Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 12 participants
- 27047 discussions
Hello out there,
I am using freeradius2 in a raspberry pi3 with last version of LEDE and FreeRADIUS Version 2.2.9, and it happens something really weird, an infinite loop when a user tries to connect from a wifi hotspot.
After installing freeradius, I only change 2 things:
Add:ricardo Cleartext-Password := “testing”to /etc/freeradius2/users
Comment out this# interface = br-lan from /etc/freeradius2/radiusd.conf
I test the radius server using:root@LEDE:/etc/freeradius2# echo "User-Name = ricardo, User-Password = testing" | radclient -x 127.0.0.1 auth testing123
And it works:Sending Access-Request of id 28 to 127.0.0.1 port 1812 User-Name = "ricardo" User-Password = "testing"rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=28, length=20
However, when I setup WPA 2 Enterprise in the LEDE router (the same with freeradius server) and a user tries to connect, this infinite loop happens:https://vimeo.com/233192357
No error or warning message when running radiusd -XXXHere the log:https://gist.github.com/Ricardo1980/a5a7047fd0a03a6b10aea3b82f5e7cdf
I think it is not related with certificates, because I can see this in the log:Sun Sep 10 14:07:31 2017 : Info: [peap] (other): SSL negotiation finished successfully
Apart from that, I have this package installed:freeradius2-democerts
And in the iPhone, it says that the expiration date is next year.
Do you have any idea or suggestion? Probably it is a small detail but I cannot see it.Thanks a lot for your time.
2
4
09 Sep '17
Hello everyone,
I have problems with authenticating some clients using PEAP-MSCHAP. I've
seen two (unrelated) devices having this issue so far: an Android phone
and a Windows 7 PC. Other clients do not have this problem.
The debug output is:
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 99 bytes
(2) eap_peap: Got complete TLS record (99 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.2 [length 005e]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:1417D18C:SSL routines:tls_process_client_hello:version too low
(2) eap_peap: ERROR: System call (I/O) error (-1)
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(2) eap: Sending EAP Failure (code 4) ID 230 length 4
(2) eap: Failed in EAP select
(2) [eap] = invalid
(2) } # authenticate = invalid
(2) Failed to authenticate the user
I'm not sure if I'm interpreting this correctly, but it seems that the
client is trying to talk in TLSv1.2 while FreeRADIUS doesn't support that?
I don't know what started this problem. PEAP always worked in the past,
until now. The only thing I can think of is that I've recently generated
new certificates (old ones were expired). There has also been a
FreeRADIUS update (just regular Debian updates, I'm on 3.0.15 now).
Could that be related?
Thanks in advance for your help,
Lars
4
13
09 Sep '17
>
> On 9 Sep 2017, at 21:30, Fajar A. Nugraha <list(a)fajar.net> wrote:
>
> On Sat, Sep 9, 2017 at 7:56 PM, Alan DeKok <aland(a)deployingradius.com> wrote:
>> On Sep 9, 2017, at 12:11 AM, Fajar A. Nugraha <list(a)fajar.net> wrote:
>>> I think the problem arise because users see the debian directory, and
>>> expect to build it successfully (i.e. following
>>> https://wiki.freeradius.org/building/Debian-and-Ubuntu) But that
>>> fails for debian 9.
>>
>> I can't feel overly responsible for distributions which break application software.
>>
>> There's really no other way to describe this. They've added patches to Debian after 3.0.15 was released, and those patches break *all* versions of FreeRADIUS.
>>
>>> IMHO some possible options are:
>>> (a) add some instructions (e.g. on
>>> https://wiki.freeradius.org/building/Debian-and-Ubuntu) something
>>> like 'if you're absolutely sure you're using patched/non-vulnerable
>>> versions of openssl, then you can edit these files manually, but don't
>>> complain if it's broken", and so on. And point any
>>> debian-package-related queries there. OR
>>
>> I've pushed patches to v3.0.x which should help. I'll see if I can add notes to the wiki.
I think there's some confusion here...
Those were an adaptation of the fixes that I put into v4.0.x to call the new OpenSSL 1.1.0 API to set min/max TLS versions, they won't affect debian packaging, or alter which security issues FreeRADIUS flags.
...they will however allow users to override the TLS restrictions in Debian 9, which only allowed TLS 1.2 to be used, which was the subject of another thread.
I'm working on a new docker build image for Debian 9, after that's done we should be able to look at the packaging issues in v3.0.x on Debian 9.
As for discovering packaging issues early, yes there is a the beginnings of a Jenkins based CIT system, that publishes packages for centos7 and ubuntu to packages.networkradius.com.
The main issues are that packages aren't pushed for every debian/ubuntu/centos flavour, and there's currently no notifications of when a build fails.
>> We'll try to get automated builds set up... right now, we're up to a backlog of ~10-20 systems that people want.
It's up, it's just sort of, half finished, and not overly useful in its current form. Not to say it couldn't be useful, it just isn't right now, seeing as it doesn't publish notifications in any form... outside of maybe the jobs triggered by pull requests. Anyway that's an internal discussion.
-Arran
Arran Cudbard-Bell <a.cudbardb(a)freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
2
1
Getting error for LDAP-UserDN Module. Anybody has seen it ?
