Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 12 participants
- 27047 discussions
Hi everybody,
I'am using Freeradius 3.0.12 with backend MySQL.
I customized my SQL groupreply request like this:
authorize_group_reply_query = "\
SELECT id, groupname, attribute, \
value, op \
FROM ${groupreply_table} \
WHERE groupname = '%{${group_attribute}}' AND value LIKE '%%%{Called-Station-Id}%%' \
ORDER BY id"
%(Called-Station-Id) can be phone number like +33567897654, and the request sent to MySQL is:
SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = GROUP' AND value LIKE '%=2B33567897654%' ORDER BY id
'+' string was converted to "=2B'.
How can I do to preserve + string
Best Regards,
Tony LEMEUNIER
Tony LEMEUNIER
4
7
Hello:
I'm setting up EAP-TLS for the first time using the test certificates. Can
someone please look at the debug output and help me find what's causing the
failure ? I think I've included the correct snippet:
rad_recv: Access-Request packet from host 192.168.10.22 port 49205, id=37,
length=128
NAS-IP-Address = 192.168.10.22
NAS-Port-Type = Ethernet
NAS-Port = 12
User-Name = "client"
State = 0xda0f395eda0d3de3fa5ad84917a2fd9b
Called-Station-Id = "EC-1D-8B-EC-5C-F7"
Calling-Station-Id = "00-40-8C-BF-28-F4"
EAP-Message = 0x02020006030d
Message-Authenticator = 0x6ffb217a2a4a97d64cd8714d965b7b2b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry client at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 37 to 192.168.10.22 port 49205
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xda0f395edb0c34e3fa5ad84917a2fd9b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.22 port 49205, id=38,
length=128
NAS-IP-Address = 192.168.10.22
NAS-Port-Type = Ethernet
NAS-Port = 12
User-Name = "client"
State = 0xda0f395edb0c34e3fa5ad84917a2fd9b
Called-Station-Id = "EC-1D-8B-EC-5C-F7"
Calling-Station-Id = "00-40-8C-BF-28-F4"
EAP-Message = 0x020300060300
Message-Authenticator = 0x18eed350fa3d2921bb07065aa89044d8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry client at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Thank you,
Joe
2
1
Hi folks,
About a week ago I popped a near-trivial pull request in against FR
v3.0.x (because this is the version we are using) but it should be more
widely compatible. I haven't heard anything back since - do I need to do
anything else to have it considered for merging?
https://github.com/FreeRADIUS/freeradius-server/pull/2184
Thanks,
Jonathan
1
0
Hello,
I have installed FreeRADIUS on Ubuntu Server 16.04. I can connect to it
with EAP MSCHAPv2 and many other ways but it fails on TTLS MSCHAPv2 which
is the one I need to use. If wanted I can send the debug information from
a working EAP MSCHAPv2.
I try to connect with an android phone through a ASUS router.
Anyone got any idea why it is not working?
root@ubuntuRADIUS:/etc/freeradius# freeradius -X
freeradius: FreeRADIUS Version 2.2.8, for host i686-pc-linux-gnu, built on
Jul 26 2017 at 15:28:44
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/checkval
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.0.2.2 {
ipaddr = 10.0.2.2
require_message_authenticator = no
secret = "testing123"
}
client asus {
ipaddr = 10.0.0.1
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 58209
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=131
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0xbeb4b21ce8f441d188a5cfd604ea60f4
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25661548b775c8b93cb3b8ac0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=306
Cleaning up request 0 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25661548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100ab150016030100a00100009c0303526804514ac801dadb13db30bc913fac38c7cb01a7563c4e87eae08760e0f0e500003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Message-Authenticator = 0xfa662c8841ae23189146cdb69dcb7064
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0102040015c00000046a1603030039020000350303882e3d0906b3ac53b42c9a46285a2d0ae21d934798a065c56e02ad4103ed1b5800c03000000dff01000100000b00040300010216030302cc0b0002c80002c50002c2308202be308201a6a003020102020900b37fe074c794d454300d06092a864886f70d01010b050030173115301306035504030c0c7562756e7475524144495553301e170d3138303330313133353235325a170d3238303232373133353235325a30173115301306035504030c0c7562756e747552414449555330820122300d06092a864886f70d01010105000382010f003082010a0282010100be9382ed2dc1add32b1b35f7
EAP-Message =
0x52c8fc8c0d2652e99ec612ac75a1029c63f63cfff4fd6cd9bb9e419bcfb7aed8e64d01f0f410c11961e22e9d2bea61dc6aacf0717dc0e386103809ea6f9978c068b1d59f405695fddfd47aff401b5f3390333b57b915960ec53698c32b02a49566bbbfb192c0a9b928a24535f40190231bf71416c580b6d982b17e744c7780ac0a64ea777a6f6d3cc493896914f89e0569b9a24f5a59387c852f838f053a9c396eee54f4ea222ae605b4735262d4e3685c6088da5fb881f739c00c93542663954a9800c99410e74ff3593536a9a669c0ef50b612e4270afe8f123d0ad38121639babf0fbd66137021597d97e6ef7d4aa7f9c02710203010001a30d300b
EAP-Message =
0x30090603551d1304023000300d06092a864886f70d01010b050003820101000b407680d9c47a5900401c7b6fe5390675f547567dacb4a75fb72387a0b621d5a668726d0654ef300fbe6b18324ddf2510cb0b6e459e90857c9d9cc34482c2aa5d7d9df792b1cc77f83aa3ccb7c6d0bd9080c31e22f5eb90212ede14732eaffcc9b24c580fede255a3e5acf05effc49d74cb63971ea81cda755983b202bffc116440616a01f57ad5b353cd7bba302dcf067313b00d0ff8a1bdd01e1b612ee04fd36c42949a32175585a1b28583c6a46f9399989acc68d2c3e7b7360ceddca417823ae7fe9d21a888c393bca3a9dbd66ccbbf59d5a1a290e7c67f1abe3bb3
EAP-Message =
0x77e112552a255d336731fee2e1a05bd01a87a238f12694278b87ef2146a11e649288160303014d0c00014903001741041c8714338c965bc7b84cfcb017ba8f7b4ac0b9677bab6c17f25b3d7ae14e08b09a2bedeb5c45f7979bff9eecd8c07b25fd937226555016d601cc60fa422ef751060101006dd90aabf97ea915a14e0e6ef6c57bfe4829db82b1602975b98712ec5db42b3c8b5c79572d5573bcd0a5c7560a03067e2f771494ecafa8a038672befabaf28d49b5f0d9b0a55b8d7d225eb2a11727955c030546f3709e912bc3f1b4d904c979c1fd43b0a325c403a3adc3aeeededdb811a1d55a2f8de44262e62557d74e60789234cd69ce46be1c86a
EAP-Message = 0x6c200c441581cef8c8df6fa0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25762548b775c8b93cb3b8ac0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=141
Cleaning up request 1 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25762548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0x9edaf5e9ac1eadb44961e09e6104bcbe
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0103007e15800000046aac4b2092f7d8e1ea994220a3e8fd64f6d29dd5d76d635dd7ac0895ea388f366812df6a1924dc25d7bb65058b2688fb10a125244fbfb429eddaab8d0bbdd38c76c39129ccddd422eaec8d1f5b478a431a81eeda645fc6502dfb21b1aa3c3a2abe102dd9b84bd475b427489216030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25463548b775c8b93cb3b8ac0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=267
