Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 12 participants
- 27047 discussions
I am attempting to use a vendors dictionary:
/usr/share/freeradius/dictionary/dictionary.brocade and I believe it is not
being read. I have removed commented lines from dictionary.
[root@vader raddb]# pwd
/etc/raddb
[root@vader raddb]# ls -al dic*
-rw-r--r--. 1 root radiusd 1667 Sep 19 14:44 dictionary
-rw-r--r--. 1 root radiusd 688 Sep 18 15:35 dictionary.brocade
[root@vader raddb]# more dictionary
#
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
#
$INCLUDE /usr/share/freeradius/dictionary
$INCLUDE dictionary.brocade
[root@vader raddb]# more dictionary.brocade
# -*- text -*-
# Copyright (C) 2015 The FreeRADIUS Server project and contributors
#
VENDOR Brocade 1588
BEGIN-VENDOR Brocade
ATTRIBUTE Brocade-Auth-Role 1 string
# Valid attribute values:
# Admin BasicSwitchAdmin FabricAdmin Operator
# SecurityAdmin SwitchAdmin User ZoneAdmin
ATTRIBUTE Brocade-AVPairs1 2 string
ATTRIBUTE Brocade-AVPairs2 3 string
ATTRIBUTE Brocade-AVPairs3 4 string
ATTRIBUTE Brocade-AVPairs4 5 string
# Brocade-AVPairs1/2/3/4:
# Optional, specifies Admin Domain or Virtual Fabric List
ATTRIBUTE Brocade-Passwd-ExpiryDate 6 string #
Format: MM/DD/YYYY
ATTRIBUTE Brocade-Passwd-WarnPeriod 7 string #
Format: integer in days
END-VENDOR Brocade
Dictionaries in /usr/share/freeradius are root/root but I am not sure if
these are actually used.
When starting radiusd, I am not able to confirm dictionary.brocade is
loaded, and my clients are not receiving their attributes.
[root@vader ~]# /usr/sbin/radiusd -X
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary <------ This is where
I would expect to see the dictionary.brocade called out
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/unpack
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/canonicalization
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.10.10.0/24 {
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.10.10.0/24.
Please fix your configuration
Support for old-style clients will be removed in a future release
Debugger not attached
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_detail
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüà âæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÃ
ÔŒÙÛÜŸ"
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
instantiate {
}
modules {
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/ca.key"
certificate_file = "/etc/raddb/certs/ca.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "peap"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 58585
Listening on proxy address :: port 32864
Ready to process requests
Authentication attempt, in case this is of use:
(0) Received Access-Request Id 144 from 10.10.10.169:43523 to
10.10.10.41:1812 length 73
(0) User-Name = "swadmin"
(0) NAS-IP-Address = 10.10.10.41
(0) NAS-Port = 0
(0) EAP-Message = 0x02d2000c01737761646d696e
(0) Message-Authenticator = 0xab640beb2a355cf5c760d46ab6c93ba5
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 210 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 211 length 6
(0) eap: EAP session adding &reply:State = 0x2ea7ef802e74f6df
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 144 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(0) EAP-Message = 0x01d300061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x2ea7ef802e74f6df3693c3c995d521f2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 145 from 10.10.10.169:43523 to
10.10.10.41:1812 length 191
(1) User-Name = "swadmin"
(1) NAS-IP-Address = 10.10.10.41
(1) NAS-Port = 0
(1) State = 0x2ea7ef802e74f6df3693c3c995d521f2
(1) EAP-Message =
0x02d3007019800000006616030100610100005d0303dc50089cf14f604ce75b86aeddb03c4436e730a450cafdd173ffbbff0f494cec00000c003d0035003c002f000a00ff0100002800230000000d0020001e060106020603050105020503040104020403030103020303020102020203
(1) Message-Authenticator = 0xac1fe33d0504aa48024829daaa56797c
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 211 length 112
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x2ea7ef802e74f6df
(1) eap: Finished EAP session with state 0x2ea7ef802e74f6df
(1) eap: Previous EAP request found for state 0x2ea7ef802e74f6df, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 102 bytes
(1) eap_peap: Got complete TLS record (102 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_peap: <<< TLS 1.2 [length 0061]
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_peap: >>> TLS 1.2 [length 0051]
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_peap: >>> TLS 1.2 [length 0625]
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_peap: >>> TLS 1.2 [length 0004]
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 212 length 1004
(1) eap: EAP session adding &reply:State = 0x2ea7ef802f73f6df
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 145 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(1) EAP-Message =
0x01d403ec19c00000068916030300510200004d0303c1eb884d2b3536af449cf4a93561b305e3195256922b69dcf3ef67329bc6be2320c929510df244ed060c53cd90e9b2940df2add6e931aeaca3a7602f0ec476608b003d000005ff0100010016030306250b00062100061e00061b30820617308203ff
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x2ea7ef802f73f6df3693c3c995d521f2
(1) Finished request
Waking up in 4.8 seconds.
(2) Received Access-Request Id 146 from 10.10.10.169:43523 to
10.10.10.41:1812 length 64
(2) EAP-Message = 0x02d400061908
(2) State = 0x2ea7ef802f73f6df3693c3c995d521f2
(2) Message-Authenticator = 0xf9e31e911cf62e72c012f342e6166bc5
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> TRUE
(2) if (!&User-Name) {
(2) [noop] = noop
(2) } # if (!&User-Name) = noop
(2) if (&User-Name =~ / /) {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) if (&User-Name =~ /@.*@/ ) {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) if (&User-Name =~ /\.\./ ) {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) if (&User-Name =~ /\.$/) {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) if (&User-Name =~ /(a)\./) {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) } # policy filter_username = noop
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Proxy reply, or no User-Name. Ignoring
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 212 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x2ea7ef802f73f6df
(2) eap: Finished EAP session with state 0x2ea7ef802f73f6df
(2) eap: Previous EAP request found for state 0x2ea7ef802f73f6df, released
from the list
(2) eap: Broken NAS did not set User-Name, setting from EAP Identity
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 213 length 685
(2) eap: EAP session adding &reply:State = 0x2ea7ef802c72f6df
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 146 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(2) EAP-Message =
0x01d502ad1900cfea35d39782f46061d022042bb4194ed0a223fa5762d7c7e24a5e998e6e2c9f6371e35a051824cf7218e3a44842b28cdfbdaf0203010001a350304e301d0603551d0e04160414ad524818982efdf05efcf0c1bb04aefbc27999a6301f0603551d23041830168014ad524818982efdf05e
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x2ea7ef802c72f6df3693c3c995d521f2
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 147 from 10.10.10.169:43523 to
10.10.10.41:1812 length 707
(3) User-Name = "swadmin"
(3) NAS-IP-Address = 10.10.10.41
(3) NAS-Port = 0
(3) State = 0x2ea7ef802c72f6df3693c3c995d521f2
(3) EAP-Message =
0x02d5027019800000026616030302061000020202008fca9cfef4ddbdd0e3baf0650fb8345df69c663ac80402206eb34b2ff3215c37dde7b91687097abb7b4678af40b578afa06a813b2ca77de4f3ef36ce30f448c66527d3a30ef62683bd4e80a84d6692abf5e1ee26f666c85b30e31007e34bd788382d
(3) Message-Authenticator = 0x75c8703c7078ea211732e29514301e7f
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (!&User-Name) {
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 213 length 624
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x2ea7ef802c72f6df
(3) eap: Finished EAP session with state 0x2ea7ef802c72f6df
(3) eap: Previous EAP request found for state 0x2ea7ef802c72f6df, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 614 bytes
(3) eap_peap: Got complete TLS record (614 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(3) eap_peap: <<< TLS 1.2 [length 0206]
(3) eap_peap: TLS_accept: SSLv3 read client key exchange A
(3) eap_peap: TLS_accept: SSLv3 read certificate verify A
(3) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(3) eap_peap: <<< TLS 1.2 [length 0001]
(3) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(3) eap_peap: <<< TLS 1.2 [length 0010]
(3) eap_peap: TLS_accept: SSLv3 read finished A
(3) eap_peap: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(3) eap_peap: >>> TLS 1.2 [length 0001]
(3) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(3) eap_peap: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(3) eap_peap: >>> TLS 1.2 [length 0010]
(3) eap_peap: TLS_accept: SSLv3 write finished A
(3) eap_peap: TLS_accept: SSLv3 flush data
(3) eap_peap: (other): SSL negotiation finished successfully
(3) eap_peap: SSL Connection Established
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 214 length 97
(3) eap: EAP session adding &reply:State = 0x2ea7ef802d71f6df
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 147 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(3) EAP-Message =
0x01d600611900140303000101160303005079a7c2b0c0613f044ad8f016dd974af82c9894c546d8e9e79e1aa76f704d6347f83d69f301718c272bb284836a51a4f103de7594eb506dbd068b3bc3d59f3e972b591b5a27a1ee886d9083331cb2f7a0
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x2ea7ef802d71f6df3693c3c995d521f2
(3) Finished request
Waking up in 4.6 seconds.
(4) Received Access-Request Id 148 from 10.10.10.169:43523 to
10.10.10.41:1812 length 85
(4) User-Name = "swadmin"
(4) NAS-IP-Address = 10.10.10.41
(4) NAS-Port = 0
(4) State = 0x2ea7ef802d71f6df3693c3c995d521f2
(4) EAP-Message = 0x02d600061900
(4) Message-Authenticator = 0xab692927925f945469e6ba632403c514
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (!&User-Name) {
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 214 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x2ea7ef802d71f6df
(4) eap: Finished EAP session with state 0x2ea7ef802d71f6df
(4) eap: Previous EAP request found for state 0x2ea7ef802d71f6df, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(4) eap_peap: [eaptls verify] = success
(4) eap_peap: [eaptls process] = success
(4) eap_peap: Session established. Decoding tunneled attributes
(4) eap_peap: PEAP state TUNNEL ESTABLISHED
>>> UNKNOWN TLS VERSION ?0000? [length 0005]
(4) eap: Sending EAP Request (code 1) ID 215 length 75
(4) eap: EAP session adding &reply:State = 0x2ea7ef802a70f6df
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 148 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(4) EAP-Message =
0x01d7004b190017030300401aeaef07c9c4a249c81611f692e0264c010b134b01aa5103124201302cbc7da20e363d84e2df1fa5affdd908edf1fabbbfc2c7ae4b528534d61c7fb2503b991c
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x2ea7ef802a70f6df3693c3c995d521f2
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 149 from 10.10.10.169:43523 to
10.10.10.41:1812 length 154
(5) User-Name = "swadmin"
(5) NAS-IP-Address = 10.10.10.41
(5) NAS-Port = 0
(5) State = 0x2ea7ef802a70f6df3693c3c995d521f2
(5) EAP-Message =
0x02d7004b1900170303004048503b60df80d3cc3e54ca84aced721f1ac4b552e6154d41dfd00507d9d1d536c231a056c02eae6747ae7787ea269b0c7320b15d06eba81bd7e8144c2499d9af
(5) Message-Authenticator = 0xea1c0115468240cb351d04a41322e224
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (!&User-Name) {
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 215 length 75
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x2ea7ef802a70f6df
(5) eap: Finished EAP session with state 0x2ea7ef802a70f6df
(5) eap: Previous EAP request found for state 0x2ea7ef802a70f6df, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: [eaptls verify] = ok
(5) eap_peap: Done initial handshake
(5) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(5) eap_peap: [eaptls process] = ok
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(5) eap_peap: Identity - swadmin
(5) eap_peap: Got inner identity 'swadmin'
(5) eap_peap: Setting default EAP type for tunneled EAP session
(5) eap_peap: Got tunneled request
(5) eap_peap: EAP-Message = 0x02d7000c01737761646d696e
(5) eap_peap: Setting User-Name to swadmin
(5) eap_peap: Sending tunneled request to inner-tunnel
(5) eap_peap: EAP-Message = 0x02d7000c01737761646d696e
(5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_peap: User-Name = "swadmin"
(5) Virtual server inner-tunnel received request
(5) EAP-Message = 0x02d7000c01737761646d696e
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) User-Name = "swadmin"
(5) server inner-tunnel {
(5) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(5) authorize {
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 215 length 12
(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Peer sent packet with method EAP Identity (1)
(5) eap: Calling submodule eap_mschapv2 to process data
(5) eap_mschapv2: Issuing Challenge
(5) eap: Sending EAP Request (code 1) ID 216 length 43
(5) eap: EAP session adding &reply:State = 0x7030667570e87c8f
(5) [eap] = handled
(5) } # authenticate = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) EAP-Message =
0x01d8002b1a01d80026103aa0ad783679564939103c1f7b0dc5cb667265657261646975732d332e302e3130
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x7030667570e87c8f84ba25d6b5fb17c3
(5) eap_peap: Got tunneled reply code 11
(5) eap_peap: EAP-Message =
0x01d8002b1a01d80026103aa0ad783679564939103c1f7b0dc5cb667265657261646975732d332e302e3130
(5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap: State = 0x7030667570e87c8f84ba25d6b5fb17c3