0) level1_and_duopush : Executing: /idm/idmt_home/srv/radius-mfa-scripts/bin/DuoFactor.pl %{config:modules.ldap.identity} %{config:modules.ldap.password} %{config:modules.ldap.server} %{config:modules.ldap.base_dn} %{check:LDAP-UserDn} %{config:modules.ldap.level-1_kdc} %{config:modules.ldap.logFILEname} %{config:modules.ldap.duo_host} %{config:modules.ldap.duo_ikey} %{config:modules.ldap.duo_skey} push
0) level1_and_duopush : EXPAND modules.ldap.identity
(0) level1_and_duopush : --> modules.ldap.identity
(0) level1_and_duopush : EXPAND %{config:modules.ldap.identity}
(0) level1_and_duopush : --> cn=p-idm-radius,o=services
(0) level1_and_duopush : EXPAND modules.ldap.password
(0) level1_and_duopush : --> modules.ldap.password
(0) level1_and_duopush : EXPAND %{config:modules.ldap.password}
(0) level1_and_duopush : --> XXXX
(0) level1_and_duopush : EXPAND modules.ldap.server
(0) level1_and_duopush : --> modules.ldap.server
(0) level1_and_duopush : EXPAND %{config:modules.ldap.server}
(0) level1_and_duopush : --> p-idm-dir1.ent.med.umich.edu
(0) level1_and_duopush : EXPAND modules.ldap.base_dn
(0) level1_and_duopush : --> modules.ldap.base_dn
(0) level1_and_duopush : EXPAND %{config:modules.ldap.base_dn}
(0) level1_and_duopush : --> dc=umich,dc=edu
(0) ERROR: level1_and_duopush : %{check:LDAP-UserDn}
(0) ERROR: level1_and_duopush : ^ Unknown module
(0) level1_and_duopush : EXPAND modules.ldap.level-1_kdc
(0) level1_and_duopush : --> modules.ldap.level-1_kdc
(0) level1_and_duopush : EXPAND %{config:modules.ldap.level-1_kdc}
(0) level1_and_duopush : --> UMICH.EDU
(0) level1_and_duopush : EXPAND modules.ldap.logFILEname
(0) level1_and_duopush : --> modules.ldap.logFILEname
(0) level1_and_duopush : EXPAND %{config:modules.ldap.logFILEname}
(0) level1_and_duopush : --> /idm/idmt_home/srv/radius-mfa-scripts/log/umhspf.log
(0) level1_and_duopush : EXPAND modules.ldap.duo_host
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
3
2
New functionality is being added in v4.0.x to allow new sub-requests to be generated by requests received by the server.
The basic format is:
<keyword> [virtual-server.]<packet-type> {
<sub-request-attr0> := <parent attr0>
<sub-request-attr1> += <parent attr1>
<sub-request-attrN> += <parent attrN>
}
There's debate about what <keyword> should be, and whether there should be multiple <keywords> for async - where we split the lifetime of the sub-request from its parent, and synchronous behaviour - where we wait for the sub-request to return before we continue processing.
The original keyword was "fork", and has since been changed to "create". Do people have any opinions on what the easiest to infer and most consistent keyword to use here would be?
Some other ideas were "spawn", and "child".
There's no guarantee that the most popular keyword/idea will be used, but it'll at least inform us of general public opinion :)
-Arran
5
10
In rlm_exec to execute perl script what is
wait = yes
output = none
#input_pairs = request
output_pairs = none
**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
3
3
Hello,
I try to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth
from samba. I use default settings, follow freeradius-active-directory-
integration-howto. All work correctly for username length up to 5
characters, but when I use username, where the length is more than 5
characters, freeradius terminated due memory corruption.
(freeradius v.3.0.15, running on debian Wheezy64).
debug for username length more than 5 characters:
...
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10) [ntdomain] = noop
(10) update control {
(10) &Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 11 length 6
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/inner
(10) authenticate {
(10) eap: Expiring EAP session with state 0x00b1f6cf01baecde
(10) eap: Finished EAP session with state 0x00b1f6cf01baecde
(10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released
from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap: Sending EAP Success (code 3) ID 11 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-
enabled/inner
(10) post-auth {
(10) if (1) {
(10) if (1) -> TRUE
(10) if (1) {
(10) update reply {
(10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7
efef0171bb6]
*** glibc detected *** freeradius: free(): invalid next size (fast): 0x
0000000000b61230 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3]
/usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7
efef2023b56]
/usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef
2263c9d]
freeradius[0x4278ad]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius(modcall+0x43)[0x4286a3]
freeradius(indexed_modcall+0xa5)[0x423205]
freeradius(rad_postauth+0x80)[0x4118a0]
freeradius(rad_virtual_server+0x3d0)[0x4128f0]
/usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872]
/usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2]
/usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb]
/usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58]
/usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15]
freeradius[0x4283b2]
freeradius[0x4272aa]
freeradius[0x42752d]
freeradius(modcall+0x43)[0x4286a3]
freeradius(indexed_modcall+0xa5)[0x423205]
freeradius(rad_authenticate+0x73d)[0x4122bd]
freeradius[0x4368ba]
freeradius[0x4322ad]
freeradius(request_receive+0x337)[0x433f97]
freeradius[0x41d5b9]
freeradius[0x4316ad]
/usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef2036
c59]
freeradius(main+0x6af)[0x410dbf]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead]
freeradius[0x411105]
======= Memory map: ========
00400000-00463000 r-xp 00000000 01:01 77414 /
usr/sbin/freeradius
00662000-00665000 r--p 00062000 01:01 77414 /
usr/sbin/freeradius
00665000-00669000 rw-p 00065000 01:01 77414 /
usr/sbin/freeradius
00669000-0066a000 rw-p 00000000 00:00 0
00800000-00b9b000 rw-p 00000000 00:00 0
[heap]
...
and now the same situation, username length up to 5 characters:
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10) [ntdomain] = noop
(10) update control {
(10) &Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 64
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/inner
(10) authenticate {
(10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e
(10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e
(10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released
from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap_mschapv2: # Executing group from file /etc/freeradius/sites-
enabled/inner
(10) eap_mschapv2: authenticate {
(10) mschap: Creating challenge hash with username: test2
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username
=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} --
challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(10) mschap: EXPAND --username=%{mschap:User-Name:-None}
(10) mschap: --> --username=test2
...