Cleaning up request 2 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25463548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02030084150016030300461000004241046c37eb48dbbe8b3f2e0d3f4da3132daa81876d95c47c3c705cbf6917fa06d3ded4742817f732475c9c8b95f86670e5e80736e8f8e722d7e5a840d53943d1487d14030300010116030300280000000000000000db7f068e8fcce0d83d6a09d6b3abb56aefe288bc0d88a8c936338de79690e402
Message-Authenticator = 0x73f1ad17bb3790824f1409941692e2c8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0104003d158000000033140303000101160303002848357c1cd4efab5cceee0653c966dd0bf3a945b2ad77d149c6a69feff8cda8dcc4ab0b04d23d59d8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x566041d25564548b775c8b93cb3b8ac0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=278
Cleaning up request 3 ID 0 with timestamp +34
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x566041d25564548b775c8b93cb3b8ac0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204008f150017030300840000000000000001adeee8b56ad79d8da4b1679db4746911f0033f5b5d83956312523861b8b2791310d63b269ec0b5eff151f90027dccef0ad6d604f6362e4bec2d7e8329969d05507acde23d18bf5c09ef07eface4cd2cba6c386f193dd76063b912057d569d1a549db5a68e108be0542d58e654e1b61e4716d701605d32b81ac0e5e9c
Message-Authenticator = 0x05dc9439feca7c1d8a89f6cf01ca1fe5
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 4 ID 0 with timestamp +34
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=131
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x1c6c04fb8378f1910b9fb507c133e93c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660c446f12a95d9c7efeb2c3c0
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=306
Cleaning up request 5 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660c446f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100ab150016030100a00100009c03037bd1bcd41a4e58bb2447cae4df3b01e79efc412376c6c44ecd111b633f6da95900003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Message-Authenticator = 0x26bfb48fc179201a854a456aae91e65c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0102040015c00000046a16030300390200003503039c0f1bfc9ead4d4ac014ec5aa1165fa6567c65c0de03bd01fde7d800817a142500c03000000dff01000100000b00040300010216030302cc0b0002c80002c50002c2308202be308201a6a003020102020900b37fe074c794d454300d06092a864886f70d01010b050030173115301306035504030c0c7562756e7475524144495553301e170d3138303330313133353235325a170d3238303232373133353235325a30173115301306035504030c0c7562756e747552414449555330820122300d06092a864886f70d01010105000382010f003082010a0282010100be9382ed2dc1add32b1b35f7
EAP-Message =
0x52c8fc8c0d2652e99ec612ac75a1029c63f63cfff4fd6cd9bb9e419bcfb7aed8e64d01f0f410c11961e22e9d2bea61dc6aacf0717dc0e386103809ea6f9978c068b1d59f405695fddfd47aff401b5f3390333b57b915960ec53698c32b02a49566bbbfb192c0a9b928a24535f40190231bf71416c580b6d982b17e744c7780ac0a64ea777a6f6d3cc493896914f89e0569b9a24f5a59387c852f838f053a9c396eee54f4ea222ae605b4735262d4e3685c6088da5fb881f739c00c93542663954a9800c99410e74ff3593536a9a669c0ef50b612e4270afe8f123d0ad38121639babf0fbd66137021597d97e6ef7d4aa7f9c02710203010001a30d300b
EAP-Message =
0x30090603551d1304023000300d06092a864886f70d01010b050003820101000b407680d9c47a5900401c7b6fe5390675f547567dacb4a75fb72387a0b621d5a668726d0654ef300fbe6b18324ddf2510cb0b6e459e90857c9d9cc34482c2aa5d7d9df792b1cc77f83aa3ccb7c6d0bd9080c31e22f5eb90212ede14732eaffcc9b24c580fede255a3e5acf05effc49d74cb63971ea81cda755983b202bffc116440616a01f57ad5b353cd7bba302dcf067313b00d0ff8a1bdd01e1b612ee04fd36c42949a32175585a1b28583c6a46f9399989acc68d2c3e7b7360ceddca417823ae7fe9d21a888c393bca3a9dbd66ccbbf59d5a1a290e7c67f1abe3bb3
EAP-Message =
0x77e112552a255d336731fee2e1a05bd01a87a238f12694278b87ef2146a11e649288160303014d0c0001490300174104c9045f5eb696e3bae69ae45f211aa435df203c126a105d4a36ff13d66e0d4a63be257f9607c09181a5937f23017e649418a160a82bd6665ec0c91baf97c6426d06010100929ea9e28c3494ad9133da7258e1b236497833a40dab4df86ddeb1c9d15551ea00a6527607177a2245b04be917f5290ea002cfb420ae25310982a2d28b6db50e72f77b59c971b9952f55452e845b89a799a6de4b20a436d32f8d8b096784af93e77e1173ac2f8f7f93fac69934ee96dae1758470d9da75f2e48bcd9c71552e1da13bb79bbc9757153e
EAP-Message = 0x0a6dd003a8cc5909b776178e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660d476f12a95d9c7efeb2c3c0
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=141
Cleaning up request 6 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660d476f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0xa934c5d9ef37110127b4f5bde5976891
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0103007e15800000046acb854a80c6735479539ee466b6a78aea03b8217eca2044c6ae68d2abbe534fde390dee64a8f7fd6b3dae8a0df9ac8d0af161c7625e3c3760846bfecd09dd16ee51aa7dcc9fba22300f028808728e22ead32640c245d1a74109ccab548af6f1de2121336a0c96e46418d10716030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660e466f12a95d9c7efeb2c3c0
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=267
Cleaning up request 7 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660e466f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02030084150016030300461000004241040908ad55e927f17918673c168d8477906aabd3bc14038f994d1c1a2f327e121ddf4f448468ff574b1de06a5e5c00123236777eace6353a385d9d6205b8e023d51403030001011603030028000000000000000038383460e069ca3fb477847a834dece115cf0c5f26f01130a5b49d8a3e7e3efc
Message-Authenticator = 0xcf44d9a2c92b07296faf5930c64adb01
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0104003d1580000000331403030001011603030028df04f4b005fc62dedaf73c81ca86bc8d61392e442fd3a85c287b0d0e06972d6e6410ba3fbf7330d1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c457a660f416f12a95d9c7efeb2c3c0
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=278
Cleaning up request 8 ID 0 with timestamp +41
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x0c457a660f416f12a95d9c7efeb2c3c0
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204008f1500170303008400000000000000010b253d2220ac2acfe53e1fd5fbf2f2598a92443873a876f42e99da95a7bb051826a9c1c5dffc5c67c16c586df567d560ca07a7241921db2556e8d2a66f422b1932cfb3e1eb112d1fc6d3ba616889e05555c878940ee3f351d7a15a49586714bdd55276e3cdeab9ed113e4e460db718e3924ebd328bdf9a3e3236b6fc
Message-Authenticator = 0x1af17b63a64f47fcbc3a0ec16717a910
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +41
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=131
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x676ec42b20976a91a8bd7ab0d8cb999f
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a983b1a9e70d1786f6677e705
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=306
Cleaning up request 10 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a983b1a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100ab150016030100a00100009c0303a27710c867999b0722e29b8d455b6f41806830d2b5785a86ef947bc76d4ef04a00003ec02cc030009fc02bc02f009ecca9cca8c00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a01000035ff0100010000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Message-Authenticator = 0x4494d20d1a8cb27ec272148c29dfc456