(5) eap_peap: Got tunneled reply RADIUS code 11
(5) eap_peap: EAP-Message =
0x01d8002b1a01d80026103aa0ad783679564939103c1f7b0dc5cb667265657261646975732d332e302e3130
(5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap: State = 0x7030667570e87c8f84ba25d6b5fb17c3
(5) eap_peap: Got tunneled Access-Challenge
>>> UNKNOWN TLS VERSION ?0000? [length 0005]
(5) eap: Sending EAP Request (code 1) ID 216 length 107
(5) eap: EAP session adding &reply:State = 0x2ea7ef802b7ff6df
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 149 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(5) EAP-Message =
0x01d8006b19001703030060c9bdab5d392e1aec871e65586db7025cbca5ee23a681c6b15b518d3c2177dad94f504c1f91720adde5df703748c43883ab1007f8b755c9cdaf472c16b9a72788c6a02e5a05e3ec011d943af98faf54aaa2830d8530eb6df8892cc18b52f38d41
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x2ea7ef802b7ff6df3693c3c995d521f2
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 150 from 10.10.10.169:43523 to
10.10.10.41:1812 length 202
(6) User-Name = "swadmin"
(6) NAS-IP-Address = 10.10.10.41
(6) NAS-Port = 0
(6) State = 0x2ea7ef802b7ff6df3693c3c995d521f2
(6) EAP-Message =
0x02d8007b190017030300705f59d5dcd2ffacb0f62dc04b137c705df7c038f6c4fc41717f0a4ba04f10401556438a673f041b1ad6be8d571a04e9b33b0660df6fb81d3e583e1d7da9d4a162f6299601ced4393ee45053db3775b95da03a66759e2ee8f1440ef8b862aaac03b529721bf89ad6093364f785
(6) Message-Authenticator = 0x3b4888281df61cf5b2e770293b1ccb99
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (!&User-Name) {
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ ) {
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 216 length 123
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x7030667570e87c8f
(6) eap: Finished EAP session with state 0x2ea7ef802b7ff6df
(6) eap: Previous EAP request found for state 0x2ea7ef802b7ff6df, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state phase2
(6) eap_peap: EAP method MSCHAPv2 (26)
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message =
0x02d800431a02d8003f316652b1aeefe86844cec805f6771b674700000000000000007bf917464e3670b7150d2f0124303d00ab612db1096bf76a00737761646d696e00
(6) eap_peap: Setting User-Name to swadmin
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message =
0x02d800431a02d8003f316652b1aeefe86844cec805f6771b674700000000000000007bf917464e3670b7150d2f0124303d00ab612db1096bf76a00737761646d696e00
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "swadmin"
(6) eap_peap: State = 0x7030667570e87c8f84ba25d6b5fb17c3
(6) Virtual server inner-tunnel received request
(6) EAP-Message =
0x02d800431a02d8003f316652b1aeefe86844cec805f6771b674700000000000000007bf917464e3670b7150d2f0124303d00ab612db1096bf76a00737761646d696e00
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "swadmin"
(6) State = 0x7030667570e87c8f84ba25d6b5fb17c3
(6) server inner-tunnel {
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 216 length 67
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) files: users: Matched entry swadmin at line 240
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) pap: WARNING: Auth-Type already set. Not setting to PAP
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Expiring EAP session with state 0x7030667570e87c8f
(6) eap: Finished EAP session with state 0x7030667570e87c8f
(6) eap: Previous EAP request found for state 0x7030667570e87c8f, released
from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(6) eap_mschapv2: Auth-Type MS-CHAP {
(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Found Cleartext-Password, hashing to create LM-Password
(6) mschap: WARNING: User-Name (swadmin) is not the same as MS-CHAP Name
(swadmin) from EAP-MSCHAPv2
(6) mschap: Creating challenge hash with username: swadmin
(6) mschap: Client is using MS-CHAPv2
(6) mschap: Adding MS-CHAPv2 MPPE keys
(6) [mschap] = ok
(6) } # Auth-Type MS-CHAP = ok
(6) MSCHAP Success
(6) eap: Sending EAP Request (code 1) ID 217 length 51
(6) eap: EAP session adding &reply:State = 0x7030667571e97c8f
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) Brocade-Auth-Role = "admin"
(6) Brocade-AVPairs1 = "HomeLF=128"
(6) Brocade-AVPairs2 = "LFRoleList=admin:1-128"
(6) Brocade-AVPairs3 = "ChassisRole=admin"
(6) EAP-Message =
0x01d900331a03d8002e533d43433231363030394334444346333341463038384439363345333045323745323143323639334430
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x7030667571e97c8f84ba25d6b5fb17c3
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: Brocade-Auth-Role = "admin"
(6) eap_peap: Brocade-AVPairs1 = "HomeLF=128"
(6) eap_peap: Brocade-AVPairs2 = "LFRoleList=admin:1-128"
(6) eap_peap: Brocade-AVPairs3 = "ChassisRole=admin"
(6) eap_peap: EAP-Message =
0x01d900331a03d8002e533d43433231363030394334444346333341463038384439363345333045323745323143323639334430
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x7030667571e97c8f84ba25d6b5fb17c3
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: Brocade-Auth-Role = "admin"
(6) eap_peap: Brocade-AVPairs1 = "HomeLF=128"
(6) eap_peap: Brocade-AVPairs2 = "LFRoleList=admin:1-128"
(6) eap_peap: Brocade-AVPairs3 = "ChassisRole=admin"
(6) eap_peap: EAP-Message =
0x01d900331a03d8002e533d43433231363030394334444346333341463038384439363345333045323745323143323639334430
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x7030667571e97c8f84ba25d6b5fb17c3
(6) eap_peap: Got tunneled Access-Challenge
>>> UNKNOWN TLS VERSION ?0000? [length 0005]
(6) eap: Sending EAP Request (code 1) ID 217 length 107
(6) eap: EAP session adding &reply:State = 0x2ea7ef80287ef6df
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 150 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(6) EAP-Message =
0x01d9006b190017030300607af71da555afee854417f9ca8e0d54adeb166c468816e5f79198f9c51a1c75a15ba3ee3ad04597d52f18f53731dd9d81373dc08cfbe3bc2af50908a436103b48139bb885bc58eb99b30ffe9b0a1feb3450ba960c330f7dbc8e74efe62425f82a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x2ea7ef80287ef6df3693c3c995d521f2
(6) Finished request
Waking up in 4.6 seconds.
(7) Received Access-Request Id 151 from 10.10.10.169:43523 to
10.10.10.41:1812 length 154
(7) User-Name = "swadmin"
(7) NAS-IP-Address = 10.10.10.41
(7) NAS-Port = 0
(7) State = 0x2ea7ef80287ef6df3693c3c995d521f2
(7) EAP-Message =
0x02d9004b19001703030040bfc9701f5762ef472c945d8001dd2ae2d1ee074f1254e15e01e6ef9195ef06d156e93d2355429b2fd9fec886e321c35e790418b1f96facfc49cd17a6bd53e33c
(7) Message-Authenticator = 0x4ad3f2e68b3d6b1e81fbf9a43a93215f
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (!&User-Name) {
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 217 length 75
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x7030667571e97c8f
(7) eap: Finished EAP session with state 0x2ea7ef80287ef6df
(7) eap: Previous EAP request found for state 0x2ea7ef80287ef6df, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x02d900061a03
(7) eap_peap: Setting User-Name to swadmin
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x02d900061a03
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "swadmin"
(7) eap_peap: State = 0x7030667571e97c8f84ba25d6b5fb17c3
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x02d900061a03
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "swadmin"
(7) State = 0x7030667571e97c8f84ba25d6b5fb17c3
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 217 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) files: users: Matched entry swadmin at line 240
(7) [files] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x7030667571e97c8f
(7) eap: Finished EAP session with state 0x7030667571e97c8f
(7) eap: Previous EAP request found for state 0x7030667571e97c8f, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap: Sending EAP Success (code 3) ID 217 length 4
(7) eap: Freeing handler
(7) [eap] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(7) post-auth { ... } # empty sub-section is ignored
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) Brocade-Auth-Role = "admin"
(7) Brocade-AVPairs1 = "HomeLF=128"
(7) Brocade-AVPairs2 = "LFRoleList=admin:1-128"
(7) Brocade-AVPairs3 = "ChassisRole=admin"
(7) MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) MS-MPPE-Send-Key = 0x33b6ff31bf787acfda637a13cde3cf97
(7) MS-MPPE-Recv-Key = 0x47724e674b3ac6f2ad8658bac3500c47
(7) EAP-Message = 0x03d90004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "swadmin"
(7) eap_peap: Got tunneled reply code 2
(7) eap_peap: Brocade-Auth-Role = "admin"
(7) eap_peap: Brocade-AVPairs1 = "HomeLF=128"
(7) eap_peap: Brocade-AVPairs2 = "LFRoleList=admin:1-128"
(7) eap_peap: Brocade-AVPairs3 = "ChassisRole=admin"
(7) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) eap_peap: MS-MPPE-Send-Key = 0x33b6ff31bf787acfda637a13cde3cf97
(7) eap_peap: MS-MPPE-Recv-Key = 0x47724e674b3ac6f2ad8658bac3500c47
(7) eap_peap: EAP-Message = 0x03d90004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: User-Name = "swadmin"
(7) eap_peap: Got tunneled reply RADIUS code 2
(7) eap_peap: Brocade-Auth-Role = "admin"
(7) eap_peap: Brocade-AVPairs1 = "HomeLF=128"
(7) eap_peap: Brocade-AVPairs2 = "LFRoleList=admin:1-128"
(7) eap_peap: Brocade-AVPairs3 = "ChassisRole=admin"
(7) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) eap_peap: MS-MPPE-Send-Key = 0x33b6ff31bf787acfda637a13cde3cf97
(7) eap_peap: MS-MPPE-Recv-Key = 0x47724e674b3ac6f2ad8658bac3500c47
(7) eap_peap: EAP-Message = 0x03d90004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: User-Name = "swadmin"
(7) eap_peap: Tunneled authentication was successful
(7) eap_peap: SUCCESS
>>> UNKNOWN TLS VERSION ?0000? [length 0005]
(7) eap: Sending EAP Request (code 1) ID 218 length 75
(7) eap: EAP session adding &reply:State = 0x2ea7ef80297df6df
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 151 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(7) EAP-Message =
0x01da004b190017030300400b6d3844237e81e2b4974b625b0d106880b733bac6465822e027576124a9bb1dbf6116625a93ba3591752ee1b02bae725bd54f609388e86a03663eb050bdf265
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x2ea7ef80297df6df3693c3c995d521f2
(7) Finished request
Waking up in 4.6 seconds.
(8) Received Access-Request Id 152 from 10.10.10.169:43523 to
10.10.10.41:1812 length 154
(8) User-Name = "swadmin"
(8) NAS-IP-Address = 10.10.10.41
(8) NAS-Port = 0
(8) State = 0x2ea7ef80297df6df3693c3c995d521f2
(8) EAP-Message =
0x02da004b190017030300401ca8412f64b2a64783cf02e13ce56d48eac71bb1b7c912704f95673053ba6c48d8c6ba5ef6f1b92680a2b631c14a91a9eb4642700ff61364ff94957617797d39
(8) Message-Authenticator = 0x9e7abcbbcd46d0a587f3205bd42b3df2
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (!&User-Name) {
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ ) {
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 218 length 75
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x2ea7ef80297df6df
(8) eap: Finished EAP session with state 0x2ea7ef80297df6df
(8) eap: Previous EAP request found for state 0x2ea7ef80297df6df, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv success
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: Success
(8) eap_peap: No information to cache: session caching will be disabled for
session c929510df244ed060c53cd90e9b2940df2add6e931aeaca3a7602f0ec476608b
(8) eap: Sending EAP Success (code 3) ID 218 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(8) post-auth {
(8) update {
(8) No attributes updated
(8) } # update = noop
(8) [exec] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # post-auth = noop
(8) Sent Access-Accept Id 152 from 10.10.10.41:1812 to 10.10.10.169:43523
length 0
(8) MS-MPPE-Recv-Key =
0xb2cc66124674f4d4f89ec8157c5cf0d0aff128a59ca2639710ca2b4ee8f104b3
(8) MS-MPPE-Send-Key =
0xa9d0387844078ce9b898d64c14b05afaae367e89184f9557a85cb24f79b16f93
(8) EAP-Message = 0x03da0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "swadmin"
(8) Finished request
Waking up in 4.6 seconds.
(9) Received Accounting-Request Id 7 from 10.10.10.169:18022 to
10.10.10.41:1813 length 85
(9) User-Name = "swadmin"
(9) NAS-IP-Address = 10.10.10.169
(9) NAS-Identifier = "HuaweiWedgeSec"
(9) NAS-Port = 16997
(9) NAS-Port-Type = Virtual
(9) Acct-Status-Type = Start
(9) Acct-Session-Id = "00016997"
(9) Acct-Authentic = RADIUS
(9) # Executing section preacct from file /etc/raddb/sites-enabled/default
(9) preacct {
(9) [preprocess] = ok
(9) policy acct_unique {
(9) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(9) EXPAND %{string:Class}
(9) -->
(9) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(9) else {
(9) update request {
(9) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(9) --> 767dde204e68d7d421422d0bcd251691
(9) &Acct-Unique-Session-Id := 767dde204e68d7d421422d0bcd251691
(9) } # update request = noop
(9) } # else = noop
(9) } # policy acct_unique = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) [files] = noop
(9) } # preacct = ok
(9) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(9) accounting {
(9) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(9) detail: --> /var/log/radius/radacct/10.10.10.169/detail-20170919
(9) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.10.10.169/detail-20170919
(9) detail: EXPAND %t
(9) detail: --> Tue Sep 19 14:50:25 2017
(9) [detail] = ok
(9) [unix] = ok
(9) [exec] = noop
(9) attr_filter.accounting_response: EXPAND %{User-Name}
(9) attr_filter.accounting_response: --> swadmin
(9) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(9) [attr_filter.accounting_response] = updated
(9) } # accounting = updated
(9) Sent Accounting-Response Id 7 from 10.10.10.41:1813 to
10.10.10.169:18022 length 0
(9) Finished request
(9) Cleaning up request packet ID 7 with timestamp +226
Waking up in 4.4 seconds.