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # post-auth = ok
(12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253:
1812 length 0
(12) MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739
e329efbe06bc0e1e
(12) MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b
762d516c0cc10f7f
(12) EAP-Message = 0x030c0004
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) User-Name = "test2"
(12) EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b
40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b
6241ff
(12) Finished request
But when I try radtest with username length more than 5 characters, no
problem:
----------------------------------------------------------------------------
-------------------------
radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1
SharedSecret
Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length
132
User-Name = "abcdef"
MS-CHAP-Password = "12345#W"
NAS-IP-Address = 10.255.246.120
NAS-Port = 1
Message-Authenticator = 0x00
Cleartext-Password = "12345#W"
MS-CHAP-Challenge = 0x838e90923dacd16e
MS-CHAP-Response = 0x
0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4ac
516373cd10bd09574a21bb8c
Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length
37
Than you for any help, Petr Linke
4
12
Hi
You've enabled the SQL module but that then activates the default
conditional modules, you want to comment out the SQL (well, -sql) in the
authorize etc sections and only use your unlang SQL
This may mean that you need to add SQL to the instantiate section of the
radiusd.conf main file
alan
On 5 Sep 2017 5:29 pm, "Adam Cage" <adamcage27(a)gmail.com> wrote:
Dear Alan and people, I tell you again I succeeded in authorize with LDAP
and authenticate against AD. But when I add the SQL authorization check to
the existing LDAP check, I fail. I've followed Alan's suggestion, and I did
these settings:
1- Installed the freeradius-mysql Debian package
2- Edited /etc/freeradius/sql.conf with the remote DB MySQL parameters (IP,
user, pass, DB name, port). When I start Freeradius, and I execute tcpdump,
I can see traffic to the remote DB on port 3306)
3- Uncommented $INCLUDE sql.conf in /etc/freeradius/radiusd.conf
4- Edited /etc/freeradius/sites-available/default file in this manner:
authorize {
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
"%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress =
'%{Calling-Station-Id}'}" > 0) {
update reply {
Reply-Message = "Access enabled to WiFi"
}
ok
}
else {
reject
}
}
5- Edited /etc/freeradius/sites-available/inner-tunnel file in this manner:
authorize {
if (LDAP-Group == "GROUP1" && Called-Station-Id =~ /:Free/ &&
"%{sql:SELECT COUNT(MacAddress) FROM FILTERS WHERE MacAddress =
'%{outer.request:Calling-Station-Id}'}" > 0) {
update reply {
Reply-Message = "Access enabled to WiFi"
}
ok
}
else {
reject
}
}
Finally, the debug is this....Can you help me please ??? Thanks!!!
# freeradius -X
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built
on Oct 24 2014 at 02:05:28
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/krb5
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.12.1.1 {
require_message_authenticator = no
secret = "xxxxx"
shortname = "WLC"
nastype = "cisco"
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?
modules {
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = ntlm_auth
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-COMPANY}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Instantiating module "ntlm_auth" from file
/etc/freeradius/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=COMPANY
--username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "172.31.18.19"
port = "3306"
login = "usrFiltradoMac"
password = "xxxx"
radius_db = "filtromac"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/freeradius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 32
lifetime = 0
max_queries = 0
sql_user_name = ""
default_user_profile = ""
nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_group_check_query = ""
authorize_group_reply_query = ""
accounting_onoff_query = ""
accounting_update_query = ""
accounting_update_query_alt = ""
accounting_start_query = ""
accounting_start_query_alt = ""
accounting_stop_query = ""
accounting_stop_query_alt = ""
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = ""
postauth_query = ""
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to
usrFiltradoMac@172.31.28.79:3306/filtromac
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): starting 8
rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
rlm_sql_mysql: Starting connect to MySQL server for #8
rlm_sql (sql): Connected new DB handle, #8
rlm_sql (sql): starting 9
rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
rlm_sql_mysql: Starting connect to MySQL server for #9
rlm_sql (sql): Connected new DB handle, #9
rlm_sql (sql): starting 10
rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
rlm_sql_mysql: Starting connect to MySQL server for #10
rlm_sql (sql): Connected new DB handle, #10
rlm_sql (sql): starting 11
rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
rlm_sql_mysql: Starting connect to MySQL server for #11
rlm_sql (sql): Connected new DB handle, #11
rlm_sql (sql): starting 12
rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
rlm_sql_mysql: Starting connect to MySQL server for #12
rlm_sql (sql): Connected new DB handle, #12
rlm_sql (sql): starting 13
rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