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 171
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 00a0]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0039]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 02cc]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 014d]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0004]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0102040015c00000046a160303003902000035030338d451eebc70f7a6865019f0f9fe971d97d29dbbf259f8c9fd51f0aa6f931c6000c03000000dff01000100000b00040300010216030302cc0b0002c80002c50002c2308202be308201a6a003020102020900b37fe074c794d454300d06092a864886f70d01010b050030173115301306035504030c0c7562756e7475524144495553301e170d3138303330313133353235325a170d3238303232373133353235325a30173115301306035504030c0c7562756e747552414449555330820122300d06092a864886f70d01010105000382010f003082010a0282010100be9382ed2dc1add32b1b35f7
EAP-Message =
0x52c8fc8c0d2652e99ec612ac75a1029c63f63cfff4fd6cd9bb9e419bcfb7aed8e64d01f0f410c11961e22e9d2bea61dc6aacf0717dc0e386103809ea6f9978c068b1d59f405695fddfd47aff401b5f3390333b57b915960ec53698c32b02a49566bbbfb192c0a9b928a24535f40190231bf71416c580b6d982b17e744c7780ac0a64ea777a6f6d3cc493896914f89e0569b9a24f5a59387c852f838f053a9c396eee54f4ea222ae605b4735262d4e3685c6088da5fb881f739c00c93542663954a9800c99410e74ff3593536a9a669c0ef50b612e4270afe8f123d0ad38121639babf0fbd66137021597d97e6ef7d4aa7f9c02710203010001a30d300b
EAP-Message =
0x30090603551d1304023000300d06092a864886f70d01010b050003820101000b407680d9c47a5900401c7b6fe5390675f547567dacb4a75fb72387a0b621d5a668726d0654ef300fbe6b18324ddf2510cb0b6e459e90857c9d9cc34482c2aa5d7d9df792b1cc77f83aa3ccb7c6d0bd9080c31e22f5eb90212ede14732eaffcc9b24c580fede255a3e5acf05effc49d74cb63971ea81cda755983b202bffc116440616a01f57ad5b353cd7bba302dcf067313b00d0ff8a1bdd01e1b612ee04fd36c42949a32175585a1b28583c6a46f9399989acc68d2c3e7b7360ceddca417823ae7fe9d21a888c393bca3a9dbd66ccbbf59d5a1a290e7c67f1abe3bb3
EAP-Message =
0x77e112552a255d336731fee2e1a05bd01a87a238f12694278b87ef2146a11e649288160303014d0c0001490300174104d4bc9b3384651e6ecdfedf74bd004c614a51dfeeae36a9fc6b3f3e9d756da259a0d153ef55332cb9350c545c4cad7b3b96f4c0a5e04abc0475aca9a2494dd0bf06010100bb47844ba03bc1969c891a1e37a8a99e1310d97835b5be102a13ddf1b84b3a7a4840fad85e9c6e272ab4a5e2d1afc31d0f2f6edb69d42dc73bd33bc93566a2f5b3a6c3f7468b951c623115a75f9e74d98369e4aa8f2be02b4ccbde2bd4c438a7cc780a035d0dbc5a5ff14f9761fc1068db76a5fceff260f5a1cd60d261c535af2676a2ca2e0cb2d15d
EAP-Message = 0xc9ea0b7bf4dc7b16b042bed8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a99381a9e70d1786f6677e705
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=141
Cleaning up request 11 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a99381a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0x29ca321bf5207e566bdfbde431c392df
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0103007e15800000046a4e10b776a37915fcf4f2dde3685940dbfea0542c5769819c4b948a1eaea41a55547f1fba0cd678ad5fd9868549d4ad9ba86131ccde39ca1a54e8d4ff6135f1da87c7649d577be682838374dc3922358785cbb92f67427b573e3447c30ec5f00758b9bda56bbde8b5b5f7af16030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a9a391a9e70d1786f6677e705
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=267
Cleaning up request 12 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a9a391a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0203008415001603030046100000424104939c1ca8205736e62176faa470a2ddd4cc4732bdfb0a91a3c69756ff20227f99c8be39ae3ee90aef2cfd6ee33ee90a00d5a6009982426148bf7cf50eaaf9649c14030300010116030300280000000000000000cb752cedfefbb76538cb2a753067821926acc5a82e1587251a9ae55e49270d99
Message-Authenticator = 0x48305bf93df8cdc7213e51a97981a74b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0046]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0001]
[ttls] <<< Unknown TLS version [length 0005]
[ttls] <<< Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0001]
[ttls] TLS_accept: unknown state
[ttls] >>> Unknown TLS version [length 0005]
[ttls] >>> Unknown TLS version [length 0010]
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.0.2.2 port 37101
EAP-Message =
0x0104003d15800000003314030300010116030300280b1a10be1e4e65a7c37a795524033677856ba37e47405ca76d6d047a8119d2116f56dc72c6053901
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x983a0f7a9b3e1a9e70d1786f6677e705
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.2 port 37101, id=0,
length=278
Cleaning up request 13 ID 0 with timestamp +49
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
Called-Station-Id = "ac9e17bd7668"
Calling-Station-Id = "2c0e3d040b41"
NAS-Identifier = "ac9e17bd7668"
NAS-Port = 14
Framed-MTU = 1400
State = 0x983a0f7a9b3e1a9e70d1786f6677e705
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204008f15001703030084000000000000000181f59453f45ff9351d0eb09f8559ad492ab457ecade0e6c6c30f1a8e547e2dd5f00316175c390c1f26d1aaa61eaa1a25735804b47041bede97df420c9eef1e806739cc77f680dbca690661abb5c7e3d19a7dc4f892452d4a704a7f7bd4d89fd81f982735b50be5c35f6f0b45d340a01c9384319974ad53e68a8fcf73
Message-Authenticator = 0x6f40d71d85b6f299fd688e265aa1ce7a
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< Unknown TLS version [length 0005]
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client 10.0.2.2
port 14 cli 2c0e3d040b41)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 14 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 14
Sending Access-Reject of id 0 to 10.0.2.2 port 37101
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 14 ID 0 with timestamp +49
Ready to process requests.
2
2
Hi,
I need Help to try to create a new table (MariaDB) with one row from each
user identified by day on the radacct.
Because radacct is growing fast I need to store a new table with the visits
per day by username.
Something like visits_table
idVisits_table
username
date_visit
with username and date_visit unique keys.
Also a need to store this table in a different server from the server where
is installed the radius_db.
I've been reading and I can do a trigger on radius_db and every insert on
radacct fire an insert-update on the new visits_table.
Also a I can create this visits_table as a FederatedX table on the other
MariaDB machine.
I would like to know if someone have done this before and can give me a
little bit of light on how to solve this.
I think with the trigger and plus the FederatedX maybe a slow down to much
the database, maybe some code (need help in this) on the radius part will do
the job better.
If anyone can give me a hand will be appreciate.
Thanks.