(10) Received Accounting-Request Id 183 from 10.10.10.169:18022 to
10.10.10.41:1813 length 91
(10) User-Name = "swadmin"
(10) NAS-IP-Address = 10.10.10.169
(10) NAS-Identifier = "HuaweiWedgeSec"
(10) NAS-Port = 16997
(10) NAS-Port-Type = Virtual
(10) Acct-Status-Type = Stop
(10) Acct-Session-Id = "00016997"
(10) Acct-Authentic = RADIUS
(10) Acct-Session-Time = 0
(10) # Executing section preacct from file /etc/raddb/sites-enabled/default
(10) preacct {
(10) [preprocess] = ok
(10) policy acct_unique {
(10) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(10) EXPAND %{string:Class}
(10) -->
(10) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(10) else {
(10) update request {
(10) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(10) --> 767dde204e68d7d421422d0bcd251691
(10) &Acct-Unique-Session-Id := 767dde204e68d7d421422d0bcd251691
(10) } # update request = noop
(10) } # else = noop
(10) } # policy acct_unique = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "swadmin", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) [files] = noop
(10) } # preacct = ok
(10) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(10) accounting {
(10) detail: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(10) detail: --> /var/log/radius/radacct/10.10.10.169/detail-20170919
(10) detail:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.10.10.169/detail-20170919
(10) detail: EXPAND %t
(10) detail: --> Tue Sep 19 14:50:25 2017
(10) [detail] = ok
(10) [unix] = ok
(10) [exec] = noop
(10) attr_filter.accounting_response: EXPAND %{User-Name}
(10) attr_filter.accounting_response: --> swadmin
(10) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(10) [attr_filter.accounting_response] = updated
(10) } # accounting = updated
(10) Sent Accounting-Response Id 183 from 10.10.10.41:1813 to
10.10.10.169:18022 length 0
(10) Finished request
I attempted to start radiusd with -Xx in case that is helpful, but I still
am not sure if this is reading the dictionary.
My users contains:
swadmin Cleartext-Password := "supersecret"
Brocade-Auth-Role = "admin",
Brocade-AVPairs1 = "HomeLF=128",
Brocade-AVPairs2 = "LFRoleList=admin:1-128",
Brocade-AVPairs3 = "ChassisRole=admin"
swuser Cleartext-Password := "supersecret"
Brocade-Auth-Role = "user",
Brocade-AVPairs1 = "HomeLF=128",
Brocade-AVPairs2 = "LFRoleList=user:1-128",
Brocade-AVPairs3 = "ChassisRole=user",
Brocade-Passwd-ExpiryDate = "10/01/2017",
Brocade-Passwd-WarnPeriod = "31"
Thanks for any assistance,
Chris
3
2
Here: http://wiki.freeradius.org/guide/eduroam
Nitpick away...
-Arran
1
0
Hi,
I'm seeing quite a few
Mon Sep 18 15:02:40 2017 : Warning: EAP packets are arriving from two
different upstream servers. Has there been a proxy fail-over?
messages on my ORPS servers and I'm trying to find out where they come
from.
In normal log file they appear as shown.
Mon Sep 18 15:02:34 2017 : Auth: (46576) Login OK: [sa1043(a)york.ac.uk]
(from client roaming1.ja.net port 0 cli 48-74-6E-A3-67-2D
via TLS tunnel)
Mon Sep 18 15:02:36 2017 : Auth: (46591) Login OK: [hi555(a)york.ac.uk]
(from client roaming0.ja.net6 port 8 cli 0C-D7-46-D9-46-66
via TLS tunnel)
Mon Sep 18 15:02:36 2017 : Auth: (46592) Login OK: [hi555(a)york.ac.uk] (from
client roaming0.ja.net6 port 8 cli 0C-D7-46-D9-46-66)
Mon Sep 18 15:02:40 2017 : Warning: EAP packets are arriving from two
different upstream servers. Has there been a proxy fail-over?
Mon Sep 18 15:02:40 2017 : Auth: (46608) Login OK: [jr1236(a)york.ac.uk]
(from client roaming1.ja.net port 0 cli CC-3A-61-EC-61-7A)
Mon Sep 18 15:02:41 2017 : Auth: (46612) Login incorrect (eap: rlm_eap
(EAP): No EAP session matching state 0x8cdc674b8cdd7eac): [gdv504(a)york.ac.uk]
(from client roaming2.ja.net6 port 53 cli 38-0F-4A-30-B2-9C)
Mon Sep 18 15:02:43 2017 : Auth: (46619) Login OK: [hbna500(a)york.ac.uk]
(from client roaming0.ja.net port 8 cli 60-92-17-A5-51-75)
Mon Sep 18 15:02:44 2017 : Info: Need 1 more connections to reach 10 spares
However, when I try running FR in degug mode I never see the above errors.
Have also tried running raddebug to dump output into another file ... and
the normal file still has the aforementioned Warnings but the raddebug
doesn't
How am I supposed to get more info about the what the message relates to?
BTW running 3.0.15
Rgds
Alex
3
8
Hi friends!!
In the company where I work, we have a wireless controller which is
authenitcating with a LDAP server using this configuration:
IP address: 192.168.0.10
LDAP Base DN = "plataform.example.com.co"
Admin DN= "cn=roam,dc=example,dc=com,dc=co"
Admin password = 12345
Key attribute = uid
SearchFilter= "userType=managment"
With that configuration the people from managment department can login in
the wireless network.
I can change to SearchFilter= "userType=guest", so the people from
managment department can not login, but guest people can do it.
No we need to use a FreeRadius server to set a new wireless controller that
can't use LDAP authentication. So, I installed freeradius-ldap package, and
I enabled the module. This is my ldap file:
ldap {
server = "plataform.example.com.co"
identity = "cn=roam,dc=example,dc=com,dc=co"
password = 12345
basedn = "dc=example,dc=com,dc=co"
ldap_connections_number = 5
...
}
I enabled LDAP module, and reloaded the freeradius configuration and every
works great :D I can autheniticate using freeradius and Ldap server.
But the issue is: with that setting people from managment department and
guest people can logging in the wireless network, both of them. That is a
problem for me, I need to apply the same Filter that the previous wirless
controller had enabled ( Key attribute = uid and SearchFilter=
"userType=managment")
I have tried using these attibutes in ldap config file:
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
I have tried many combinations but I cant' do it work.
Can you give me any advice about how can I configure the freeradius-ldap
module in order to do that filter?
Thanks in advance!!!
Andrés!!
4
5
18 Sep '17
Hello.
I've upgraded to 3.0.15 from 2.X and now I have a problem with pap
authorization.
My users saved in a MySQL with an attribute md5. But, from Cisco ASA I
receive header User-Password. In a source code I've found next strings:
case PW_USER_PASSWORD: /* deprecated */
RWDEBUG("!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
RWDEBUG("!!! Ignoring control:User-Password.
Update your !!!");
RWDEBUG("!!! configuration so that the \"known
good\" clear text !!!");
RWDEBUG("!!! password is in Cleartext-Password and
NOT in !!!");
RWDEBUG("!!! User-Password.
!!!");
RWDEBUG("!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
break;
Okay. I've found a workaround with unlang and paste it to "authorize"
section:
if (!control:Cleartext-Password && control:User-Password) {
update control {
Cleartext-Password := "%{control:User-Password}"
}
}
But it doesn't work.
How can I save an encrypted password in MySQL and delete header
User-Password which I receive from Cisco ASA (I can't modify software on
the Cisco side)?
--
Best regards,
Anton Kiryushkin
3
3
Update from 3.0.4 to 3.0.13 (RHEL and CentOS 7.3 to 7.4): Reference "${group_attribute}" not found
by Bernd 15 Sep '17
by Bernd 15 Sep '17
15 Sep '17
Hi,
committing an update from CentOS release 7.3.1611 to 7.4.1708 also a
FreeRADIUS update is deployed:
* 7.3.1611: freeradius-3.0.4-8.el7_3.x86_64
* 7.4.1708: freeradius-3.0.13-8.el7_4.x86_64
Afterwards it fails to start. I found a bug report on this (which hit
Fedora 22 back then in the end of 2015):
https://bugzilla.redhat.com/show_bug.cgi?id=1291006
What's the best way to circumvent this? It seems that some
reconfiguration is needed, but I don't see exactly *where*.
A temporary (surely not elegant) fix is to modify
/etc/raddb/mods-config/sql/main/mysql/queries.conf, from
authorize_group_check_query = "\
SELECT id, groupname, attribute, \
Value, op \
FROM ${groupcheck_table} \
WHERE groupname = '%{${group_attribute}}' \
ORDER BY id"
authorize_group_reply_query = "\
SELECT id, groupname, attribute, \
value, op \
FROM ${groupreply_table} \
WHERE groupname = '%{${group_attribute}}' \
ORDER BY id"
in the new 3.0.13 file to
authorize_group_check_query = "\
SELECT id, groupname, attribute, \
Value, op \
FROM ${groupcheck_table} \
WHERE groupname = '%{Sql-Group}' \
ORDER BY id"
authorize_group_reply_query = "\
SELECT id, groupname, attribute, \
value, op \
FROM ${groupreply_table} \
WHERE groupname = '%{Sql-Group}' \
ORDER BY id"
(as it was in 3.0.4).
Best,
Bernd
4
6
15 Sep '17
Hi all,
I have a openldap server with hashed password and am attempting to set up
WPA-Enterprise authentication. I have enabled the ldpap module and straight
authentication usng ldap and pap works. i.e the proxy server authenticates
without any problems.
I have the client configured to use ttls and gtc. I have done the same with
the eap configuration file. I don't get any error messages in the log file
when trying to connect. (I regengerated the ssl certs as hinted at by a
previous message but this took away the ssl cert warning but did not solve
the problem.)
Below is the debug log output. Trying to understand radius and the whole
EAP protocol requires a large amount of effort. I have already understood a
lot more than I did 3 days ago but am not at the end of my concpetual
models ability to trouble shoot this problem. I have tried setting the
Auth-Type: to LDAP in the gtc configuration in the eap conf file as well
but the results are the same.
Any help or hints appreciated. From the log file below it looks like the
client is not responding to the final Access-Challenge. The only other idea
I have is that the User-Password: field is not being passed to the eap
process? Not sure how to fix that or if it is the problem.