rlm_sql_mysql: Starting connect to MySQL server for #13
rlm_sql (sql): Connected new DB handle, #13
rlm_sql (sql): starting 14
rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
rlm_sql_mysql: Starting connect to MySQL server for #14
rlm_sql (sql): Connected new DB handle, #14
rlm_sql (sql): starting 15
rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
rlm_sql_mysql: Starting connect to MySQL server for #15
rlm_sql (sql): Connected new DB handle, #15
rlm_sql (sql): starting 16
rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
rlm_sql_mysql: Starting connect to MySQL server for #16
rlm_sql (sql): Connected new DB handle, #16
rlm_sql (sql): starting 17
rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
rlm_sql_mysql: Starting connect to MySQL server for #17
rlm_sql (sql): Connected new DB handle, #17
rlm_sql (sql): starting 18
rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
rlm_sql_mysql: Starting connect to MySQL server for #18
rlm_sql (sql): Connected new DB handle, #18
rlm_sql (sql): starting 19
rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
rlm_sql_mysql: Starting connect to MySQL server for #19
rlm_sql (sql): Connected new DB handle, #19
rlm_sql (sql): starting 20
rlm_sql (sql): Attempting to connect rlm_sql_mysql #20
rlm_sql_mysql: Starting connect to MySQL server for #20
rlm_sql (sql): Connected new DB handle, #20
rlm_sql (sql): starting 21
rlm_sql (sql): Attempting to connect rlm_sql_mysql #21
rlm_sql_mysql: Starting connect to MySQL server for #21
rlm_sql (sql): Connected new DB handle, #21
rlm_sql (sql): starting 22
rlm_sql (sql): Attempting to connect rlm_sql_mysql #22
rlm_sql_mysql: Starting connect to MySQL server for #22
rlm_sql (sql): Connected new DB handle, #22
rlm_sql (sql): starting 23
rlm_sql (sql): Attempting to connect rlm_sql_mysql #23
rlm_sql_mysql: Starting connect to MySQL server for #23
rlm_sql (sql): Connected new DB handle, #23
rlm_sql (sql): starting 24
rlm_sql (sql): Attempting to connect rlm_sql_mysql #24
rlm_sql_mysql: Starting connect to MySQL server for #24
rlm_sql (sql): Connected new DB handle, #24
rlm_sql (sql): starting 25
rlm_sql (sql): Attempting to connect rlm_sql_mysql #25
rlm_sql_mysql: Starting connect to MySQL server for #25
rlm_sql (sql): Connected new DB handle, #25
rlm_sql (sql): starting 26
rlm_sql (sql): Attempting to connect rlm_sql_mysql #26
rlm_sql_mysql: Starting connect to MySQL server for #26
rlm_sql (sql): Connected new DB handle, #26
rlm_sql (sql): starting 27
rlm_sql (sql): Attempting to connect rlm_sql_mysql #27
rlm_sql_mysql: Starting connect to MySQL server for #27
rlm_sql (sql): Connected new DB handle, #27
rlm_sql (sql): starting 28
rlm_sql (sql): Attempting to connect rlm_sql_mysql #28
rlm_sql_mysql: Starting connect to MySQL server for #28
rlm_sql (sql): Connected new DB handle, #28
rlm_sql (sql): starting 29
rlm_sql (sql): Attempting to connect rlm_sql_mysql #29
rlm_sql_mysql: Starting connect to MySQL server for #29
rlm_sql (sql): Connected new DB handle, #29
rlm_sql (sql): starting 30
rlm_sql (sql): Attempting to connect rlm_sql_mysql #30
rlm_sql_mysql: Starting connect to MySQL server for #30
rlm_sql (sql): Connected new DB handle, #30
rlm_sql (sql): starting 31
rlm_sql (sql): Attempting to connect rlm_sql_mysql #31
rlm_sql_mysql: Starting connect to MySQL server for #31
rlm_sql (sql): Connected new DB handle, #31
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "ldap.company.net"
port = 636
password = "xxx"
expect_password = yes
identity = "cn=connect,ou=Company,dc=company,dc=net"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "OU=Company,DC=company,DC=net"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
chase_referrals = yes
rebind = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = no
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x10e9b30
Module: Linked to module rlm_always
Module: Instantiating module "ok" from file /etc/freeradius/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
Module: Instantiating module "reject" from file
/etc/freeradius/modules/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 51567
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.12.1.1 port 32769, id=238,
length=246
User-Name = "adam"
Calling-Station-Id = "54:27:1e:0c:0b:fc"
Called-Station-Id = "44:ad:d9:0e:dd:40:Free"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=ac1f0c620000023159aecc35"
NAS-IP-Address = 10.12.1.1
NAS-Identifier = "WLC"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = 0x0203000f0165616c6d6f6e61636964
Message-Authenticator = 0x501b12ce48af68714f1030855775ae2a
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "adam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
rlm_sql (sql): Reserving sql socket id: 30
[sql] expand: ->
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 30
++[sql] = fail
+} # group authorize = fail
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> adam
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 238 to 10.12.1.1 port 32769
Waking up in 4.9 seconds.
Cleaning up request 1 ID 238 with timestamp +52
Ready to process requests.
2017-09-04 10:28 GMT-03:00 Alan DeKok <aland(a)deployingradius.com>:
> On Sep 4, 2017, at 9:09 AM, Adam Cage <adamcage27(a)gmail.com> wrote:
> >
> > Dear Alan, thanks for your response....just two things for the moment:
> >
> >> You may need to install v3. Honestly, just install 3.0.15, and go with
> > that.