Oscar
2
2
I’m hoping someone can give me a helping hand. I’ve got an older version of FreeRADIUS (2.2.0) running on an internal legacy system. The server is scheduled to be replaced by the summer so at this point it would be a waste to try to upgrade it. I do however need to make a change to the configuration to hack for a requirement of the server that’s being replaced first… and I’ve been kind of going/googling around in circles. Have tried 4 or 5 different things that I’ve found but I think a few of them may be for newer versions of FreeRADIUS… and the ones I thought were old enough didn’t accomplish anything either 😊
Essentially what I need to do is run one script after a user is authenticated to which will extract the username and the IP address they’ve been assigned (and possibly the NAS IP/port) (in the current test script this info is just echoed to a file so that I can tell when it’s working). And then a different script (with the same parameters) when they log off. From reading I’m guessing accounting-start and accounting-stop is the point where I want to be doing this, but I’m open to input on that as well if there’s somewhere more appropriate.
What is the best/right way to accomplish this in FreeRADIUS 2.2.0?
Cheers,
Mike
3
4
Hello,
I have been setting up freeradius-3.0.15 (from PPA) under Ubuntu 16.04,
and using mod_krb5 to authenticate against Samba4. There are four
freeradius servers, each with a Samba replica behind it.
Once every few days, I get alerts from nagios saying one or more RADIUS
servers has stopped working for a few minutes, and then they recover.
There are two nagios servers making RADIUS checks across all four RADIUS
servers, and both nagios servers see the problem simultaneously.
I now have authentication logging turn on, and at the time of the last
event I see:
... all OK
Thu Feb 22 17:21:51 2018 : Auth: (273) Login OK: [nagiostest] (from
client ix_nagios port 0)
Thu Feb 22 17:22:38 2018 : Auth: (274) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:23:00 2018 : Error: Unresponsive child for request 275, in
component authenticate module krb5
Thu Feb 22 17:23:10 2018 : WARNING: (275) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:23:38 2018 : Auth: (276) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:24:00 2018 : Error: Unresponsive child for request 277, in
component authenticate module krb5
Thu Feb 22 17:24:01 2018 : WARNING: (277) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:24:46 2018 : Error: Unresponsive child for request 278, in
component authenticate module krb5
Thu Feb 22 17:24:52 2018 : Info: Need 1 more connections to reach 5 spares
Thu Feb 22 17:24:52 2018 : Info: rlm_krb5 (krb5): Opening additional
connection (5), 1 of 5 pending slots used
Thu Feb 22 17:24:52 2018 : WARNING: (278) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:25:00 2018 : Error: Unresponsive child for request 279, in
component authenticate module krb5
Thu Feb 22 17:25:01 2018 : WARNING: (279) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:25:45 2018 : Info: rlm_krb5 (krb5): Closing connection
(4), from 1 unused connections
Thu Feb 22 17:25:45 2018 : Auth: (280) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:26:00 2018 : Error: Unresponsive child for request 281, in
component authenticate module krb5
Thu Feb 22 17:26:10 2018 : WARNING: (281) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:26:46 2018 : Error: Unresponsive child for request 282, in
component authenticate module krb5
Thu Feb 22 17:26:56 2018 : Info: Need 1 more connections to reach 5 spares
Thu Feb 22 17:26:56 2018 : Info: rlm_krb5 (krb5): Opening additional
connection (6), 1 of 5 pending slots used
Thu Feb 22 17:26:56 2018 : WARNING: (282) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:27:00 2018 : Error: Unresponsive child for request 283, in
component authenticate module krb5
Thu Feb 22 17:27:10 2018 : WARNING: (283) WARNING: Module rlm_krb5
became unblocked
Thu Feb 22 17:27:43 2018 : Info: rlm_krb5 (krb5): Closing connection
(1), from 1 unused connections
Thu Feb 22 17:27:43 2018 : Auth: (284) Login OK: [nagiostest] (from
client wrn_mon2 port 0)
Thu Feb 22 17:28:00 2018 : Auth: (285) Login OK: [nagiostest] (from
client ix_nagios port 0)
... all OK again
I'm not sure about the meaning of the message "became unblocked".
Looking at the source of call_modsingle()
       blocked = (request->master_state == REQUEST_STOP_PROCESSING);
       if (blocked) return RLM_MODULE_NOOP;
...
       blocked = (request->master_state == REQUEST_STOP_PROCESSING);
       if (blocked) {
               RWARN("Module %s became unblocked",
sp->modinst->entry->name);
       }
It seems to me that the module has unexpectedly become blocked (not
unblocked!)Â But does this simply mean that the module is taking longer
to respond than expected? Or if not, what else does it indicate?
Apart from this: I wondered if you had any pointers to narrowing down
the problem. There are four servers so I can probably leave one running
under freeradius -X until it recurs.
Now, of course the problem *could* be with Samba4. However I have a
separate nagios script (below) which performs LDAP queries using krb5
authentication, and it never reports a problem - not even an occasional
"soft" error; that suggests that KRB5 is reliable.
It considered if it was a problem with the RADIUS checking plugin
(check_radius_adv), but this seems very unlikely given that (a) both
nagios servers see the same problem simultaneously, and (b) freeradius
itself is logging problems around the time of the issue.
I have:
[radiusd.conf]
max_request_time = 10
thread pool {
       start_servers = 3
-----------
#!/bin/sh
host="$1"
if [ "$host" = "" ]; then
 echo "Missing hostname"
 exit 2
fi
export KRB5_CONFIG="/tmp/krb5.config.$$"
export KRB5CCNAME="/tmp/krb5.cc_cache.$$"
if expr "$host" : ".*:" >/dev/null; then
 khost="[$host]"
else
 khost="$host"
fi
cat <<EOS >"$KRB5_CONFIG"
[realms]
AD.EXAMPLE.NET = {
 kdc = $khost
}
EOS
# 1. Can we get a ticket from this host?
kinit -k -t /etc/nagiostest.keytab nagiostest(a)AD.EXAMPLE.NET
if [ "$?" != "0" ]; then
 echo "KINIT FAILED"
 rm "$KRB5_CONFIG"
 exit 2
fi
# 2. Can we use this ticket to do an LDAP query to this host?
res="$(ldapsearch -LLLQ -Y GSSAPI -h "$host" -b
"cn=users,dc=ad,dc=example,dc=net" "(samaccountname=nagiostest)"
samaccountname userprincipalname)"
if [ "$?" != "0" ]; then
 echo "LDAPSEARCH FAILED"
 kdestroy
 rm "$KRB5_CONFIG"
 exit 2
fi
if ! expr "$res" : ".*userPrincipalName: nagiostest(a)ad.example.net"
>/dev/null; then
 echo "LDAPSEARCH BAD RESULT: $res"
 kdestroy
 rm "$KRB5_CONFIG"
 exit 2
fi
# 3. Clean up
kdestroy
rm "$KRB5_CONFIG"
echo "OK"
5
8
Greetings o/
I support a radius version 2.2.5 + mysql for a customer of ours.
Recently I had to add new Vendor attributes.
Using those generates an error and I am stuck.