Thanks
Ready to process requests
(0) Received Access-Request Id 224 from 192.168.45.05:37339 to
192.168.45.74:1812 length 166
(0) User-Name = "bob"
(0) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Port = 0
(0) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "59B902E8-000000EA"
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02270009016d61726b
(0) Message-Authenticator = 0x4e878ddb529b319d77ea2abfb3131112
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(0) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(0) auth_log: EXPAND %t
(0) auth_log: --> Thu Sep 14 11:19:11 2017
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bob", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 39 length 9
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 40 length 6
(0) eap: EAP session adding &reply:State = 0xbdc37936bdeb6cdd
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Sent Access-Challenge Id 224 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(0) EAP-Message = 0x012800061520
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xbdc37936bdeb6cdd84932144ea25780b
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 225 from 192.168.45.05:37339 to
192.168.45.74:1812 length 339
(1) User-Name = "bob"
(1) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Port = 0
(1) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) Acct-Session-Id = "59B902E8-000000EA"
(1) Framed-MTU = 1400
(1) EAP-Message =
0x022800a4150016030100990100009503030a1c1c168f1fe7ca21b8e5ee873c19ba1e777641a3b13e1cca092bfa7fe66fc100003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff01000030001700
(1) State = 0xbdc37936bdeb6cdd84932144ea25780b
(1) Message-Authenticator = 0xc6c693312fb56f022f47198c94f4c3c7
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(1) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(1) auth_log: EXPAND %t
(1) auth_log: --> Thu Sep 14 11:19:11 2017
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "bob", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 40 length 164
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xbdc37936bdeb6cdd
(1) eap: Finished EAP session with state 0xbdc37936bdeb6cdd
(1) eap: Previous EAP request found for state 0xbdc37936bdeb6cdd, released
from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: Continuing EAP-TLS
(1) eap_ttls: Got final TLS record fragment (158 bytes)
(1) eap_ttls: WARNING: Total received TLS record fragments (158 bytes),
does not equal indicated TLS record length (0 bytes)
(1) eap_ttls: [eaptls verify] = ok
(1) eap_ttls: Done initial handshake
(1) eap_ttls: (other): before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: <<< recv TLS 1.2 [length 0099]
(1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(1) eap_ttls: >>> send TLS 1.2 [length 003d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(1) eap_ttls: >>> send TLS 1.2 [length 08d3]
(1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(1) eap_ttls: >>> send TLS 1.2 [length 014d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_ttls: >>> send TLS 1.2 [length 0004]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server done
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_ttls: In SSL Handshake Phase
(1) eap_ttls: In SSL Accept mode
(1) eap_ttls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 41 length 1004
(1) eap: EAP session adding &reply:State = 0xbdc37936bcea6cdd
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Sent Access-Challenge Id 225 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(1) EAP-Message =
0x012903ec15c000000a75160303003d020000390303bfef2af615bb30a1795e1502febfbbcfaf0829baff49038576161b0bbe9082d500c030000011ff01000100000b0004030001020017000016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d0101
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xbdc37936bcea6cdd84932144ea25780b
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 226 from 192.168.45.05:37339 to
192.168.45.74:1812 length 181
(2) User-Name = "bob"
(2) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Port = 0
(2) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) Acct-Session-Id = "59B902E8-000000EA"
(2) Framed-MTU = 1400
(2) EAP-Message = 0x022900061500
(2) State = 0xbdc37936bcea6cdd84932144ea25780b
(2) Message-Authenticator = 0x5e81d512883c3437d5d7c4b1576509da
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(2) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(2) auth_log: EXPAND %t
(2) auth_log: --> Thu Sep 14 11:19:11 2017
(2) [auth_log] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "bob", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 41 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xbdc37936bcea6cdd
(2) eap: Finished EAP session with state 0xbdc37936bcea6cdd
(2) eap: Previous EAP request found for state 0xbdc37936bcea6cdd, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 42 length 1004
(2) eap: EAP session adding &reply:State = 0xbdc37936bfe96cdd
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Sent Access-Challenge Id 226 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(2) EAP-Message =
0x012a03ec15c000000a75318c53693caf5cec07a26c179201b35044f8b0a36585e88ac8887724d038dace205f76b50f376be76dd9ebe975518e8d82a931d370995cd79469cd39278883b89faf674e3bc275747a253d0cab0004e8308204e4308203cca003020102020900acfa1c7c27c4f226300d06092a
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xbdc37936bfe96cdd84932144ea25780b
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 227 from 192.168.45.05:37339 to
192.168.45.74:1812 length 181
(3) User-Name = "bob"
(3) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Port = 0
(3) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) Acct-Session-Id = "59B902E8-000000EA"
(3) Framed-MTU = 1400
(3) EAP-Message = 0x022a00061500
(3) State = 0xbdc37936bfe96cdd84932144ea25780b
(3) Message-Authenticator = 0x9fd121549085c6c53071b12b8b96285a
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(3) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(3) auth_log: EXPAND %t
(3) auth_log: --> Thu Sep 14 11:19:11 2017
(3) [auth_log] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "bob", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 42 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xbdc37936bfe96cdd
(3) eap: Finished EAP session with state 0xbdc37936bfe96cdd
(3) eap: Previous EAP request found for state 0xbdc37936bfe96cdd, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 43 length 699
(3) eap: EAP session adding &reply:State = 0xbdc37936bee86cdd
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Sent Access-Challenge Id 227 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(3) EAP-Message =
0x012b02bb158000000a750101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100e3995c54d00cee2fbbc14478b89b75b38a11643e5c1a51
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xbdc37936bee86cdd84932144ea25780b
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 228 from 192.168.45.05:37339 to
192.168.45.74:1812 length 307
(4) User-Name = "bob"
(4) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Port = 0
(4) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) Acct-Session-Id = "59B902E8-000000EA"
(4) Framed-MTU = 1400
(4) EAP-Message =
0x022b0084150016030300461000004241047d7abad05d5661d82c204f0d953f0ce6f5b508de608abf44b528fc3897c2f548baacdb60f5cd867ea90d976f1ad767249c4fc28ba8a810d62bb1102d57fd00e514030300010116030300280000000000000000c227b6f946893e02d0eac613069cdc09d93578
(4) State = 0xbdc37936bee86cdd84932144ea25780b
(4) Message-Authenticator = 0xb50eb2de770b6149c3752e62afebe833
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(4) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(4) auth_log: EXPAND %t
(4) auth_log: --> Thu Sep 14 11:19:11 2017
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "bob", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 43 length 132
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xbdc37936bee86cdd
(4) eap: Finished EAP session with state 0xbdc37936bee86cdd
(4) eap: Previous EAP request found for state 0xbdc37936bee86cdd, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: [eaptls verify] = ok
(4) eap_ttls: Done initial handshake
(4) eap_ttls: TLS_accept: SSLv3/TLS write server done
(4) eap_ttls: <<< recv TLS 1.2 [length 0046]
(4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_ttls: <<< recv TLS 1.2 [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS read finished
(4) eap_ttls: >>> send TLS 1.2 [length 0001]
(4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_ttls: >>> send TLS 1.2 [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS write finished
(4) eap_ttls: (other): SSL negotiation finished successfully
(4) eap_ttls: SSL Connection Established
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 44 length 61
(4) eap: EAP session adding &reply:State = 0xbdc37936b9ef6cdd
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Sent Access-Challenge Id 228 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(4) EAP-Message =
0x012c003d1580000000331403030001011603030028471e30dc08a6d794f227f69ef0ae81d75a7082e5643ef6c65d9ee2604fcd4f7c55114fc65525a838
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xbdc37936b9ef6cdd84932144ea25780b
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 229 from 192.168.45.05:37339 to
192.168.45.74:1812 length 230
(5) User-Name = "bob"
(5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port = 0
(5) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) Acct-Session-Id = "59B902E8-000000EA"
(5) Framed-MTU = 1400
(5) EAP-Message =
0x022c00371500170303002c0000000000000001595cecb3de730e899e84a9f3e32a5b344f7831ba3a3b08486ae4ed71c158e57359dded07
(5) State = 0xbdc37936b9ef6cdd84932144ea25780b
(5) Message-Authenticator = 0x04079a652bd0207cdffa3715b865b41a
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /var/log/freeradius/radacct/
192.168.45.05/auth-detail-20170914
(5) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914
(5) auth_log: EXPAND %t
(5) auth_log: --> Thu Sep 14 11:19:11 2017
(5) [auth_log] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bob", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 44 length 55
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xbdc37936b9ef6cdd
(5) eap: Finished EAP session with state 0xbdc37936b9ef6cdd
(5) eap: Previous EAP request found for state 0xbdc37936b9ef6cdd, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: [eaptls process] = ok
(5) eap_ttls: Session established. Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls: EAP-Message = 0x02000009016d61726b
(5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Got tunneled identity of bob
(5) eap_ttls: Setting default EAP type for tunneled EAP session
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5) EAP-Message = 0x02000009016d61726b
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) User-Name = "bob"
(5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean"
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port = 0
(5) Calling-Station-Id = "60-FE-1E-A0-4F-C4"
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) Acct-Session-Id = "59B902E8-000000EA"
(5) Framed-MTU = 1400
(5) Event-Timestamp = "Sep 14 2017 11:19:11 SAST"
(5) NAS-IP-Address = 192.168.45.05
(5) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(5) server inner-tunnel {
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
-> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bob", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 0 length 9
(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Peer sent packet with method EAP Identity (1)
(5) eap: Calling submodule eap_gtc to process data
(5) eap_gtc: EXPAND Password:
(5) eap_gtc: --> Password:
(5) eap: Sending EAP Request (code 1) ID 1 length 15
(5) eap: EAP session adding &reply:State = 0x939300d7939206e6
(5) [eap] = handled
(5) } # authenticate = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) EAP-Message = 0x0101000f0650617373776f72643a20
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x939300d7939206e632565a4a2d1be287
(5) eap_ttls: Got tunneled Access-Challenge
(5) eap: Sending EAP Request (code 1) ID 45 length 63
(5) eap: EAP session adding &reply:State = 0xbdc37936b8ee6cdd
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Sent Access-Challenge Id 229 from 192.168.45.74:1812 to
192.168.45.05:37339 length 0
(5) EAP-Message =
0x012d003f1580000000351703030030471e30dc08a6d79553ed6a4977806816b7ccd9f91d3c7e620176ceb206f3a0d52f0918d696626cf670769ccb64d27449
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xbdc37936b8ee6cdd84932144ea25780b
(5) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 224 with timestamp +10
(1) Cleaning up request packet ID 225 with timestamp +10
(2) Cleaning up request packet ID 226 with timestamp +10
(3) Cleaning up request packet ID 227 with timestamp +10
(4) Cleaning up request packet ID 228 with timestamp +10
(5) Cleaning up request packet ID 229 with timestamp +10
3
7
Hello,
I have trouble assigning the vlan to users in different groups. If I
have one group and if the user is in this group gets a VLAN 200. If
another user is in another group (add another entry in the users file
with the group and vlan), it does not log on or continue to receive the
vlan 200 and I want it to get vlan 216. Below debug with login.
Users are sure to exist and in the appropriate groups
Fri Sep 15 09:07:01 2017 : Info: freeradius: FreeRADIUS Version 2.2.5,
for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:25:15
Fri Sep 15 09:07:01 2017 : Debug: Server was built with:
Fri Sep 15 09:07:01 2017 : Debug: accounting
Fri Sep 15 09:07:01 2017 : Debug: authentication
Fri Sep 15 09:07:01 2017 : Debug: WITH_DHCP
Fri Sep 15 09:07:01 2017 : Debug: WITH_VMPS
Fri Sep 15 09:07:01 2017 : Debug: Server core libs:
Fri Sep 15 09:07:01 2017 : Debug: ssl: OpenSSL 1.0.1t 3 May 2016
Fri Sep 15 09:07:01 2017 : Info: Copyright (C) 1999-2013 The FreeRADIUS
server project and contributors.
Fri Sep 15 09:07:01 2017 : Info: There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A
Fri Sep 15 09:07:01 2017 : Info: PARTICULAR PURPOSE.
Fri Sep 15 09:07:01 2017 : Info: You may redistribute copies of
FreeRADIUS under the terms of the
Fri Sep 15 09:07:01 2017 : Info: GNU General Public License.
Fri Sep 15 09:07:01 2017 : Info: For more information about these
matters, see the file named COPYRIGHT.
Fri Sep 15 09:07:01 2017 : Info: Starting - reading configuration files ...
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/radiusd.conf
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/proxy.conf
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/clients.conf
Fri Sep 15 09:07:01 2017 : Debug: including files in directory
/etc/freeradius/modules/
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/attr_filter
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/pap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/radrelay
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/mschap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/etc_group
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/sradutmp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/detail.example.com
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/ippool
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/always
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/rediswho
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/smsotp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/chap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/exec
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/replicate
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/attr_rewrite
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/checkval
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/krb5
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/smbpasswd
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/counter
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/detail
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/inner-eap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/realm