> >
> > Ok, but can I use my current server with version 2.2.5 in order to test
> the
> > SQL authorization or the use of version 3.x is mandatory ???
>
> It's easier with v3.
>
> >> You will need to edit raddb/sites-enabled/default, and also the
> > raddb/mods-enabled/sql
> >
> > Now I have edited default and inner-tunnel files, but you tell me to
edit
> > just default (and also sql module)...inner-tunel is not necessary???
>
> It may be. Some amount of thinking for yourself is useful, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/
list/users.html
4
6
hello everyone,
have a working installation of FreeRADIUS Version 3.0.15 that "look for AD group matching" to distinguish allowed users per NAS.
shortly, having proof that it is working for many but not all workers have observed that in working case
...........
(2) } # Auth-Type ntlm_auth = ok
(2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(2) post-auth {
(2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(2) Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}:
(2) EXPAND %{User-Name}
(2) --> USER1.admin
(2) Program returned code (0) and output '.....list of 38 groups for 850 chars....... MYDOMAYN\UNIX Admins .......... and 11 more groups for 279 chars'
(2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") -> TRUE
(2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(2) update reply {
(2) Service-Type = Administrative-User
(2) Cisco-AVpair = "shell:priv-lvl=15"
(2) }
...........
while in non-working case we have
...............
(1) } # Auth-Type ntlm_auth = ok
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1) post-auth {
(1) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(1) Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}:
(1) EXPAND %{User-Name}
(1) --> USER2.admin
(1) Program returned code (0) and output '........list of 81 groups for 1115 chars...... MYDOMAIN\UNIX Admins ....... and 16 more groups for 402 chars......'
(1) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") -> FALSE
............
so, it seem that 1115 is outside some limit (I guess 1024) but am not aware IF and WHERE can I expand it.
as far as I can see (using grep -Ri 1024 *) no textfile in /usr/local/etc/raddb includes a 1024 meaningful for the case (well, src files have some more of them....); so please :
a) confirm if there is a string-length-limit in substring matching
b) if yes suggest where to interact with the system to increase it (at least twice, better 4 times the original value)
regards
Alessandro
2
3
Resending since the other one was rejected for being long. Apologies
On 5 September 2017 at 22:19, Matthew Pulis <mpulis(a)gmail.com> wrote:
> Dear all
>
> Many many thanks for your support. We are moving towards a complete
> solution :)
>
> Windows 10 works fine without the need to install a certificate. The
> certificates on the server were all expired so I renewed everything and Win
> 10 worked out of the box - no need to install anything.
>
> Windows 7 is different. I pushed ca.der to the Win 7 client. Installed it
> using cert util and double checked it via mmc.
>
> Before connecting this is the warning the network showed: The server "The
> Seminary Local Certificate Authority" presented a valid certificate issued
> by "The Seminary Local Certificate Authority", but "The Seminary Local
> Certificate Authority" is not configured as a valid trust anchor for this
> profile. Further, the server "The Seminary Local Certificate Authority" is
> not configured as a valid NPS server to connect to for this profile.
>
> It seems to be a problem with Win 7. Do you have any pointers? Should I
> enable MSCHAPv2 too? or is there something for EAP please?
>
> Should something like this work: https://documentation.
> meraki.com/MR/Encryption_and_Authentication/Enabling_EAP-TLS_in_Windows_7?
>
> Thanks a lot for your help and support!
>
> This is the full log
>
> radius@radius:~$ sudo freeradius -X
> FreeRADIUS Version 3.0.15
> Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/freeradius/dictionary
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including files in directory /etc/freeradius/mods-enabled/
> including configuration file /etc/freeradius/mods-enabled/mschap
> including configuration file /etc/freeradius/mods-enabled/adldap
> including configuration file /etc/freeradius/mods-enabled/always
> including configuration file /etc/freeradius/mods-enabled/soh
> including configuration file /etc/freeradius/mods-enabled/eap
> including configuration file /etc/freeradius/mods-enabled/dynamic_clients
> including configuration file /etc/freeradius/mods-enabled/logintime
> including configuration file /etc/freeradius/mods-enabled/exec
> including configuration file /etc/freeradius/mods-enabled/realm
> including configuration file /etc/freeradius/mods-enabled/utf8
> including configuration file /etc/freeradius/mods-enabled/date
> including configuration file /etc/freeradius/mods-enabled/echo
> including configuration file /etc/freeradius/mods-enabled/unix
> including configuration file /etc/freeradius/mods-enabled/detail.log
> including configuration file /etc/freeradius/mods-enabled/expr
> including configuration file /etc/freeradius/mods-enabled/ntlm_auth
> including configuration file /etc/freeradius/mods-enabled/pap
> including configuration file /etc/freeradius/mods-enabled/ldap
> including configuration file /etc/freeradius/mods-enabled/digest
> including configuration file /etc/freeradius/mods-enabled/files
> including configuration file /etc/freeradius/mods-enabled/preprocess
> including configuration file /etc/freeradius/mods-enabled/cache_eap
> including configuration file /etc/freeradius/mods-enabled/detail
> including configuration file /etc/freeradius/mods-enabled/expiration
> including configuration file /etc/freeradius/mods-enabled/chap
> including configuration file /etc/freeradius/mods-enabled/sradutmp
> including configuration file /etc/freeradius/mods-enabled/radutmp
> including configuration file /etc/freeradius/mods-enabled/passwd
> including configuration file /etc/freeradius/mods-enabled/linelog
> including configuration file /etc/freeradius/mods-enabled/unpack
> including configuration file /etc/freeradius/mods-enabled/attr_filter
> including configuration file /etc/freeradius/mods-enabled/replicate
> including files in directory /etc/freeradius/policy.d/
> including configuration file /etc/freeradius/policy.d/filter
> including configuration file /etc/freeradius/policy.d/control
> including configuration file /etc/freeradius/policy.d/canonicalization
> including configuration file /etc/freeradius/policy.d/eap
> including configuration file /etc/freeradius/policy.d/debug
> including configuration file /etc/freeradius/policy.d/dhcp