The exact error is:
rlm_sql: Failed to create the pair: Unknown vendor name in attribute
name "Transmode-ENM-User-Category"
rlm_sql (sql): Error getting data from database
The SQL query and output:
mysql radius_aaa -e "SELECT id, username, attribute, value, op         Â
FROM radreply          WHERE username ='testuser01'";
+-----+------------+-----------------------------+--------------------+----+
| id | username  | attribute                  | value             | op |
+-----+------------+-----------------------------+--------------------+----+
| 65 | testuser01 | Cisco-AVPair               | "shell:priv-lvl=5" | = |
| 66 | testuser01 | Service-Type               | NAS-Prompt-User   | = |
| 67 | testuser01 | Foundry-Privilege-Level    | 5                 | = |
| 89 | testuser01 | Juniper-Local-User-Name    | JunOS-Backbone-RO | := |
| 132 | testuser01 | Juniper-Local-User-Name    | JunOS-CPE-RO      | := |
| 158 | testuser01 | Juniper-Local-User-Name    | remote            | := |
| 159 | testuser01 | Transmode-ENM-User-Category | 0x1Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â | += |
+-----+------------+-----------------------------+--------------------+----+
Debug output:
---
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu,
built on Aug 10 2017 at 07:25:15
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius-aaa//radiusd.conf
including configuration file /etc/freeradius-aaa//clients.conf
including files in directory /etc/freeradius-aaa//modules/
including configuration file /etc/freeradius-aaa//modules/opendirectory
including configuration file /etc/freeradius-aaa//modules/echo
including configuration file /etc/freeradius-aaa//modules/logintime
including configuration file /etc/freeradius-aaa//modules/detail.log
including configuration file /etc/freeradius-aaa//modules/passwd
including configuration file /etc/freeradius-aaa//modules/linelog
including configuration file /etc/freeradius-aaa//modules/attr_rewrite
including configuration file /etc/freeradius-aaa//modules/always
including configuration file /etc/freeradius-aaa//modules/expiration
including configuration file /etc/freeradius-aaa//modules/smsotp
including configuration file /etc/freeradius-aaa//modules/dynamic_clients
including configuration file /etc/freeradius-aaa//modules/mschap
including configuration file /etc/freeradius-aaa//modules/radutmp
including configuration file /etc/freeradius-aaa//modules/policy
including configuration file /etc/freeradius-aaa//modules/mac2vlan
including configuration file /etc/freeradius-aaa//modules/counter
including configuration file /etc/freeradius-aaa//modules/acct_unique
including configuration file /etc/freeradius-aaa//modules/exec
including configuration file /etc/freeradius-aaa//modules/inner-eap
including configuration file /etc/freeradius-aaa//modules/realm
including configuration file /etc/freeradius-aaa//modules/ippool
including configuration file /etc/freeradius-aaa//modules/detail.example.com
including configuration file /etc/freeradius-aaa//modules/sql_log
including configuration file /etc/freeradius-aaa//modules/wimax
including configuration file /etc/freeradius-aaa//modules/ldap
including configuration file /etc/freeradius-aaa//modules/mac2ip
including configuration file /etc/freeradius-aaa//modules/attr_filter
including configuration file /etc/freeradius-aaa//modules/ntlm_auth
including configuration file /etc/freeradius-aaa//modules/otp
including configuration file /etc/freeradius-aaa//modules/pap
including configuration file /etc/freeradius-aaa//modules/chap
including configuration file /etc/freeradius-aaa//modules/etc_group
including configuration file /etc/freeradius-aaa//modules/preprocess
including configuration file /etc/freeradius-aaa//modules/checkval
including configuration file /etc/freeradius-aaa//modules/perl
including configuration file /etc/freeradius-aaa//modules/krb5
including configuration file /etc/freeradius-aaa//modules/files
including configuration file /etc/freeradius-aaa//modules/cui
including configuration file /etc/freeradius-aaa//modules/detail
including configuration file /etc/freeradius-aaa//modules/digest
including configuration file /etc/freeradius-aaa//modules/expr
including configuration file /etc/freeradius-aaa//modules/unix
including configuration file /etc/freeradius-aaa//modules/smbpasswd
including configuration file /etc/freeradius-aaa//modules/sradutmp
including configuration file
/etc/freeradius-aaa//modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius-aaa//modules/pam
including configuration file /etc/freeradius-aaa//eap.conf
including configuration file /etc/freeradius-aaa//sql.conf
including configuration file /etc/freeradius-aaa//sql/mysql/dialup.conf
including configuration file /etc/freeradius-aaa//sql/mysql/counter.conf
including configuration file /etc/freeradius-aaa//policy.conf
including files in directory /etc/freeradius-aaa//sites-enabled/
including configuration file /etc/freeradius-aaa//sites-enabled/default
including configuration file /etc/freeradius-aaa//sites-enabled/inner-tunnel
main {
   user = "freerad"
   group = "freerad"
   allow_core_dumps = no
}
including dictionary file /etc/freeradius-aaa//dictionary
main {
   name = "freeradius-aaa"
   prefix = "/usr"
   localstatedir = "/var"
   sbindir = "/usr/sbin"
   logdir = "/var/log/freeradius-aaa"
   run_dir = "/var/run/freeradius-aaa"
   libdir = "/usr/lib/freeradius"
   radacctdir = "/var/log/freeradius-aaa/radacct"
   hostname_lookups = no
   max_request_time = 30
   cleanup_delay = 5
   max_requests = 1024
   pidfile = "/var/run/freeradius-aaa/freeradius-aaa.pid"
   checkrad = "/usr/sbin/checkrad"
   debug_level = 0
   proxy_requests = no
 log {
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
    allow_vulnerable_openssl = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file
/etc/freeradius-aaa//modules/exec
 exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
 }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file
/etc/freeradius-aaa//modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file
/etc/freeradius-aaa//modules/expiration
 expiration {
    reply-message = "Password Has Expired "
 }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file
/etc/freeradius-aaa//modules/logintime
 logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
 }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file ?