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/sql_log
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/perl
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/redis
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/passwd
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/radutmp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/digest
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/preprocess
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/ntlm_auth
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/mac2vlan
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/detail.log
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/policy
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/acct_unique
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/dhcp_sqlippool
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/dynamic_clients
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/mac2ip
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/soh
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/ldap
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/wimax
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/expiration
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/pam
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/logintime
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/files
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/cache
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/unix
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/echo
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/otp
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/opendirectory
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/expr
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/cui
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/modules/linelog
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/eap.conf
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/policy.conf
Fri Sep 15 09:07:01 2017 : Debug: including files in directory
/etc/freeradius/sites-enabled/
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:01 2017 : Debug: including configuration file
/etc/freeradius/sites-enabled/default.orig
Fri Sep 15 09:07:01 2017 : Debug: main {
Fri Sep 15 09:07:01 2017 : Debug: user = "freerad"
Fri Sep 15 09:07:01 2017 : Debug: group = "freerad"
Fri Sep 15 09:07:01 2017 : Debug: allow_core_dumps = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: including dictionary file
/etc/freeradius/dictionary
Fri Sep 15 09:07:01 2017 : Debug: main {
Fri Sep 15 09:07:01 2017 : Debug: name = "freeradius"
Fri Sep 15 09:07:01 2017 : Debug: prefix = "/usr"
Fri Sep 15 09:07:01 2017 : Debug: localstatedir = "/var"
Fri Sep 15 09:07:01 2017 : Debug: sbindir = "/usr/sbin"
Fri Sep 15 09:07:01 2017 : Debug: logdir = "/var/log/freeradius"
Fri Sep 15 09:07:01 2017 : Debug: run_dir = "/var/run/freeradius"
Fri Sep 15 09:07:01 2017 : Debug: libdir = "/usr/lib/freeradius"
Fri Sep 15 09:07:01 2017 : Debug: radacctdir =
"/var/log/freeradius/radacct"
Fri Sep 15 09:07:01 2017 : Debug: hostname_lookups = no
Fri Sep 15 09:07:01 2017 : Debug: max_request_time = 30
Fri Sep 15 09:07:01 2017 : Debug: cleanup_delay = 5
Fri Sep 15 09:07:01 2017 : Debug: max_requests = 1024
Fri Sep 15 09:07:01 2017 : Debug: pidfile =
"/var/run/freeradius/freeradius.pid"
Fri Sep 15 09:07:01 2017 : Debug: checkrad = "/usr/sbin/checkrad"
Fri Sep 15 09:07:01 2017 : Debug: debug_level = 0
Fri Sep 15 09:07:01 2017 : Debug: proxy_requests = yes
Fri Sep 15 09:07:01 2017 : Debug: log {
Fri Sep 15 09:07:01 2017 : Debug: stripped_names = no
Fri Sep 15 09:07:01 2017 : Debug: auth = no
Fri Sep 15 09:07:01 2017 : Debug: auth_badpass = no
Fri Sep 15 09:07:01 2017 : Debug: auth_goodpass = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: security {
Fri Sep 15 09:07:01 2017 : Debug: max_attributes = 200
Fri Sep 15 09:07:01 2017 : Debug: reject_delay = 1
Fri Sep 15 09:07:01 2017 : Debug: status_server = yes
Fri Sep 15 09:07:01 2017 : Debug: allow_vulnerable_openssl = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Loading Realms and Home
Servers ####
Fri Sep 15 09:07:01 2017 : Debug: proxy server {
Fri Sep 15 09:07:01 2017 : Debug: retry_delay = 5
Fri Sep 15 09:07:01 2017 : Debug: retry_count = 3
Fri Sep 15 09:07:01 2017 : Debug: default_fallback = no
Fri Sep 15 09:07:01 2017 : Debug: dead_time = 120
Fri Sep 15 09:07:01 2017 : Debug: wake_all_if_all_dead = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server radius149.156.2.40 {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 149.156.2.40
Fri Sep 15 09:07:01 2017 : Debug: port = 1812
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: response_window = 20
Fri Sep 15 09:07:01 2017 : Debug: max_outstanding = 65536
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = yes
Fri Sep 15 09:07:01 2017 : Debug: zombie_period = 40
Fri Sep 15 09:07:01 2017 : Debug: status_check = "status-server"
Fri Sep 15 09:07:01 2017 : Debug: ping_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: check_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: num_answers_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: num_pings_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: revive_interval = 300
Fri Sep 15 09:07:01 2017 : Debug: status_check_timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server radius149.156.2.66 {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 149.156.2.66
Fri Sep 15 09:07:01 2017 : Debug: port = 1812
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: response_window = 20
Fri Sep 15 09:07:01 2017 : Debug: max_outstanding = 65536
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = yes
Fri Sep 15 09:07:01 2017 : Debug: zombie_period = 40
Fri Sep 15 09:07:01 2017 : Debug: status_check = "status-server"
Fri Sep 15 09:07:01 2017 : Debug: ping_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: check_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: num_answers_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: num_pings_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: revive_interval = 300
Fri Sep 15 09:07:01 2017 : Debug: status_check_timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server localhost {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 127.0.0.1
Fri Sep 15 09:07:01 2017 : Debug: port = 1812
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: secret = "testing123"
Fri Sep 15 09:07:01 2017 : Debug: response_window = 20
Fri Sep 15 09:07:01 2017 : Debug: no_response_fail = no
Fri Sep 15 09:07:01 2017 : Debug: max_outstanding = 65536
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = yes
Fri Sep 15 09:07:01 2017 : Debug: zombie_period = 40
Fri Sep 15 09:07:01 2017 : Debug: status_check = "status-server"
Fri Sep 15 09:07:01 2017 : Debug: ping_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: check_interval = 30
Fri Sep 15 09:07:01 2017 : Debug: num_answers_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: num_pings_to_alive = 3
Fri Sep 15 09:07:01 2017 : Debug: revive_interval = 120
Fri Sep 15 09:07:01 2017 : Debug: status_check_timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: coa {
Fri Sep 15 09:07:01 2017 : Debug: irt = 2
Fri Sep 15 09:07:01 2017 : Debug: mrt = 16
Fri Sep 15 09:07:01 2017 : Debug: mrc = 5
Fri Sep 15 09:07:01 2017 : Debug: mrd = 30
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm NULL {
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm LOCAL {
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm mydomain.com {
Fri Sep 15 09:07:01 2017 : Debug: authhost = LOCAL
Fri Sep 15 09:07:01 2017 : Debug: accthost = LOCAL
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: home_server_pool CYFRONET_pool {
Fri Sep 15 09:07:01 2017 : Debug: type = fail-over
Fri Sep 15 09:07:01 2017 : Debug: home_server = radius149.156.2.66
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: realm DEFAULT {
Fri Sep 15 09:07:01 2017 : Debug: auth_pool = CYFRONET_pool
Fri Sep 15 09:07:01 2017 : Debug: nostrip
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Loading Clients ####
Fri Sep 15 09:07:01 2017 : Debug: client localhost {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 127.0.0.1
Fri Sep 15 09:07:01 2017 : Debug: netmask = 32
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret = "testing123"
Fri Sep 15 09:07:01 2017 : Debug: shortname = "localhost"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "other"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: client 10.24.100.41 {
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 10.24.100.41
Fri Sep 15 09:07:01 2017 : Debug: netmask = 32
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret = "vFayVjKTby3o"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "cisco"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: client 149.156.2.40 {
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "other"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: client 149.156.2.66 {
Fri Sep 15 09:07:01 2017 : Debug: require_message_authenticator = no
Fri Sep 15 09:07:01 2017 : Debug: secret =
"CyirkOswir23vyaw2Flymmy7g2yik4shJediajWog"
Fri Sep 15 09:07:01 2017 : Debug: nastype = "other"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Instantiating modules ####
Fri Sep 15 09:07:01 2017 : Debug: instantiate {
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_exec, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_exec
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "exec"
from file /etc/freeradius/modules/exec
Fri Sep 15 09:07:01 2017 : Debug: exec {
Fri Sep 15 09:07:01 2017 : Debug: wait = no
Fri Sep 15 09:07:01 2017 : Debug: input_pairs = "request"
Fri Sep 15 09:07:01 2017 : Debug: shell_escape = yes
Fri Sep 15 09:07:01 2017 : Debug: timeout = 10
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_expr, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_expr
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "expr"
from file /etc/freeradius/modules/expr
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_expiration, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_expiration
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"expiration" from file /etc/freeradius/modules/expiration
Fri Sep 15 09:07:01 2017 : Debug: expiration {
Fri Sep 15 09:07:01 2017 : Debug: reply-message = "Password Has
Expired "
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_logintime, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_logintime
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"logintime" from file /etc/freeradius/modules/logintime
Fri Sep 15 09:07:01 2017 : Debug: logintime {
Fri Sep 15 09:07:01 2017 : Debug: reply-message = "You are calling
outside your allowed timespan "
Fri Sep 15 09:07:01 2017 : Debug: minimum-timeout = 60
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Loading Virtual Servers ####
Fri Sep 15 09:07:01 2017 : Debug: server { # from file ?
Fri Sep 15 09:07:01 2017 : Debug: modules {
Fri Sep 15 09:07:01 2017 : Debug: Module: Creating Auth-Type = digest
Fri Sep 15 09:07:01 2017 : Debug: Module: Creating Auth-Type = LDAP
Fri Sep 15 09:07:01 2017 : Debug: Module: Creating Post-Auth-Type = REJECT
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authenticate {...}
for more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_pap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_pap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "pap"
from file /etc/freeradius/modules/pap
Fri Sep 15 09:07:01 2017 : Debug: pap {
Fri Sep 15 09:07:01 2017 : Debug: encryption_scheme = "auto"
Fri Sep 15 09:07:01 2017 : Debug: auto_header = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_chap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_chap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "chap"
from file /etc/freeradius/modules/chap
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_mschap, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_mschap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "mschap"
from file /etc/freeradius/modules/mschap
Fri Sep 15 09:07:01 2017 : Debug: mschap {
Fri Sep 15 09:07:01 2017 : Debug: use_mppe = no
Fri Sep 15 09:07:01 2017 : Debug: require_encryption = no
Fri Sep 15 09:07:01 2017 : Debug: require_strong = no
Fri Sep 15 09:07:01 2017 : Debug: with_ntdomain_hack = no
Fri Sep 15 09:07:01 2017 : Debug: ntlm_auth = "/usr/bin/ntlm_auth
--request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Fri Sep 15 09:07:01 2017 : Debug: allow_retry = yes
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_digest, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_digest
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "digest"
from file /etc/freeradius/modules/digest
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_ldap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_ldap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "ldap"
from file /etc/freeradius/modules/ldap
Fri Sep 15 09:07:01 2017 : Debug: ldap {
Fri Sep 15 09:07:01 2017 : Debug: server = "ldap1.mydomain.com"
Fri Sep 15 09:07:01 2017 : Debug: port = 389
Fri Sep 15 09:07:01 2017 : Debug: password = "rad--IJP--02"
Fri Sep 15 09:07:01 2017 : Debug: expect_password = yes
Fri Sep 15 09:07:01 2017 : Debug: identity =
"cn=freeradius,ou=services,dc=ijp,dc=pan,dc=local"
Fri Sep 15 09:07:01 2017 : Debug: net_timeout = 1
Fri Sep 15 09:07:01 2017 : Debug: timeout = 4
Fri Sep 15 09:07:01 2017 : Debug: timelimit = 3
Fri Sep 15 09:07:01 2017 : Debug: max_uses = 0
Fri Sep 15 09:07:01 2017 : Debug: tls_mode = no
Fri Sep 15 09:07:01 2017 : Debug: start_tls = no
Fri Sep 15 09:07:01 2017 : Debug: tls_require_cert = "allow"
Fri Sep 15 09:07:01 2017 : Debug: tls {
Fri Sep 15 09:07:01 2017 : Debug: start_tls = no
Fri Sep 15 09:07:01 2017 : Debug: require_cert = "allow"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: basedn = "dc=ijp,dc=pan,dc=local"
Fri Sep 15 09:07:01 2017 : Debug: filter =
"(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
Fri Sep 15 09:07:01 2017 : Debug: base_filter =
"(objectclass=radiusprofile)"
Fri Sep 15 09:07:01 2017 : Debug: auto_header = no
Fri Sep 15 09:07:01 2017 : Debug: access_attr_used_for_allow = yes
Fri Sep 15 09:07:01 2017 : Debug: chase_referrals = yes
Fri Sep 15 09:07:01 2017 : Debug: rebind = yes
Fri Sep 15 09:07:01 2017 : Debug: groupname_attribute = "cn"
Fri Sep 15 09:07:01 2017 : Debug: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
Fri Sep 15 09:07:01 2017 : Debug: groupmembership_attribute =
"memberOf"
Fri Sep 15 09:07:01 2017 : Debug: dictionary_mapping =
"/etc/freeradius/ldap.attrmap"
Fri Sep 15 09:07:01 2017 : Debug: ldap_debug = 0
Fri Sep 15 09:07:01 2017 : Debug: ldap_connections_number = 5
Fri Sep 15 09:07:01 2017 : Debug: compare_check_items = no
Fri Sep 15 09:07:01 2017 : Debug: do_xlat = yes
Fri Sep 15 09:07:01 2017 : Debug: edir_account_policy_check = no
Fri Sep 15 09:07:01 2017 : Debug: set_auth_type = yes
Fri Sep 15 09:07:01 2017 : Debug: keepalive {
Fri Sep 15 09:07:01 2017 : Debug: idle = 60
Fri Sep 15 09:07:01 2017 : Debug: probes = 3
Fri Sep 15 09:07:01 2017 : Debug: interval = 3
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: Registering ldap_groupcmp
for Ldap-Group
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: Registering ldap_xlat with
xlat_name ldap
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: reading ldap<->radius
mappings from file /etc/freeradius/ldap.attrmap
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCheckItem mapped
to RADIUS $GENERIC$
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusReplyItem mapped
to RADIUS $GENERIC$
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusAuthType mapped
to RADIUS Auth-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusSimultaneousUse
mapped to RADIUS Simultaneous-Use
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCalledStationId
mapped to RADIUS Called-Station-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCallingStationId
mapped to RADIUS Calling-Station-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP lmPassword mapped to