> including configuration file /etc/freeradius/policy.d/
> moonshot-targeted-ids
> including configuration file /etc/freeradius/policy.d/accounting
> including configuration file /etc/freeradius/policy.d/abfab-tr
> including configuration file /etc/freeradius/policy.d/cui
> including configuration file /etc/freeradius/policy.d/operator-name
> including files in directory /etc/freeradius/sites-enabled/
> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
> including configuration file /etc/freeradius/sites-enabled/default
> main {
> security {
> user = "freerad"
> group = "freerad"
> allow_core_dumps = no
> }
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> }
> main {
> name = "freeradius"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/freeradius"
> run_dir = "/var/run/freeradius"
> libdir = "/usr/lib/freeradius"
> radacctdir = "/var/log/freeradius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> pidfile = "/var/run/freeradius/freeradius.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> resources {
> }
> security {
> max_attributes = 200
> reject_delay = 1.000000
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20.000000
> response_timeouts = 1
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> check_timeout = 4
> num_answers_to_alive = 3
> revive_interval = 120
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> proto = "*"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client localhost_ipv6 {
> ipv6addr = ::1
> require_message_authenticator = no
> secret = <<< secret >>>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client 192.168.100.1/24 {
> require_message_authenticator = no
> secret = <<< secret >>>
> shortname = "NAS"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client
> 192.168.100.1/24. Please fix your configuration
> Support for old-style clients will be removed in a future release
> Debugger not attached
> # Creating Auth-Type = eap
> # Creating Auth-Type = PAP
> # Creating Auth-Type = CHAP
> # Creating Auth-Type = MS-CHAP
> # Creating Auth-Type = digest
> radiusd: #### Instantiating modules ####
> modules {
> # Loaded module rlm_mschap
> # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> winbind_retry_with_normalised_username = no
> }
> # Loaded module rlm_ldap
> # Loading module "adldap" from file /etc/freeradius/mods-enabled/adldap
> ldap adldap {
> server = "localhost"
> identity = "cn=admin,dc=seminary,dc=local"
> password = <<< secret >>>
> sasl {
> }
> user {
> scope = "sub"
> access_positive = yes
> sasl {
> }
> }
> group {
> filter = "(objectClass=posixGroup)"
> scope = "sub"
> name_attribute = "cn"
> membership_attribute = "memberOf"
> cacheable_name = no
> cacheable_dn = no
> }
> client {
> filter = "(objectClass=radiusClient)"
> scope = "sub"
> base_dn = "ou=School,dc=seminary,dc=ad"
> }
> profile {
> }
> options {
> ldap_debug = 40
> chase_referrals = yes
> rebind = yes
> net_timeout = 1
> res_timeout = 10
> srv_timelimit = 3
> idle = 60
> probes = 3
> interval = 3
> }
> tls {
> start_tls = no
> }
> }
> Creating attribute adldap-LDAP-Group
> # Loaded module rlm_always
> # Loading module "reject" from file /etc/freeradius/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Loading module "fail" from file /etc/freeradius/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Loading module "ok" from file /etc/freeradius/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Loading module "handled" from file /etc/freeradius/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Loading module "invalid" from file /etc/freeradius/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Loading module "userlock" from file /etc/freeradius/mods-enabled/
> always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Loading module "notfound" from file /etc/freeradius/mods-enabled/
> always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Loading module "noop" from file /etc/freeradius/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Loading module "updated" from file /etc/freeradius/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_soh
> # Loading module "soh" from file /etc/freeradius/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Loaded module rlm_eap
> # Loading module "eap" from file /etc/freeradius/mods-enabled/eap
> eap {
> default_eap_type = "ttls"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 16384
> }
> # Loaded module rlm_dynamic_clients
> # Loading module "dynamic_clients" from file
> /etc/freeradius/mods-enabled/dynamic_clients
> # Loaded module rlm_logintime
> # Loading module "logintime" from file /etc/freeradius/mods-enabled/
> logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_exec
> # Loading module "exec" from file /etc/freeradius/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_realm
> # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/
> realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_utf8
> # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8
> # Loaded module rlm_date
> # Loading module "date" from file /etc/freeradius/mods-enabled/date
> date {
> format = "%b %e %Y %H:%M:%S %Z"
> utc = no
> }
> # Loading module "echo" from file /etc/freeradius/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Loaded module rlm_unix
> # Loading module "unix" from file /etc/freeradius/mods-enabled/unix
> unix {
> radwtmp = "/var/log/freeradius/radwtmp"
> }
> Creating attribute Unix-Group
> # Loaded module rlm_detail
> # Loading module "auth_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail auth_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "reply_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail reply_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/
> reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail pre_proxy_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-
> proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/
> detail.log
> detail post_proxy_log {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/
> post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_expr
> # Loading module "expr" from file /etc/freeradius/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCD
> EFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇ
> ÈÉÊËÎÏÔŒÙÛÜŸ"
> }
> # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/
> ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
> --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_pap
> # Loading module "pap" from file /etc/freeradius/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loading module "ldap" from file /etc/freeradius/mods-enabled/ldap
> ldap {
> server = "localhost"
> identity = "cn=admin,dc=seminary,dc=local"
> password = <<< secret >>>
> sasl {
> }
> user {
> scope = "sub"
> access_positive = yes
> sasl {
> }
> }
> group {