 modules {
 Module: Creating Auth-Type = digest
 Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file
/etc/freeradius-aaa//modules/pap
 pap {
    encryption_scheme = "auto"
    auto_header = no
 }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file
/etc/freeradius-aaa//modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file
/etc/freeradius-aaa//modules/mschap
 mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
 }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file
/etc/freeradius-aaa//modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file
/etc/freeradius-aaa//modules/unix
 unix {
    radwtmp = "/var/log/freeradius-aaa/radwtmp"
 }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius-aaa//eap.conf
 eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
 }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
  gtc {
     challenge = "Password: "
     auth_type = "PAP"
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
  tls {
     rsa_key_exchange = no
     dh_key_exchange = yes
     rsa_key_length = 512
     dh_key_length = 512
     verify_depth = 0
     CA_path = "/etc/freeradius-aaa//certs"
     pem_file_type = yes
     private_key_file = "/etc/freeradius-aaa//certs/server.key"
     certificate_file = "/etc/freeradius-aaa//certs/server.pem"
     CA_file = "/etc/freeradius-aaa//certs/ca.pem"
     private_key_password = "whatever"
     dh_file = "/etc/freeradius-aaa//certs/dh"
     random_file = "/dev/urandom"
     fragment_size = 1024
     include_length = yes
     check_crl = no
     cipher_list = "DEFAULT"
     make_cert_command = "/etc/freeradius-aaa//certs/bootstrap"
     ecdh_curve = "prime256v1"
   cache {
      enable = no
      lifetime = 24
      max_entries = 255
   }
   verify {
   }
  }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
  ttls {
     default_eap_type = "md5"
     copy_request_to_tunnel = no
     use_tunneled_reply = no
     virtual_server = "inner-tunnel"
     include_length = yes
  }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
  peap {
     default_eap_type = "mschapv2"
     copy_request_to_tunnel = no
     use_tunneled_reply = no
     proxy_tunneled_request_as_eap = yes
     virtual_server = "inner-tunnel"
     soh = no
  }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
  mschapv2 {
     with_ntdomain_hack = no
     send_error = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file
/etc/freeradius-aaa//modules/preprocess
 preprocess {
    huntgroups = "/etc/freeradius-aaa//huntgroups"
    hints = "/etc/freeradius-aaa//hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
 }
reading pairlist file /etc/freeradius-aaa//huntgroups
reading pairlist file /etc/freeradius-aaa//hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file
/etc/freeradius-aaa//modules/realm
 realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
 }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file
/etc/freeradius-aaa//modules/files
 files {
    usersfile = "/etc/freeradius-aaa//users"
    acctusersfile = "/etc/freeradius-aaa//acct_users"
    preproxy_usersfile = "/etc/freeradius-aaa//preproxy_users"
    compat = "no"
 }
reading pairlist file /etc/freeradius-aaa//users
reading pairlist file /etc/freeradius-aaa//acct_users
reading pairlist file /etc/freeradius-aaa//preproxy_users
 Module: Linked to module rlm_sql
 Module: Instantiating module "sql" from file /etc/freeradius-aaa//sql.conf
 sql {
    driver = "rlm_sql_mysql"
    server = "127.0.0.1"
    port = "3306"
    login = "<secret>"
    password = "<secret>"
    radius_db = "radius_aaa"
    read_groups = yes
    sqltrace = no
    sqltracefile = "/var/log/freeradius-aaa/sqltrace.sql"
    readclients = yes
    deletestalesessions = yes
    num_sql_socks = 5
    lifetime = 0
    max_queries = 0
    sql_user_name = "%{User-Name}"
    default_user_profile = ""
    nas_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
    authorize_check_query = "SELECT id, username, attribute, value,
op          FROM radcheck          WHERE username =
'%{SQL-User-Name}'Â Â Â Â Â Â Â Â Â Â ORDER BY id"
    authorize_reply_query = "SELECT id, username, attribute, value,
op          FROM radreply          WHERE username =
'%{SQL-User-Name}'Â Â Â Â Â Â Â Â Â Â ORDER BY id"
    authorize_group_check_query = "SELECT id, groupname,
attribute,          Value, op          FROM radgroupcheck         Â
WHERE groupname = '%{Sql-Group}'Â Â Â Â Â Â Â Â Â Â ORDER BY id"
    authorize_group_reply_query = "SELECT id, groupname,
attribute,          value, op          FROM radgroupreply         Â
WHERE groupname = '%{Sql-Group}'Â Â Â Â Â Â Â Â Â Â ORDER BY id"
    accounting_onoff_query = "         UPDATE radacct         Â
SET             acctstoptime      = '%S',            Â
acctsessiontime   = unix_timestamp('%S')
-Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
unix_timestamp(acctstarttime),             acctterminatecause =Â
'%{Acct-Terminate-Cause}',             acctstopdelay     =Â
%{%{Acct-Delay-Time}:-0}Â Â Â Â Â Â Â Â Â Â WHERE acctstoptime IS NULLÂ Â Â Â Â Â Â Â Â Â
AND nasipaddress     = '%{NAS-IP-Address}'          AND
acctstarttime    <= '%S'"
    accounting_update_query = "          UPDATE radacct         Â
SET             framedipaddress = '%{Framed-IP-Address}',            Â
acctsessiontime    = '%{Acct-Session-Time}',            Â
acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32
|Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
'%{%{Acct-Input-Octets}:-0}',             acctoutputoctets   =
'%{%{Acct-Output-Gigawords}:-0}' << 32
|Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
'%{%{Acct-Output-Octets}:-0}'Â Â Â Â Â Â Â Â Â Â WHERE acctsessionid =
'%{Acct-Session-Id}'          AND username       =
'%{SQL-User-Name}'          AND nasipaddress   = '%{NAS-IP-Address}'"
    accounting_update_query_alt = "          INSERT INTO
radacct            (acctsessionid,   acctuniqueid,    Â
username,             realm,           nasipaddress,    Â
nasportid,             nasporttype,     acctstarttime,   Â
acctsessiontime,             acctauthentic,   connectinfo_start,
acctinputoctets,             acctoutputoctets, calledstationid, Â
callingstationid,             servicetype,     framedprotocol,  Â
framedipaddress,             acctstartdelay, Â
xascendsessionsvrkey)Â Â Â Â Â Â Â Â Â Â VALUESÂ Â Â Â Â Â Â Â Â Â Â Â
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',            Â
'%{SQL-User-Name}',             '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',             '%{NAS-Port-Type}',            Â
DATE_SUB('%S',                      INTERVAL
(%{%{Acct-Session-Time}:-0} +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
%{%{Acct-Delay-Time}:-0}) SECOND),                     Â
'%{Acct-Session-Time}',             '%{Acct-Authentic}',
'',             '%{%{Acct-Input-Gigawords}:-0}' << 32 |            Â
'%{%{Acct-Input-Octets}:-0}',            Â
'%{%{Acct-Output-Gigawords}:-0}' << 32 |Â Â Â Â Â Â Â Â Â Â Â Â Â
'%{%{Acct-Output-Octets}:-0}',             '%{Called-Station-Id}',
'%{Calling-Station-Id}',             '%{Service-Type}',
'%{Framed-Protocol}',             '%{Framed-IP-Address}',            Â
'0', '%{X-Ascend-Session-Svr-Key}')"
    accounting_start_query = "          INSERT INTO
radacct            (acctsessionid,   acctuniqueid,   Â
username,             realm,           nasipaddress,   Â
nasportid,             nasporttype,     acctstarttime,  Â
acctstoptime,             acctsessiontime, acctauthentic,  Â
connectinfo_start,             connectinfo_stop, acctinputoctets,Â
acctoutputoctets,             calledstationid, callingstationid,
acctterminatecause,             servicetype,     framedprotocol, Â
framedipaddress,             acctstartdelay,  acctstopdelay,  Â
xascendsessionsvrkey)Â Â Â Â Â Â Â Â Â Â VALUESÂ Â Â Â Â Â Â Â Â Â Â Â
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',            Â
'%{SQL-User-Name}',             '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',             '%{NAS-Port-Type}', '%S', NULL,            Â
'0', '%{Acct-Authentic}', '%{Connect-Info}',             '', '0',
'0',             '%{Called-Station-Id}', '%{Calling-Station-Id}',
'',             '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',             '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
    accounting_start_query_alt = "          UPDATE radacct
SET             acctstarttime    = '%S',            Â
acctstartdelay   = '%{%{Acct-Delay-Time}:-0}',            Â
connectinfo_start = '%{Connect-Info}'          WHERE acctsessionid =
'%{Acct-Session-Id}'          AND username        =
'%{SQL-User-Name}'          AND nasipaddress    = '%{NAS-IP-Address}'"
    accounting_stop_query = "          UPDATE radacct
SET             acctstoptime      = '%S',            Â
acctsessiontime   = '%{Acct-Session-Time}',            Â
acctinputoctets   = '%{%{Acct-Input-Gigawords}:-0}' << 32
|Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
'%{%{Acct-Input-Octets}:-0}',             acctoutputoctets  =
'%{%{Acct-Output-Gigawords}:-0}' << 32
|Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
'%{%{Acct-Output-Octets}:-0}',             acctterminatecause =
'%{Acct-Terminate-Cause}',             acctstopdelay     =
'%{%{Acct-Delay-Time}:-0}',             connectinfo_stop  =
'%{Connect-Info}'          WHERE acctsessionid  =
'%{Acct-Session-Id}'          AND username         =
'%{SQL-User-Name}'          AND nasipaddress     = '%{NAS-IP-Address}'"
    accounting_stop_query_alt = "          INSERT INTO
radacct            (acctsessionid, acctuniqueid, username,            Â
realm, nasipaddress, nasportid,             nasporttype, acctstarttime,
acctstoptime,             acctsessiontime, acctauthentic,
connectinfo_start,             connectinfo_stop, acctinputoctets,
acctoutputoctets,             calledstationid, callingstationid,
acctterminatecause,             servicetype, framedprotocol,
framedipaddress,             acctstartdelay, acctstopdelay)         Â
VALUESÂ Â Â Â Â Â Â Â Â Â Â Â ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',            Â
'%{SQL-User-Name}',             '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',             '%{NAS-Port-Type}',            Â
DATE_SUB('%S',                 INTERVAL (%{%{Acct-Session-Time}:-0}
+                 %{%{Acct-Delay-Time}:-0}) SECOND),             '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',            Â
'%{Connect-Info}',             '%{%{Acct-Input-Gigawords}:-0}' << 32
|             '%{%{Acct-Input-Octets}:-0}',            Â
'%{%{Acct-Output-Gigawords}:-0}' << 32 |Â Â Â Â Â Â Â Â Â Â Â Â Â
'%{%{Acct-Output-Octets}:-0}',             '%{Called-Station-Id}',
'%{Calling-Station-Id}',            Â
'%{Acct-Terminate-Cause}',             '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',             '0',
'%{%{Acct-Delay-Time}:-0}')"
    group_membership_query = "SELECT groupname          FROM
radusergroup          WHERE username = '%{SQL-User-Name}'         Â
ORDER BY priority"
    connect_failure_retry_delay = 60
    simul_count_query = ""
    simul_verify_query = "SELECT radacctid, acctsessionid,
username,                               nasipaddress, nasportid,
framedipaddress,                               callingstationid,
framedprotocol                               FROM
radacct                               WHERE username =
'%{SQL-User-Name}'Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â AND acctstoptime IS NULL"
    postauth_query = "INSERT INTO
radpostauth                          (username, pass, reply,
authdate)Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â VALUES (Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
'%{User-Name}',                         Â
'%{%{User-Password}:-%{Chap-Password}}',                         Â
'%{reply:Packet-Type}', '%S')"
    safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
 }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to dolibarr@127.0.0.1:3306/radius_aaa
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry
nasname=<HOSTNAME>,shortname=<HOSTNAME>,secret=<secret>
rlm_sql (sql): Adding client <IP> (<HOSTNAME>, server=<none>) to clients
list
rlm_sql (sql): Read entry
nasname=<HOSTNAME>,shortname=<HOSTNAME>,secret=<secret>
rlm_sql (sql): Adding client <IP> (<HOSTNAME>, server=<none>) to clients
list
<removed some lines>
rlm_sql (sql): Released sql socket id: 4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file
/etc/freeradius-aaa//modules/acct_unique
 acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
 }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file
/etc/freeradius-aaa//modules/detail
 detail {
    detailfile =
"/var/log/freeradius-aaa/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
 }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file
/etc/freeradius-aaa//modules/radutmp
 radutmp {
    filename = "/var/log/freeradius-aaa/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
 }
 Module: Linked to module rlm_sql_log
 Module: Instantiating module "sql_log" from file
/etc/freeradius-aaa//modules/sql_log
 sql_log {
    path = "/var/log/freeradius-aaa/radacct/sql-relay"
    Post-Auth = "INSERT INTO radpostauth                    Â
 (username, pass, reply, authdate) VALUES                     Â
 ('%{User-Name}', '%{User-Password:-Chap-Password}',          Â
 '%{reply:Packet-Type}', '%S');"
    sql_user_name = "%{%{User-Name}:-DEFAULT}"
    utf8 = no
    safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
 }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius-aaa//modules/attr_filter
 attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/freeradius-aaa//attrs.accounting_response"
    key = "%{User-Name}"
    relaxed = no
 }
reading pairlist file /etc/freeradius-aaa//attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius-aaa//modules/attr_filter
 attr_filter attr_filter.access_reject {
    attrsfile = "/etc/freeradius-aaa//attrs.access_reject"
    key = "%{User-Name}"
    relaxed = no
 }
reading pairlist file /etc/freeradius-aaa//attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file
/etc/freeradius-aaa//sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = <IP>
    port = 1814
}
listen {
    type = "acct"
    ipaddr = <IP>
    port = 1815
}
listen {
    type = "auth"
    ipaddr = 127.0.0.1
    port = 18120
}
Listening on authentication address <IP> port 1814
Listening on accounting address <IP> port 1815
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host <IP> port 35760, id=91, length=80
   User-Name = "testuser01"
   User-Password = "test1234"
   NAS-IP-Address = <IP>
   NAS-Port = 0
   Message-Authenticator = 0x61803daee501323cb7312359c83e6d2b
# Executing section authorize from file
/etc/freeradius-aaa//sites-enabled/default
+group authorize {
++update request {
sql_xlat
   expand: %{User-Name} -> testuser01
sql_set_user escaped user --> 'testuser01'
   expand: SELECT type FROM nas WHERE
nasname='%{Packet-Src-IP-Address}' -> SELECT type FROM nas WHERE
nasname='<IP>'
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
   expand: %{sql:SELECT type FROM nas WHERE
nasname='%{Packet-Src-IP-Address}'} -> other
++} # update request = noop
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql] Â Â Â expand: %{User-Name} -> testuser01
[sql] sql_set_user escaped user --> 'testuser01'
rlm_sql (sql): Reserving sql socket id: 2
[sql]    expand: SELECT id, username, attribute, value, op         Â
FROM radcheck          WHERE username = '%{SQL-User-Name}'         Â
ORDER BY id -> SELECT id, username, attribute, value, op          FROM
radcheck          WHERE username = 'testuser01'          ORDER BY id
[sql] User found in radcheck table
[sql]    expand: SELECT id, username, attribute, value, op         Â
FROM radreply          WHERE username = '%{SQL-User-Name}'         Â
ORDER BY id -> SELECT id, username, attribute, value, op          FROM
radreply          WHERE username = 'testuser01'          ORDER BY id
rlm_sql: Failed to create the pair: Unknown vendor name in attribute
name "Transmode-ENM-User-Category"
rlm_sql (sql): Error getting data from database
[sql] SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 2
++[sql] = fail
+} # group authorize = fail
Invalid user: [testuser01] (from client radius1 port 0)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius-aaa//sites-enabled/default
+group REJECT {
[sql] Â Â Â expand: %{User-Name} -> testuser01
[sql] sql_set_user escaped user --> 'testuser01'
[sql] Â Â Â expand: %{User-Password} -> test1234
[sql]    expand: INSERT INTO radpostauth                         Â
(username, pass, reply, authdate)Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â VALUES
(                          '%{User-Name}',                         Â
'%{%{User-Password}:-%{Chap-Password}}',                         Â
'%{reply:Packet-Type}', '%S') -> INSERT INTO
radpostauth                          (username, pass, reply,
authdate)Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â VALUES (Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
'testuser01',                         Â
'test1234',                          'Access-Reject', '2018-03-01
09:50:43')
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth                          (username, pass, reply,
authdate)Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â VALUES (Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â
'testuser01',                         Â
'test1234',                          'Access-Reject', '2018-03-01
09:50:43')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] = ok
[attr_filter.access_reject] Â Â Â expand: %{User-Name} -> testuser01
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 91 to 217.17.30.116 port 35760
Waking up in 4.9 seconds.