RADIUS LM-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP ntPassword mapped to
RADIUS NT-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP sambaLmPassword mapped
to RADIUS LM-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP sambaNtPassword mapped
to RADIUS NT-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP dBCSPwd mapped to
RADIUS LM-Password
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP userPassword mapped to
RADIUS Password-With-Header
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP acctFlags mapped to
RADIUS SMB-Account-CTRL-TEXT
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusExpiration mapped
to RADIUS Expiration
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusNASIpAddress
mapped to RADIUS NAS-IP-Address
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusServiceType
mapped to RADIUS Service-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedProtocol
mapped to RADIUS Framed-Protocol
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedIPAddress
mapped to RADIUS Framed-IP-Address
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedIPNetmask
mapped to RADIUS Framed-IP-Netmask
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedRoute
mapped to RADIUS Framed-Route
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedRouting
mapped to RADIUS Framed-Routing
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFilterId mapped
to RADIUS Filter-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedMTU mapped
to RADIUS Framed-MTU
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedCompression
mapped to RADIUS Framed-Compression
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginIPHost
mapped to RADIUS Login-IP-Host
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginService
mapped to RADIUS Login-Service
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginTCPPort
mapped to RADIUS Login-TCP-Port
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCallbackNumber
mapped to RADIUS Callback-Number
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusCallbackId mapped
to RADIUS Callback-Id
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusFramedIPXNetwork
mapped to RADIUS Framed-IPX-Network
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusClass mapped to
RADIUS Class
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusSessionTimeout
mapped to RADIUS Session-Timeout
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusIdleTimeout
mapped to RADIUS Idle-Timeout
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusTerminationAction
mapped to RADIUS Termination-Action
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATService
mapped to RADIUS Login-LAT-Service
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATNode
mapped to RADIUS Login-LAT-Node
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATGroup
mapped to RADIUS Login-LAT-Group
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusPortLimit mapped
to RADIUS Port-Limit
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusLoginLATPort
mapped to RADIUS Login-LAT-Port
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusReplyMessage
mapped to RADIUS Reply-Message
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusTunnelType mapped
to RADIUS Tunnel-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP radiusTunnelMediumType
mapped to RADIUS Tunnel-Medium-Type
Fri Sep 15 09:07:01 2017 : Debug: rlm_ldap: LDAP
radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
Fri Sep 15 09:07:01 2017 : Debug: conns: 0x2706520
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_eap, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_eap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "eap"
from file /etc/freeradius/eap.conf
Fri Sep 15 09:07:01 2017 : Debug: eap {
Fri Sep 15 09:07:01 2017 : Debug: default_eap_type = "md5"
Fri Sep 15 09:07:01 2017 : Debug: timer_expire = 60
Fri Sep 15 09:07:01 2017 : Debug: ignore_unknown_eap_types = no
Fri Sep 15 09:07:01 2017 : Debug: cisco_accounting_username_bug = no
Fri Sep 15 09:07:01 2017 : Debug: max_sessions = 1024
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_md5
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-md5
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_leap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-leap
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_gtc
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-gtc
Fri Sep 15 09:07:01 2017 : Debug: gtc {
Fri Sep 15 09:07:01 2017 : Debug: challenge = "Password: "
Fri Sep 15 09:07:01 2017 : Debug: auth_type = "PAP"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_tls
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-tls
Fri Sep 15 09:07:01 2017 : Debug: tls {
Fri Sep 15 09:07:01 2017 : Debug: rsa_key_exchange = no
Fri Sep 15 09:07:01 2017 : Debug: dh_key_exchange = yes
Fri Sep 15 09:07:01 2017 : Debug: rsa_key_length = 512
Fri Sep 15 09:07:01 2017 : Debug: dh_key_length = 512
Fri Sep 15 09:07:01 2017 : Debug: verify_depth = 0
Fri Sep 15 09:07:01 2017 : Debug: CA_path = "/etc/freeradius/certs"
Fri Sep 15 09:07:01 2017 : Debug: pem_file_type = yes
Fri Sep 15 09:07:01 2017 : Debug: private_key_file =
"/etc/freeradius/certs/server.key"
Fri Sep 15 09:07:01 2017 : Debug: certificate_file =
"/etc/freeradius/certs/server.pem"
Fri Sep 15 09:07:01 2017 : Debug: CA_file =
"/etc/freeradius/certs/ca.pem"
Fri Sep 15 09:07:01 2017 : Debug: private_key_password =
"si7ys4mxs984mxksj4oi"
Fri Sep 15 09:07:01 2017 : Debug: dh_file =
"/etc/freeradius/certs/dh"
Fri Sep 15 09:07:01 2017 : Debug: random_file = "/dev/urandom"
Fri Sep 15 09:07:01 2017 : Debug: fragment_size = 1024
Fri Sep 15 09:07:01 2017 : Debug: include_length = yes
Fri Sep 15 09:07:01 2017 : Debug: check_crl = no
Fri Sep 15 09:07:01 2017 : Debug: cipher_list = "DEFAULT"
Fri Sep 15 09:07:01 2017 : Debug: make_cert_command =
"/etc/freeradius/certs/bootstrap"
Fri Sep 15 09:07:01 2017 : Debug: ecdh_curve = "prime256v1"
Fri Sep 15 09:07:01 2017 : Debug: cache {
Fri Sep 15 09:07:01 2017 : Debug: enable = no
Fri Sep 15 09:07:01 2017 : Debug: lifetime = 24
Fri Sep 15 09:07:01 2017 : Debug: max_entries = 255
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: verify {
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: ocsp {
Fri Sep 15 09:07:01 2017 : Debug: enable = no
Fri Sep 15 09:07:01 2017 : Debug: override_cert_url = yes
Fri Sep 15 09:07:01 2017 : Debug: url = "http://127.0.0.1/ocsp/"
Fri Sep 15 09:07:01 2017 : Debug: use_nonce = yes
Fri Sep 15 09:07:01 2017 : Debug: timeout = 0
Fri Sep 15 09:07:01 2017 : Debug: softfail = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_ttls
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-ttls
Fri Sep 15 09:07:01 2017 : Debug: ttls {
Fri Sep 15 09:07:01 2017 : Debug: default_eap_type = "md5"
Fri Sep 15 09:07:01 2017 : Debug: copy_request_to_tunnel = yes
Fri Sep 15 09:07:01 2017 : Debug: use_tunneled_reply = yes
Fri Sep 15 09:07:01 2017 : Debug: virtual_server = "inner-tunnel"
Fri Sep 15 09:07:01 2017 : Debug: include_length = yes
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module rlm_eap_peap
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-peap
Fri Sep 15 09:07:01 2017 : Debug: peap {
Fri Sep 15 09:07:01 2017 : Debug: default_eap_type = "mschapv2"
Fri Sep 15 09:07:01 2017 : Debug: copy_request_to_tunnel = yes
Fri Sep 15 09:07:01 2017 : Debug: use_tunneled_reply = yes
Fri Sep 15 09:07:01 2017 : Debug: proxy_tunneled_request_as_eap = yes
Fri Sep 15 09:07:01 2017 : Debug: virtual_server = "inner-tunnel"
Fri Sep 15 09:07:01 2017 : Debug: soh = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to sub-module
rlm_eap_mschapv2
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating eap-mschapv2
Fri Sep 15 09:07:01 2017 : Debug: mschapv2 {
Fri Sep 15 09:07:01 2017 : Debug: with_ntdomain_hack = no
Fri Sep 15 09:07:01 2017 : Debug: send_error = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authorize {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_preprocess, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_preprocess
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"preprocess" from file /etc/freeradius/modules/preprocess
Fri Sep 15 09:07:01 2017 : Debug: preprocess {
Fri Sep 15 09:07:01 2017 : Debug: huntgroups =
"/etc/freeradius/huntgroups"
Fri Sep 15 09:07:01 2017 : Debug: hints = "/etc/freeradius/hints"
Fri Sep 15 09:07:01 2017 : Debug: with_ascend_hack = no
Fri Sep 15 09:07:01 2017 : Debug: ascend_channels_per_line = 23
Fri Sep 15 09:07:01 2017 : Debug: with_ntdomain_hack = no
Fri Sep 15 09:07:01 2017 : Debug: with_specialix_jetstream_hack = no
Fri Sep 15 09:07:01 2017 : Debug: with_cisco_vsa_hack = no
Fri Sep 15 09:07:01 2017 : Debug: with_alvarion_vsa_hack = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/huntgroups
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/hints
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_realm, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_realm
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "suffix"
from file /etc/freeradius/modules/realm
Fri Sep 15 09:07:01 2017 : Debug: realm suffix {
Fri Sep 15 09:07:01 2017 : Debug: format = "suffix"
Fri Sep 15 09:07:01 2017 : Debug: delimiter = "@"
Fri Sep 15 09:07:01 2017 : Debug: ignore_default = no
Fri Sep 15 09:07:01 2017 : Debug: ignore_null = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_files, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_files
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "files"
from file /etc/freeradius/modules/files
Fri Sep 15 09:07:01 2017 : Debug: files {
Fri Sep 15 09:07:01 2017 : Debug: usersfile = "/etc/freeradius/users"
Fri Sep 15 09:07:01 2017 : Debug: acctusersfile =
"/etc/freeradius/acct_users"
Fri Sep 15 09:07:01 2017 : Debug: preproxy_usersfile =
"/etc/freeradius/preproxy_users"
Fri Sep 15 09:07:01 2017 : Debug: compat = "no"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/users
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/acct_users
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/preproxy_users
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking preacct {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_acct_unique, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_acct_unique
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"acct_unique" from file /etc/freeradius/modules/acct_unique
Fri Sep 15 09:07:01 2017 : Debug: acct_unique {
Fri Sep 15 09:07:01 2017 : Debug: key = "User-Name,
Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking accounting {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_detail, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_detail
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "detail"
from file /etc/freeradius/modules/detail
Fri Sep 15 09:07:01 2017 : Debug: detail {
Fri Sep 15 09:07:01 2017 : Debug: detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
Fri Sep 15 09:07:01 2017 : Debug: header = "%t"
Fri Sep 15 09:07:01 2017 : Debug: detailperm = 384
Fri Sep 15 09:07:01 2017 : Debug: dirperm = 493
Fri Sep 15 09:07:01 2017 : Debug: locking = no
Fri Sep 15 09:07:01 2017 : Debug: log_packet_header = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_unix, checking if it's
valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_unix
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module "unix"
from file /etc/freeradius/modules/unix
Fri Sep 15 09:07:01 2017 : Debug: unix {
Fri Sep 15 09:07:01 2017 : Debug: radwtmp =
"/var/log/freeradius/radwtmp"
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_attr_filter, checking
if it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_attr_filter
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
Fri Sep 15 09:07:01 2017 : Debug: attr_filter
attr_filter.accounting_response {
Fri Sep 15 09:07:01 2017 : Debug: attrsfile =
"/etc/freeradius/attrs.accounting_response"
Fri Sep 15 09:07:01 2017 : Debug: key = "%{User-Name}"
Fri Sep 15 09:07:01 2017 : Debug: relaxed = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/attrs.accounting_response
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking session {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: (Loaded rlm_radutmp, checking if
it's valid)
Fri Sep 15 09:07:01 2017 : Debug: Module: Linked to module rlm_radutmp
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"radutmp" from file /etc/freeradius/modules/radutmp
Fri Sep 15 09:07:01 2017 : Debug: radutmp {
Fri Sep 15 09:07:01 2017 : Debug: filename =
"/var/log/freeradius/radutmp"
Fri Sep 15 09:07:01 2017 : Debug: username = "%{User-Name}"
Fri Sep 15 09:07:01 2017 : Debug: case_sensitive = yes
Fri Sep 15 09:07:01 2017 : Debug: check_with_nas = yes
Fri Sep 15 09:07:01 2017 : Debug: perm = 384
Fri Sep 15 09:07:01 2017 : Debug: callerid = yes
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-proxy {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-auth {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Instantiating module
"attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
Fri Sep 15 09:07:01 2017 : Debug: attr_filter attr_filter.access_reject {
Fri Sep 15 09:07:01 2017 : Debug: attrsfile =
"/etc/freeradius/attrs.access_reject"
Fri Sep 15 09:07:01 2017 : Debug: key = "%{User-Name}"
Fri Sep 15 09:07:01 2017 : Debug: relaxed = no
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: reading pairlist file
/etc/freeradius/attrs.access_reject
Fri Sep 15 09:07:01 2017 : Debug: } # modules
Fri Sep 15 09:07:01 2017 : Debug: } # server
Fri Sep 15 09:07:01 2017 : Debug: server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:01 2017 : Debug: modules {
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authenticate {...}
for more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking authorize {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking session {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-proxy {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: Module: Checking post-auth {...} for
more modules to load
Fri Sep 15 09:07:01 2017 : Debug: } # modules
Fri Sep 15 09:07:01 2017 : Debug: } # server
Fri Sep 15 09:07:01 2017 : Debug: radiusd: #### Opening IP addresses and
Ports ####
Fri Sep 15 09:07:01 2017 : Debug: listen {
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = *
Fri Sep 15 09:07:01 2017 : Debug: port = 0
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: listen {
Fri Sep 15 09:07:01 2017 : Debug: type = "acct"
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = *
Fri Sep 15 09:07:01 2017 : Debug: port = 0
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: listen {
Fri Sep 15 09:07:01 2017 : Debug: type = "auth"
Fri Sep 15 09:07:01 2017 : Debug: ipaddr = 127.0.0.1
Fri Sep 15 09:07:01 2017 : Debug: port = 18120
Fri Sep 15 09:07:01 2017 : Debug: }
Fri Sep 15 09:07:01 2017 : Debug: ... adding new socket proxy address *
port 51874
Fri Sep 15 09:07:01 2017 : Debug: ... adding new socket proxy address *
port 60324
Fri Sep 15 09:07:01 2017 : Debug: ... adding new socket proxy address *
port 57887
Fri Sep 15 09:07:01 2017 : Debug: Listening on authentication address *
port 1812
Fri Sep 15 09:07:01 2017 : Debug: Listening on accounting address * port
1813
Fri Sep 15 09:07:01 2017 : Debug: Listening on authentication address
127.0.0.1 port 18120 as server inner-tunnel
Fri Sep 15 09:07:01 2017 : Debug: Listening on proxy address * port 1814
Fri Sep 15 09:07:01 2017 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=30, length=287
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x02020017017073697461727a40696a702e70616e2e706c
Message-Authenticator = 0xe3b9300c51ffe43e482510eccd899c44
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 2
length 23
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] attempting LDAP reconnection
Fri Sep 15 09:07:16 2017 : Debug: [ldap] (re)connect to
ldap1.mydomain.com:389, authentication 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] bind as
cn=freeradius,ou=services,dc=ijp,dc=pan,dc=local/rad--IJP--02 to
ldap1.mydomain.com:389
Fri Sep 15 09:07:16 2017 : Debug: [ldap] waiting for bind result ...