> filter = "(objectClass=posixGroup)"
> scope = "sub"
> name_attribute = "cn"
> membership_attribute = "memberOf"
> cacheable_name = no
> cacheable_dn = no
> }
> client {
> filter = "(objectClass=radiusClient)"
> scope = "sub"
> base_dn = "ou=SeminaryOU,dc=seminary,dc=local"
> }
> profile {
> }
> options {
> ldap_debug = 40
> chase_referrals = yes
> rebind = yes
> net_timeout = 1
> res_timeout = 10
> srv_timelimit = 3
> idle = 60
> probes = 3
> interval = 3
> }
> tls {
> start_tls = no
> }
> }
> Creating attribute LDAP-Group
> # Loaded module rlm_digest
> # Loading module "digest" from file /etc/freeradius/mods-enabled/digest
> # Loaded module rlm_files
> # Loading module "files" from file /etc/freeradius/mods-enabled/files
> files {
> filename = "/etc/freeradius/mods-config/files/authorize"
> acctusersfile = "/etc/freeradius/mods-config/files/accounting"
> preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy"
> }
> # Loaded module rlm_preprocess
> # Loading module "preprocess" from file /etc/freeradius/mods-enabled/
> preprocess
> preprocess {
> huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups"
> hints = "/etc/freeradius/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> # Loaded module rlm_cache
> # Loading module "cache_eap" from file /etc/freeradius/mods-enabled/
> cache_eap
> cache cache_eap {
> driver = "rlm_cache_rbtree"
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 0
> epoch = 0
> add_stats = no
> }
> # Loading module "detail" from file /etc/freeradius/mods-enabled/detail
> detail {
> filename = "/var/log/freeradius/radacct/%
> {%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> escape_filenames = no
> log_packet_header = no
> }
> # Loaded module rlm_expiration
> # Loading module "expiration" from file /etc/freeradius/mods-enabled/
> expiration
> # Loaded module rlm_chap
> # Loading module "chap" from file /etc/freeradius/mods-enabled/chap
> # Loaded module rlm_radutmp
> # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/
> sradutmp
> radutmp sradutmp {
> filename = "/var/log/freeradius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loading module "radutmp" from file /etc/freeradius/mods-enabled/
> radutmp
> radutmp {
> filename = "/var/log/freeradius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_passwd
> # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/
> passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> # Loaded module rlm_linelog
> # Loading module "linelog" from file /etc/freeradius/mods-enabled/
> linelog
> linelog {
> filename = "/var/log/freeradius/linelog"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{reply:Packet-Type}:-default}"
> }
> # Loading module "log_accounting" from file /etc/freeradius/mods-enabled/
> linelog
> linelog log_accounting {
> filename = "/var/log/freeradius/linelog-accounting"
> escape_filenames = no
> syslog_severity = "info"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_unpack
> # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack
> # Loaded module rlm_attr_filter
> # Loading module "attr_filter.post-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.pre-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> # Loading module "attr_filter.access_reject" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/freeradius/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.access_challenge" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/freeradius/mods-config/
> attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loading module "attr_filter.accounting_response" from file
> /etc/freeradius/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/freeradius/mods-config/attr_filter/accounting_
> response"
> key = "%{User-Name}"
> relaxed = no
> }
> # Loaded module rlm_replicate
> # Loading module "replicate" from file /etc/freeradius/mods-enabled/
> replicate
> instantiate {
> }
> # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/
> mschap
> rlm_mschap (mschap): using internal authentication
> # Instantiating module "adldap" from file /etc/freeradius/mods-enabled/
> adldap
> rlm_ldap: libldap vendor: OpenLDAP, version: 20442
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> }
> post-auth {
> reference = "."
> }
> rlm_ldap (adldap): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_ldap (adldap): Opening additional connection (0), 1 of 32 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (1), 1 of 31 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (2), 1 of 30 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (3), 1 of 29 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> rlm_ldap (adldap): Opening additional connection (4), 1 of 28 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> # Instantiating module "reject" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "fail" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "ok" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "handled" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "noop" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "updated" from file /etc/freeradius/mods-enabled/
> always
> # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> verify_depth = 0
> ca_path = "/etc/freeradius/certs"
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/server.pem"
> certificate_file = "/etc/freeradius/certs/server.pem"
> ca_file = "/etc/freeradius/certs/ca.pem"
> private_key_password = <<< secret >>>
> dh_file = "/etc/freeradius/certs/dh"
> random_file = "/dev/urandom"
> fragment_size = 1024
> include_length = yes
> auto_chain = yes
> check_crl = no
> check_all_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> skip_if_ocsp_ok = no
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = no
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> tls: Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Instantiating module "logintime" from file
> /etc/freeradius/mods-enabled/logintime
> # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/
> realm
> # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/
> realm
> # Instantiating module "realmpercent" from file
> /etc/freeradius/mods-enabled/realm
> # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/
> realm
> # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/
> detail.log
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file
> /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "pre_proxy_log" from file
> /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "post_proxy_log" from file
> /etc/freeradius/mods-enabled/detail.log
> # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap
> # Instantiating module "ldap" from file /etc/freeradius/mods-enabled/
> ldap
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> }
> post-auth {
> reference = "."