---
Any help would be nice.
Regards,
Steffen Schwebel
2
1
Hi everyone,
I'm using a pfsense server as captive portal to authenticate users on my
WiFi network. The captive portal is set to interrogate my freeradius server.
My freeradius server can already authenticate users via my AD using
winbind. I also need local account (via "users" file) to create some
temporary "WiFi" account for guests.
My problem is that it seems that when freeradius receive an mschap request,
it only interrogate the AD and do not check the local "users" file :
*Radtest output :*
*root@radius:/etc/freeradius/3.0# radtest test hello localhost 0
testing123Sent Access-Request Id 221 from 0.0.0.0:55019
<http://0.0.0.0:55019> to 127.0.0.1:1812 <http://127.0.0.1:1812> length
74 User-Name = "test" User-Password = "hello" NAS-IP-Address =
127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00
Cleartext-Password = "hello"Received Access-Accept Id 221 from
127.0.0.1:1812 <http://127.0.0.1:1812> to 0.0.0.0:0 <http://0.0.0.0:0>
length 20root@radius:/etc/freeradius/3.0# radtest -t mschap test hello
localhost 0 testing123Sent Access-Request Id 57 from 0.0.0.0:45981
<http://0.0.0.0:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length
130 User-Name = "test" MS-CHAP-Password = "hello" NAS-IP-Address =
127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00
Cleartext-Password = "hello" MS-CHAP-Challenge = 0x721c5f615cce85ee
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5Received
Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to
0.0.0.0:0 <http://0.0.0.0:0> length 61 MS-CHAP-Error = "\000E=648 R=0
C=36f192b64ad8bf50 V=2"(0) -: Expected Access-Accept got Access-Reject*
*freeradius -X output :*
*1) Received Access-Request Id 57 from 127.0.0.1:45981
<http://127.0.0.1:45981> to 127.0.0.1:1812 <http://127.0.0.1:1812> length
130(1) User-Name = "test"(1) NAS-IP-Address = 127.0.1.1(1) NAS-Port =
0(1) Message-Authenticator = 0x2ac9eeb221acb45d57e63c7670667269(1)
MS-CHAP-Challenge = 0x721c5f615cce85ee(1) MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000fd35479230547ed1afaabb4620398d1ab297fc558976fbe5(1)
# Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default(1) authorize {(1) policy
filter_username {(1) if (&User-Name) {(1) if (&User-Name) ->
TRUE(1) if (&User-Name) {(1) if (&User-Name =~ / /)
{(1) if (&User-Name =~ / /) -> FALSE(1) if (&User-Name =~
/@[^@]*@/ ) {(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE(1)
if (&User-Name =~ /\.\./ ) {(1) if (&User-Name =~ /\.\./ ) ->
FALSE(1) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) {(1) if ((&User-Name =~ /@/) && (&User-Name !~
/(a)(.+)\.(.+)$/)) -> FALSE(1) if (&User-Name =~ /\.$/)
{(1) if (&User-Name =~ /\.$/) -> FALSE(1) if (&User-Name
=~ /(a)\./) {(1) if (&User-Name =~ /(a)\./) -> FALSE(1) } # if
(&User-Name) = notfound(1) } # policy filter_username =
notfound(1) [preprocess] = ok(1) [chap] = noop(1) mschap: Found
MS-CHAP attributes. Setting 'Auth-Type = mschap'(1) [mschap] =
ok(1) [digest] = noop(1) suffix: Checking for suffix after "@"(1)
suffix: No '@' in User-Name = "test", looking up realm NULL(1) suffix: No
such realm "NULL"(1) [suffix] = noop(1) eap: No EAP-Message, not doing
EAP(1) [eap] = noop(1) files: users: Matched entry test at line
1(1) [files] = ok(1) [expiration] = noop(1) [logintime] =
noop(1) pap: WARNING: Auth-Type already set. Not setting to PAP(1)
[pap] = noop(1) } # authorize = ok(1) Found Auth-Type = mschap(1) #
Executing group from file /etc/freeradius/3.0/sites-enabled/default(1)
authenticate {(1) mschap: Found Cleartext-Password, hashing to create
NT-Password(1) mschap: Found Cleartext-Password, hashing to create
LM-Password(1) mschap: Client is using MS-CHAPv1 with NT-Password(1)
mschap: EXPAND %{mschap:User-Name}(1) mschap: --> testrlm_mschap
(mschap): Reserved connection (0)(1) mschap: sending authentication request
user='test' domain='lan.domain.tld'rlm_mschap (mschap): Released connection
(0)rlm_mschap (mschap): Need 5 more connections to reach 10
sparesrlm_mschap (mschap): Opening additional connection (5), 1 of 27
pending slots used(1) mschap: ERROR: No such user [0xC0000064](1) mschap:
ERROR: Password has expired. User should retry authentication(1)
[mschap] = reject(1) } # authenticate = reject(1) Failed to authenticate
the user(1) Using Post-Auth-Type Reject(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default(1) Post-Auth-Type REJECT {(1)
attr_filter.access_reject: EXPAND %{User-Name}(1)
attr_filter.access_reject: --> test(1) attr_filter.access_reject:
Matched entry DEFAULT at line 11(1) [attr_filter.access_reject] =
updated(1) [eap] = noop(1) policy remove_reply_message_if_eap
{(1) if (&reply:EAP-Message && &reply:Reply-Message) {(1) if
(&reply:EAP-Message && &reply:Reply-Message) -> FALSE(1) else
{(1) [noop] = noop(1) } # else = noop(1) } # policy
remove_reply_message_if_eap = noop(1) } # Post-Auth-Type REJECT =
updated(1) Delaying response for 1.000000 secondsWaking up in 0.3
seconds.Waking up in 0.6 seconds.(1) Sending delayed response(1) Sent
Access-Reject Id 57 from 127.0.0.1:1812 <http://127.0.0.1:1812> to
127.0.0.1:45981 <http://127.0.0.1:45981> length 61(1) MS-CHAP-Error =
"\000E=648 R=0 C=36f192b64ad8bf50 V=2"Waking up in 3.9 seconds.(1) Cleaning
up request packet ID 57 with timestamp +19*
Does anyone has an idea how i can use both authentication methods (AD and
"local") simultaneously ?
Thanks in advance.
​Regards,
*Benjamin Dupalut*
Administrateur système et réseau
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut(a)esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
2
2
Hello,
iam using freeradius 3.0.16 and in module rediswho iam trying to send
Framed-IP-Address in access accept packet. Iam using pairmake_reply but
when i start freeradius on mode debug i get this error:
pairmake_reply("Reply-Message", "Test", T_OP_EQ);
undefined symbol: pairmake_reply
an idea how to resolve this issue?
is this function still exist on freeradius 3?
Thanks
Regards
Bassem
1
0