Fri Sep 15 09:07:16 2017 : Debug: [ldap] Bind was successful
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP Identity
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type md5
Fri Sep 15 09:07:16 2017 : Debug: rlm_eap_md5: Issuing Challenge
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 30 to 10.24.100.41 port 32773
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message = 0x01030016041093d2cac6b3d1336be38f63896a404f69
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebcc2d4be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 0.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=31, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020300060319
State = 0xbcc1d00ebcc2d4be84f2b34ad01933f1
Message-Authenticator = 0xa15f469880c1d97b82fba834c87bd10b
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 3
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP NAK
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP-NAK asked for EAP-Type/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type tls
Fri Sep 15 09:07:16 2017 : Info: [tls] Initiate
Fri Sep 15 09:07:16 2017 : Info: [tls] Start returned 1
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 31 to 10.24.100.41 port 32773
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebdc5c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 1.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=32, length=395
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x0204007119800000006716030100620100005e030159bb7c3b7f85ba3410a1b66afdd8eb687b96f62ad26175641d3ed2aa9cee899300001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
State = 0xbcc1d00ebdc5c9be84f2b34ad01933f1
Message-Authenticator = 0xdb5b1081947941e25dbe17961232739c
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 4
length 113
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Debug: TLS Length 103
Fri Sep 15 09:07:16 2017 : Info: [peap] Length Included
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 11
Fri Sep 15 09:07:16 2017 : Info: [peap] (other): before/accept
initialization
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: before/accept
initialization
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 Handshake [length
0062], ClientHello
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
0039], ServerHello
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
08a6], Certificate
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
014b], ServerKeyExchange
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
0004], ServerHelloDone
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: Need to read
more data: unknown state
Fri Sep 15 09:07:16 2017 : Debug: In SSL Handshake Phase
Fri Sep 15 09:07:16 2017 : Debug: In SSL Accept mode
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 32 to 10.24.100.41 port 32773
EAP-Message =
0x0105040019c000000a4216030100390200003503018185835081a6c1001c29d0732978cd92ae81954b6b08f4e4f5c76d011aebb7b400c01400000dff01000100000b00040300010216030108a60b0008a200089f000488308204843082036ca003020102020100300d06092a864886f70d0101050500308188310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c147375626361312e696a702e70616e2e6c
EAP-Message =
0x6f63616c301e170d3137303832313131303233355a170d3332303831373131303233355a308187310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311c301a06035504030c136c646170312e696a702e70616e2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100bf2015679983021d7e971d84ea7c7f5ba06e4b4808b7674f687fc0880cf4635a2db718cb22982ddd8822afe970ec
EAP-Message =
0x2d745deac6e6acf21e7330b77cd86fdb28ab4e04eda8789771a6e30890e6b67c3e111bcd017b12856072c19afefc1d07fcd1a6c53e66cdd8008e8766a1e7dbce66966e07814e08c6bbc2399cae3694dba14c021b588a967cbf5e23197c8593cf28bd84f44a03ecfdfc4e34000e07e9edf676b57633787cb5c3a7b4406c8f4d535c2ffe08f5ce60756500f3887c62b1c34c1088b27de433a9aef286b914e38f6bb307d322586bb33dcd74352dfc37e28eae33f4299d5d120a521a6c691a0980a22ad63ed220331210383ee14edd24be3088b90203010001a381f73081f430090603551d1304023000302c06096086480186f842010d041f161d4f70656e
EAP-Message =
0x53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143b1a3710cdf72a3288cc76cc3d5ad3e9b2384503301f0603551d23041830168014c1d62dd5cd9967b990856c18acc7f2e64f40a29c304106082b0601050507010104353033303106082b060105050730028625687474703a2f2f6b302e696a702e70616e2e6c6f63616c2f63612f7375626361312e63727430360603551d1f042f302d302ba029a0278625687474703a2f2f6b312e696a702e70616e2e6c6f63616c2f63612f7375626361312e63726c300d06092a864886f70d0101050500038201010062dae87f130c1ab3ef0acf5bd31aed2b4f524b4a84
EAP-Message = 0xaf5192d4e9d1c6301ce43d01
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebec4c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 2.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=33, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020500061900
State = 0xbcc1d00ebec4c9be84f2b34ad01933f1
Message-Authenticator = 0xfb763038263f85526f7d8abaa936a1bf
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 5
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] Received TLS ACK
Fri Sep 15 09:07:16 2017 : Info: [peap] ACK handshake fragment handler
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 1
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 33 to 10.24.100.41 port 32773
EAP-Message =
0x010603fc1940b01e45053cb5d289d8a07c691f42babbaf4150ea36d712beb08a0c1eaa301b5df2b9d6975f9dfecbe42c847567bd961d58a520d68fb34854326b7dba525597e4ac0b1a5a66b9d677be1f5e0adfd325311af927356634a7f8aee2770898b4044daf46d89745f7262026f2e1b81caa53a4aebd5310ba988cd6364fd6b79795f38e23d047ad0af23bbcd5407317cb01b49b61eac8d67cf784948797aba3968b094cdfb93c2177da70b000f1797bf3bd979b8317daec32cd87cfa3a471d891abdacea5776581fb2416c93b2f01ba6b6728099d7e26d7974eec099035ee212077e70004113082040d308202f5a003020102020900fda7ea2091
EAP-Message =
0x83fda3300d06092a864886f70d01010505003077310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b696531263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c14726f6f7463612e696a702e70616e2e6c6f63616c301e170d3137303832313130343434315a170d3337303831363130343434315a308188310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120
EAP-Message =
0x506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c147375626361312e696a702e70616e2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100cec338083565b45728e1f8176ba4daabda4ea88555201f503e3977492e85b49759cd232e7934acd16194ca3889d6975a29f68017427738b2fe57db0951e879afb9f5eae6a75a8d8b96cc12acb9686227322a555ec7e298b77b139874e9c0935d52117991a27281644f351bbacf3f804a1da86f26e784a507ec21e3aacfaf5e686fc01e570397f2dcc5822edd7c0b59f20dc48c408453ba7e9ea170a72c175ca352818c
EAP-Message =
0xf095d192d42cf58272c00c477f2e1755104ced45567186bd44f7b3ab6c947a427e0f3e54c5d88e544c349f16737de5c8191785c2a5af1be735466dff6bdb08682494b1b54c25429014c59437925c441f4c1e42ceb12b7d060b7159f5350203010001a38189308186301d0603551d0e04160414c1d62dd5cd9967b990856c18acc7f2e64f40a29c301f0603551d230418301680148ae199d104b425c1279d439e0b0d2487dfda236c300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f6b312e696a702e70616e2e6c6f63616c2f63612f726f6f7463612e63726c300d06092a864886f70d0101050500
EAP-Message = 0x0382010100a7ba01
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebfc7c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 3.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=34, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020600061900
State = 0xbcc1d00ebfc7c9be84f2b34ad01933f1
Message-Authenticator = 0x78af48b2e32899574eb459692278e13a
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 6
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] Received TLS ACK
Fri Sep 15 09:07:16 2017 : Info: [peap] ACK handshake fragment handler
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 1
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 34 to 10.24.100.41 port 32773
EAP-Message =
0x0107025c19004d16d1c7a4c127b06c3974533a055af202e7fe05f13dc5f78bf50eb852b25913965c85f981b45b174003af43ddbb5d8754406a26645dd06a9d4ce4b1622de1b4cec8a3d91f973b6332ba5fd78ff18e6feb1b87e664ee981c68523c4d9517a9c8f97abbefd1d76ba66dbeee1fe4e8d4420f6606ff280119897d3026e466910f5ebb892ce764e60fc8d7e4eb2f1609348a405b6e92133d1f4a6f612f4a6eee9c1c04677bcf3e574dc88d64e8972be7d01a080968f189d9258bca3419feff11a7409ae6471a32eab899837f79f8c8116f27ecf63daf802cd7b0df1b3a767d46bb4a40f07b0ead84f31ba36292b6df736e38d9b2f25e2e1483
EAP-Message =
0x6e854d35643c160301014b0c0001470300174104c749e5af44a1f2c9b879f1f7d840237935fd1df922ab61437f05c1d22a4638aff08e10339671937adc00893635bd845462fc0154817d3b5a116d142e1bac5f4201001bbdf61538895d0d92597c97b5d1ee8399d775cccb53cb7d67b3794daf6a2b452b4e6050d41d9a7411b7457c7294b2e1d736c4ab51ffd5208739525e84115b183aad5ba3e02874c3156f2f6167996e546d7f0e18cec93d124251d483a82cada947992d2c9c8f961939b12d388095aa01a11f88be2dc8517174d7dcc89b1119c5f66512194b940e795c6f119440bfcfdaeceda9855551af8932e73270689e74e474adfd1d07157e
EAP-Message =
0x0ee4449c6e6b535f410007efc4607971c3efa594861aa9ee3561f2ad2bc786e7709f9b5e094d809c2561d9d78eecba382efdac6303efd502c1f3b56822599f13b73c72693373256bc1d266769a2ed2201947a1444b2424e3b216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00eb8c6c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 4.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=35, length=426
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x0207009019800000008616030100461000004241049d9710b7a426a3513d57e030bab3b25a4edf8ca94bbb7eee10006e28e28e5c512206aed775a97bec0a76df64f1fc669507917cabfe556cde04b31ca9f6ac756e1403010001011603010030bda12143c44ac47dd3649040750bb5bb2087fa7dc17179928504e7e470dd78ddfd264d269d3f2fd70711f63f11e67949
State = 0xbcc1d00eb8c6c9be84f2b34ad01933f1
Message-Authenticator = 0x06d4628d7d8179d2d01a8385b86bcfd0
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 7
length 144
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Debug: TLS Length 134
Fri Sep 15 09:07:16 2017 : Info: [peap] Length Included
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 11
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 Handshake [length
0046], ClientKeyExchange
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Sep 15 09:07:16 2017 : Info: [peap] <<< TLS 1.0 Handshake [length
0010], Finished
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] >>> TLS 1.0 Handshake [length
0010], Finished
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] TLS_accept: unknown state
Fri Sep 15 09:07:16 2017 : Info: [peap] (other): SSL negotiation
finished successfully
Fri Sep 15 09:07:16 2017 : Debug: SSL Connection Established
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 13
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_HANDLED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 35 to 10.24.100.41 port 32773
EAP-Message =
0x01080041190014030100010116030100309cd4d10a07b4d67d561d06430c7165c09277f7946aa722b96cf27f896ea980206825dc614435f7bf0835e8e484977d23
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00eb9c9c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 5.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=36, length=288
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020800061900
State = 0xbcc1d00eb9c9c9be84f2b34ad01933f1
Message-Authenticator = 0x262dea598010395c76016ea6f7099a1f
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 8
length 6
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] Received TLS ACK
Fri Sep 15 09:07:16 2017 : Info: [peap] ACK handshake is finished
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 3
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 3
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_SUCCESS
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state TUNNEL ESTABLISHED
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 36 to 10.24.100.41 port 32773
EAP-Message =
0x0109002b19001703010020364933ca1f707384c392a6841c48ed1c0e1a241b99f5e087dc818743cb2507d4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebac8c9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 6.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=37, length=341
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x0209003b1900170301003064732805af4010f3b1137dfc4a31da6d74eb906b3a7c681a01e0f7c9a0fd015df5ebb14b96b6a7c44354cc2260b91b2a
State = 0xbcc1d00ebac8c9be84f2b34ad01933f1
Message-Authenticator = 0x329df1765f0c2fc1e6a35faab42c2056
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 9
length 59
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] Done initial handshake
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_OK
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state WAITING FOR INNER
IDENTITY
Fri Sep 15 09:07:16 2017 : Info: [peap] Identity - psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Info: [peap] Got inner identity
'psitarz(a)mydomain.com'
Fri Sep 15 09:07:16 2017 : Info: [peap] Setting default EAP type for
tunneled EAP session.
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled request
EAP-Message = 0x02090017017073697461727a40696a702e70616e2e706c
server {
Fri Sep 15 09:07:16 2017 : Info: [peap] Setting User-Name to
psitarz(a)mydomain.com
Sending tunneled request
EAP-Message = 0x02090017017073697461727a40696a702e70616e2e706c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 9
length 23
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP Identity
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type mschapv2
Fri Sep 15 09:07:16 2017 : Debug: rlm_eap_mschapv2: Issuing Challenge
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
} # server inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message =
0x010a002c1a010a0027105c28e3c5119990bfecac594ca8283abe7073697461727a40696a702e70616e2e706c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd9fc6e1ed9f6747899ae3f4494b5bd42
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 := "200"
Reply-Message = "YYYY HIT: my_wifi"
EAP-Message =
0x010a002c1a010a0027105c28e3c5119990bfecac594ca8283abe7073697461727a40696a702e70616e2e706c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd9fc6e1ed9f6747899ae3f4494b5bd42
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 01 0a 00 27 10 5c 28 e3 c5 11 99 90 bf
ec ac
PEAP tunnel data out 0010: 59 4c a8 28 3a be 70 73 69 74 61 72 7a 40
69 6a
PEAP tunnel data out 0020: 70 2e 70 61 6e 2e 70 6c
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 37 to 10.24.100.41 port 32773
EAP-Message =
0x010a004b190017030100400aa668edae7f810d1ee048d420a7e0da4ed981b1f3600eaf99fcc21365740c8f52c6f995b1dda5c3672245d5189d2e57e02017247a53c2e6bae6c1ba226a5676
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00ebbcbc9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 7.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=38, length=389
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x020a006b190017030100609c8e8afad49636b8659624cca08c0af13596288fa47edf937944bdef3d4e0de58e67e9c03e69aa6231ce684940848f416242f7c72b34a5487f1638a87920db4293467e7e0566b999463ba56d78483646a844ed67b203597983e21fe4d551473f
State = 0xbcc1d00ebbcbc9be84f2b34ad01933f1
Message-Authenticator = 0x2f84e9005e5ce14f6b0b4d26cabe49c5
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 10
length 107
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] Done initial handshake
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_OK
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state phase2
Fri Sep 15 09:07:16 2017 : Info: [peap] EAP type mschapv2
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled request
EAP-Message =
0x020a004d1a020a00483127a0255afce7ebd675f5e2580c500e5e0000000000000000dbdff2050731af4d5e7f6bbcc15f6ba740b157f5df29b787007073697461727a40696a702e70616e2e706c
server {
Fri Sep 15 09:07:16 2017 : Info: [peap] Setting User-Name to
psitarz(a)mydomain.com
Sending tunneled request
EAP-Message =
0x020a004d1a020a00483127a0255afce7ebd675f5e2580c500e5e0000000000000000dbdff2050731af4d5e7f6bbcc15f6ba740b157f5df29b787007073697461727a40696a702e70616e2e706c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "psitarz(a)mydomain.com"
State = 0xd9fc6e1ed9f6747899ae3f4494b5bd42
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 10
length 77
Fri Sep 15 09:07:16 2017 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = updated
Fri Sep 15 09:07:16 2017 : Info: [files] users: Matched entry DEFAULT at
line 12
Fri Sep 15 09:07:16 2017 : Info: ++[files] = ok
Fri Sep 15 09:07:16 2017 : Info: [ldap] performing user authorization
for psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
%{Stripped-User-Name} -> psitarz
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Info: [ldap] expand:
dc=ijp,dc=pan,dc=local -> dc=ijp,dc=pan,dc=local
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 15 09:07:16 2017 : Debug: [ldap] performing search in
dc=ijp,dc=pan,dc=local, with filter (sAMAccountName=psitarz)
Fri Sep 15 09:07:16 2017 : Debug: [ldap] rebind to URL
ldap://mydomain.com/CN=Configuration,DC=ijp,DC=pan,DC=local
Fri Sep 15 09:07:16 2017 : Info: [ldap] No default NMAS login sequence
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for check items in
directory...
Fri Sep 15 09:07:16 2017 : Info: [ldap] looking for reply items in
directory...
Fri Sep 15 09:07:16 2017 : Debug: WARNING: No "known good" password was
found in LDAP. Are you sure that the user is configured correctly?
Fri Sep 15 09:07:16 2017 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 15 09:07:16 2017 : Info: ++[ldap] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[expiration] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[logintime] = noop
Fri Sep 15 09:07:16 2017 : Info: [pap] WARNING! No "known good" password
found for the user. Authentication may fail because of this.
