650617373776f72643a20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7fbf16057fbe1015c9f0c4b7558f94c7
[ttls] Got tunneled Access-Challenge
[ttls] >>> Unknown TLS version [length 0005]
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 46 to 10.0.2.2 port 34310
EAP-Message = 0x01a0003f1580000000351703030030ab9c5933cc6f2f6233fa3e2a6e868a32624fc2ea7b76083ba13b79a2baabe2a705c21d12807f04a6607f426555d86086
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0e3867860a98727adc5a25aedf2dd369
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 34310, id=47, length=233
User-Name = "radius"
NAS-Identifier = "f09fc230e95f"
NAS-Port = 0
Called-Station-Id = "F2-9F-C2-32-E9-5F:hell0swarm"
Calling-Station-Id = "54-4E-90-98-D4-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02a0003f1580000000351703030030d029786083d7f81f1a470fcec80f928f731047396fe56e8497caeedc114efea5c4d4fbc8c8d2277f51e7d3d98699963b
State = 0x0e3867860a98727adc5a25aedf2dd369
Message-Authenticator = 0x368acb4d6e489fb6ae7b47a9153c8723
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 160 length 63
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 53
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x020100100650617373776f7264313233
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x020100100650617373776f7264313233
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radius"
State = 0x7fbf16057fbe1015c9f0c4b7558f94c7
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 1 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for radius
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> radius
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=radius)
[ldap] expand: cn=users,cn=accounts,dc=sandbox,dc=local -> cn=users,cn=accounts,dc=sandbox,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=users,cn=accounts,dc=sandbox,dc=local, with filter (uid=radius)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SSHA512}ySH+q7QCAIgZTd2xIXSLPsrej/rAUViTnWiw0Zl7N5CE/lWl0Miuh4LaPJnYhAzmwlYce8PF4fi3CcuqJNEOxnkUPcVgbkri"
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Found unknown header {{SSHA512}}: Not doing anything
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[gtc] +group PAP {
[pap] login attempt with password "Password123"
[pap] No password configured for the user. Cannot do authentication
++[pap] = fail
+} # group PAP = fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Reject
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user radius
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 47 to 10.0.2.2 port 34310
EAP-Message = 0x04a00004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 42 with timestamp +21
Cleaning up request 1 ID 43 with timestamp +21
Cleaning up request 2 ID 44 with timestamp +21
Cleaning up request 3 ID 45 with timestamp +21
Cleaning up request 4 ID 46 with timestamp +21
Waking up in 1.0 seconds.
Cleaning up request 5 ID 47 with timestamp +21
Ready to process requests.
Mitch.Sullivan
mitch.sullivan(a)swarm64.com
IT administrator | Swarm64 AS
Swarm64 AS Zweigstelle Hive
Ullsteinstr. 114 | 12109 Berlin | Germany
3
2
I cant start EAP on FreeRADIUS v4
My config is
eap {
   default_eap_type = peap
   ignore_unknown_eap_types = yes
   md5 {
   }
   tls-config tls-common {
      private_key_password = whatever
      private_key_file = ${certdir}/server.pem
      certificate_file = ${certdir}/server.pem
      cipher_list = "DEFAULT"
      ecdh_curve = "prime256v1"
      cache {
      }
      verify {
      }
   }
   tls {
      tls = tls-common
   }
   ttls {
      tls = tls-common
   }
   peap {
      tls = tls-common
      default_eap_type = mschapv2
   }
   mschapv2 {
      identity = "UNA"
   }
}
Freeradus shows it as
Loaded module "rlm_eap"
  eap gheap {
   default_eap_type = peap
   ignore_unknown_eap_types = yes
   cisco_accounting_username_bug = no
  }
/opt/freeradius/etc/raddb/mods-enabled/eap[1]: No EAP method configured, module cannot do anything
/opt/freeradius/etc/raddb/mods-enabled/eap[1]: Bootstrap failed for module "gheap"
It does not see methods in config
--Â
Best regards, Aleksandr Stepanov.
5
18