Fri Sep 15 09:07:16 2017 : Info: ++[pap] = noop
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = updated
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/mschapv2
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type mschapv2
Fri Sep 15 09:07:16 2017 : Info: [mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: [mschapv2] +group MS-CHAP {
Fri Sep 15 09:07:16 2017 : Info: [mschap] Creating challenge hash with
username: psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Info: [mschap] Client is using MS-CHAPv2 for
psitarz(a)mydomain.com, we need NT-Password
Fri Sep 15 09:07:16 2017 : Info: [mschap] WARNING: Deprecated
conditional expansion ":-". See "man unlang" for details
Fri Sep 15 09:07:16 2017 : Info: [mschap] expand:
--username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=psitarz
Fri Sep 15 09:07:16 2017 : Info: [mschap] Creating challenge hash with
username: psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Info: [mschap] expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=30cedb6750524fca
Fri Sep 15 09:07:16 2017 : Info: [mschap] expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=dbdff2050731af4d5e7f6bbcc15f6ba740b157f5df29b787
Fri Sep 15 09:07:16 2017 : Debug: Exec output: Logon failure (0xc000006d)
Fri Sep 15 09:07:16 2017 : Debug: Exec plaintext: Logon failure
(0xc000006d)
Fri Sep 15 09:07:16 2017 : Info: [mschap] Exec: program returned: 1
Fri Sep 15 09:07:16 2017 : Info: [mschap] External script failed.
Fri Sep 15 09:07:16 2017 : Info: [mschap] FAILED: MS-CHAP2-Response is
incorrect
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = reject
Fri Sep 15 09:07:16 2017 : Info: +} # group MS-CHAP = reject
Fri Sep 15 09:07:16 2017 : Info: [eap] Freeing handler
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = reject
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = reject
Fri Sep 15 09:07:16 2017 : Info: Failed to authenticate the user.
Fri Sep 15 09:07:16 2017 : Info: Using Post-Auth-Type REJECT
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: +group REJECT {
Fri Sep 15 09:07:16 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Sep 15 09:07:16 2017 : Info: ++[attr_filter.access_reject] = updated
Fri Sep 15 09:07:16 2017 : Info: +} # group REJECT = updated
} # server inner-tunnel
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply code 3
Reply-Message = "YYYY HIT: my_wifi"
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Fri Sep 15 09:07:16 2017 : Info: [peap] Got tunneled reply RADIUS code 3
Reply-Message = "YYYY HIT: my_wifi"
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Fri Sep 15 09:07:16 2017 : Info: [peap] Tunneled authentication was
rejected.
Fri Sep 15 09:07:16 2017 : Info: [peap] FAILURE
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = handled
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 38 to 10.24.100.41 port 32773
EAP-Message =
0x010b002b1900170301002081117f973bff6879014450c7523c384a68e5d5c65e7d952d690f53d929d388a5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbcc1d00eb4cac9be84f2b34ad01933f1
Fri Sep 15 09:07:16 2017 : Info: Finished request 8.
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773,
id=39, length=325
User-Name = "psitarz(a)mydomain.com"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:my_wifi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002ba859bb7b8b"
Acct-Session-Id = "59bb7b8b/08:ed:b9:92:1e:85/506"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "my_wifi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message =
0x020b002b1900170301002018e0dac5f02e034e89760f78d0c904adb33c3619b1c5a0a946f01f7f0beed16d
State = 0xbcc1d00eb4cac9be84f2b34ad01933f1
Message-Authenticator = 0x867f83b390796be84d7ea49fa63c6775
Fri Sep 15 09:07:16 2017 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authorize {
Fri Sep 15 09:07:16 2017 : Info: ++[preprocess] = ok
Fri Sep 15 09:07:16 2017 : Info: ++[chap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[mschap] = noop
Fri Sep 15 09:07:16 2017 : Info: ++[digest] = noop
Fri Sep 15 09:07:16 2017 : Info: [suffix] Looking up realm
"mydomain.com" for User-Name = "psitarz(a)mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Found realm "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Stripped-User-Name =
"psitarz"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Adding Realm = "mydomain.com"
Fri Sep 15 09:07:16 2017 : Info: [suffix] Authentication realm is LOCAL.
Fri Sep 15 09:07:16 2017 : Info: ++[suffix] = ok
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP packet type response id 11
length 43
Fri Sep 15 09:07:16 2017 : Info: [eap] Continuing tunnel setup.
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = ok
Fri Sep 15 09:07:16 2017 : Info: +} # group authorize = ok
Fri Sep 15 09:07:16 2017 : Info: Found Auth-Type = EAP
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group authenticate {
Fri Sep 15 09:07:16 2017 : Info: [eap] Request found, released from the list
Fri Sep 15 09:07:16 2017 : Info: [eap] EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] processing type peap
Fri Sep 15 09:07:16 2017 : Info: [peap] processing EAP-TLS
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_verify returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] Done initial handshake
Fri Sep 15 09:07:16 2017 : Info: [peap] eaptls_process returned 7
Fri Sep 15 09:07:16 2017 : Info: [peap] EAPTLS_OK
Fri Sep 15 09:07:16 2017 : Info: [peap] Session established. Decoding
tunneled attributes.
Fri Sep 15 09:07:16 2017 : Info: [peap] Peap state send tlv failure
Fri Sep 15 09:07:16 2017 : Info: [peap] Received EAP-TLV response.
Fri Sep 15 09:07:16 2017 : Info: [peap] The users session was
previously rejected: returning reject (again.)
Fri Sep 15 09:07:16 2017 : Info: [peap] *** This means you need to read
the PREVIOUS messages in the debug output
Fri Sep 15 09:07:16 2017 : Info: [peap] *** to find out the reason why
the user was rejected.
Fri Sep 15 09:07:16 2017 : Info: [peap] *** Look for "reject" or
"fail". Those earlier messages will tell you.
Fri Sep 15 09:07:16 2017 : Info: [peap] *** what went wrong, and how to
fix the problem.
Fri Sep 15 09:07:16 2017 : Info: [eap] Handler failed in EAP/peap
Fri Sep 15 09:07:16 2017 : Info: [eap] Failed in EAP select
Fri Sep 15 09:07:16 2017 : Info: ++[eap] = invalid
Fri Sep 15 09:07:16 2017 : Info: +} # group authenticate = invalid
Fri Sep 15 09:07:16 2017 : Info: Failed to authenticate the user.
Fri Sep 15 09:07:16 2017 : Info: Using Post-Auth-Type REJECT
Fri Sep 15 09:07:16 2017 : Info: # Executing group from file
/etc/freeradius/sites-enabled/default
Fri Sep 15 09:07:16 2017 : Info: +group REJECT {
Fri Sep 15 09:07:16 2017 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> psitarz(a)mydomain.com
Fri Sep 15 09:07:16 2017 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Sep 15 09:07:16 2017 : Info: ++[attr_filter.access_reject] = updated
Fri Sep 15 09:07:16 2017 : Info: +} # group REJECT = updated
Fri Sep 15 09:07:16 2017 : Info: Delaying reject of request 9 for 1 seconds
Fri Sep 15 09:07:16 2017 : Debug: Going to the next request
Fri Sep 15 09:07:16 2017 : Debug: Waking up in 0.9 seconds.
Fri Sep 15 09:07:17 2017 : Info: Sending delayed reject for request 9
Sending Access-Reject of id 39 to 10.24.100.41 port 32773
EAP-Message = 0x040b0004
Message-Authenticator = 0x00000000000000000000000000000000
Fri Sep 15 09:07:17 2017 : Debug: Waking up in 3.8 seconds.
--
Z poważaniem / Yours sincerely
Zenon Matuszyk
mobile: 00 48 797 004 938
e-mail: zenon.matuszyk(a)networkers.pl
www: http://www.networkers.pl
2
5
Hi,
I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and
configured the external authentication with 389-DS server using rlm_ldap
module. I would like to authenticate the mac address of all the user which
I have stored in LDAP. The macaddress field in LDAP is a multi value
attribute and the Freeraiud is communicating with LDAP without any issues,
but the freeradius is authenticating only the first macaddress value from
LDAP's multi value field.
I would like to configure the Freeradius to authenticate all the values
from multi value filed. Someone suggested that we can configure this using
rlm_python or rlm_perl module. I am not a coder and I am not able to find
any step by guide to configure the same. Could someone guide me on how to
configure the Freeradius to authenticate Multi-valued LDAP attribute?
Thank you in advance for your time and support.
Regards,
--
Srinivas R
8
18
Peace,
I have free radius 3.0.14 and I managed to authenticate using peap and ttls
using the self signed server certificate. I tried to push it further with
requiring client certificates but that didn't work.
I get the following message in the radius log:
ERROR: (20) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
Wed Sep 13 15:56:33 2017 : Error: tls: TLS_accept: Error in error
Wed Sep 13 15:56:33 2017 : Auth: (20) Login incorrect (eap_peap: TLS Alert
write:fatal:handshake failure): [ameen/<via Auth-Type = eap>] (from client
cisco switch port 50247 cli C3-6F-2F-15-82-3B)
I ducked ducked the internet for the mentioned error and on how to install
client certificates for windows but I couldn't find a solution.
I imagine I correctly imported the server certificate but am unsure about
the client certificate.
I generated the client certificates by editing client.cnf as follows:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 1826
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = ameen
output_password = ameen
[client]
countryName = RU
stateOrProvinceName = Samara
localityName = place
organizationName = comp
emailAddress = ameen(a)test.ru <mailto:ameen@test.ru>
commonName = ameen
then I make client .pem and a file named ameen(a)test.ru.pem
<mailto:ameen@test.ru.pem> is generated. For the next certificate I just
change the email and common name and make client.pem again. I tried to
import the client certificate in windows using mmc, then adding the snap-in
certificates and importing ameen(a)test.ru.pem <mailto:ameen@test.ru.pem> to
the trusted root center certificate. I also tried double clicking on
client.p12 and letting it install automatically but that installed in the
private folder. I tried to double click again and import to the trusted root
center certificate but that does the same thing as the pem file and installs
the ameen certificate. I then checked peap in windows and selected to
validate certificate and chose the ca, server and client certificate and
chose mschapv2 as authentication, unchecked use windows logon credentials
and saved the username and password in extra parameters. The username was
saved in mysql using daloradius and it worked fine until I required using
client certificate.
Here is the eap configuration:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
tls-config tls-common {
private_key_password = ameen
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${cadir}/ca.pem
# auto_chain = yes
# psk_identity = "test"
# psk_hexphrase = "036363823"
dh_file = ${certdir}/dh
random_file = /dev/urandom
# fragment_size = 1024
# include_length = yes
# check_crl = yes
# Check if intermediate CAs have been
revoked.
# check_all_crl = yes
ca_path = ${cadir}
# check_cert_issuer =
"/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
# check_cert_cn = %{User-Name}
cipher_list = "DEFAULT"
cipher_server_preference = no
# disable_tlsv1_2 = no
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24 # hours
#name = "EAP module"
#persist_dir =
"${logdir}/tlscache"
}
## EAP-TLS
#
# As of Version 3.0, the TLS configuration for TLS-based
# EAP types is above in the "tls-config" section.
#
tls {
# Point to the common TLS configuration
tls = tls-common
#
# As part of checking a client certificate,
the EAP-TLS
# sets some attributes such as
TLS-Client-Cert-CN. This
# virtual server has access to these
attributes, and can
# be used to accept or reject the request.
#
# virtual_server = check-eap-tls
}
## EAP-TTLS
#
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
ttls {
# Which tls-config section the TLS
negotiation parameters
# are in - see EAP-TLS above for an
explanation.
#
# In the case that an old configuration
from FreeRADIUS
# v2.x is being used, all the options of
the tls-config
# section may also appear instead in the
'tls' section
# above. If that is done, the tls= option
here (and in
# tls above) MUST be commented out.
#
tls = tls-common
# The tunneled EAP session needs a default
EAP type
# which is separate from the one for the
non-tunneled
# EAP module. Inside of the TTLS tunnel,
we recommend
# using EAP-MD5. If the request does not
contain an
# EAP conversation, then this configuration
entry is
# ignored.
#
default_eap_type = mschapv2
# The tunneled authentication request does
not usually
# contain useful attributes like
'Calling-Station-Id',
# etc. These attributes are outside of the
tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
'yes',
# any attribute which is NOT in the
tunneled
# authentication request, but which IS
available
# outside of the tunnel, is copied to the
tunneled
# request.
#
# allowed values: {no, yes}
#
copy_request_to_tunnel = no
#
# As of version 3.0.5, this configuration
item
# is deprecated. Instead, you should use
#
# update outer.session-state {
# ...
#
# }
#
# This will cache attributes for the final
Access-Accept.
#
# The reply attributes sent to the NAS are
usually
# based on the name of the user 'outside'
of the
# tunnel (usually 'anonymous'). If you
want to send
# the reply attributes based on the user
name inside
# of the tunnel, then set this
configuration entry to
# 'yes', and the reply to the NAS will be
taken from
# the reply to the tunneled request.
#
# allowed values: {no, yes}
#
use_tunneled_reply = no
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This has the same meaning, and
overwrites, the
# same field in the "tls" configuration,
above.
# The default value here is "yes".
#
# include_length = yes
#
# Unlike EAP-TLS, EAP-TTLS does not require
a client
# certificate. However, you can require one
by setting the
# following option. You can also override
this option by
# setting
#
# EAP-TLS-Require-Client-Cert =
Yes
#
# in the control items for a request.
#
require_client_cert = yes
}
## EAP-PEAP
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
# proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
# soh = yes
# soh_virtual_server = "soh-server"
require_client_cert = yes
}
Is any more information needed and what am I doing wrong?
2
3