> }
> rlm_ldap (ldap): Initialising connection pool
> pool {
> start = 5
> min = 3
> max = 32
> spare = 10
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 30
> spread = no
> }
> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> # Instantiating module "files" from file /etc/freeradius/mods-enabled/
> files
> reading pairlist file /etc/freeradius/mods-config/files/authorize
> reading pairlist file /etc/freeradius/mods-config/files/accounting
> reading pairlist file /etc/freeradius/mods-config/files/pre-proxy
> # Instantiating module "preprocess" from file
> /etc/freeradius/mods-enabled/preprocess
> reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
> reading pairlist file /etc/freeradius/mods-config/preprocess/hints
> # Instantiating module "cache_eap" from file
> /etc/freeradius/mods-enabled/cache_eap
> rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
> loaded and linked
> # Instantiating module "detail" from file /etc/freeradius/mods-enabled/
> detail
> # Instantiating module "expiration" from file
> /etc/freeradius/mods-enabled/expiration
> # Instantiating module "etc_passwd" from file
> /etc/freeradius/mods-enabled/passwd
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/
> linelog
> # Instantiating module "log_accounting" from file
> /etc/freeradius/mods-enabled/linelog
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/
> attr_filter/access_reject
> [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item
> "FreeRADIUS-Response-Delay-USec" found in filter list for realm
> "DEFAULT".
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/
> attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/freeradius/mods-enabled/attr_filter
> reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_
> response
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/freeradius/radiusd.conf
> } # server
> server inner-tunnel { # from file /etc/freeradius/sites-enabled/
> inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> } # server inner-tunnel
> server default { # from file /etc/freeradius/sites-enabled/default
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipv6addr = ::
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
> Listening on auth address * port 1812 bound to server default
> Listening on acct address * port 1813 bound to server default
> Listening on auth address :: port 1812 bound to server default
> Listening on acct address :: port 1813 bound to server default
> Listening on proxy address * port 37387
> Listening on proxy address :: port 45616
> Ready to process requests
>
>
>
>
>
>
> TRYING TO LOG IN FROM WINDOWS 7
>
>
>
>
>
>
>
>
>
>
>
>
>
> (0) Received Access-Request Id 1 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 189
> (0) User-Name = "bchristopher848"
> (0) NAS-IP-Address = 10.0.150.19
> (0) NAS-Identifier = "802aa849d031"
> (0) NAS-Port = 0
> (0) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (0) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (0) Framed-MTU = 1400
> (0) NAS-Port-Type = Wireless-802.11
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) EAP-Message = 0x0269001401626368726973746f70686572383438
> (0) Message-Authenticator = 0x60dc6e98028e3f9af87c442e20dbd98b
> (0) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /(a)\./) {
> (0) if (&User-Name =~ /(a)\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 105 length 20
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_ttls to process data
> (0) eap_ttls: Initiating new EAP-TLS session
> (0) eap_ttls: Flushing SSL sessions (of #0)
> (0) eap_ttls: [eaptls start] = request
> (0) eap: Sending EAP Request (code 1) ID 106 length 6
> (0) eap: EAP session adding &reply:State = 0xb5449406b52e8100
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) Sent Access-Challenge Id 1 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (0) EAP-Message = 0x016a00061520
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xb5449406b52e81001eb003264d869845
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 2 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (1) User-Name = "bchristopher848"
> (1) NAS-IP-Address = 10.0.150.19
> (1) NAS-Identifier = "802aa849d031"
> (1) NAS-Port = 0
> (1) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (1) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (1) Framed-MTU = 1400
> (1) NAS-Port-Type = Wireless-802.11
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) EAP-Message = 0x026a00060319
> (1) State = 0xb5449406b52e81001eb003264d869845
> (1) Message-Authenticator = 0x9229ace477f82c7e771de427669cfad1
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /(a)\./) {
> (1) if (&User-Name =~ /(a)\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 106 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (1) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap: --> (cn=bchristopher848)
> (1) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
> filter "(cn=bchristopher848)", scope "sub"
> (1) ldap: Waiting for search result...
> (1) ldap: User object found at DN "cn=bchristopher848,cn=
> Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (1) ldap: Processing user attributes
> (1) ldap: control:Password-With-Header += '{ssha}o1fjrtGMqroWxrIgC8G/
> jwK8GK5BxvANe+pK7w=='
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (1) [ldap] = updated
> rlm_ldap (adldap): Reserved connection (0)
> (1) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) adldap: --> (cn=bchristopher848)
> (1) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter
> "(cn=bchristopher848)", scope "sub"
> (1) adldap: Waiting for search result...
> (1) adldap: The specified DN wasn't found
> (1) adldap: Search returned no results
> rlm_ldap (adldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (adldap): Opening additional connection (5), 1 of 27 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> (1) [adldap] = notfound
> (1) [expiration] = noop
> (1) [logintime] = noop
> (1) pap: Converted: &control:Password-With-Header ->
> &control:SSHA1-Password
> (1) pap: Removing &control:Password-With-Header
> (1) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
> bytes
> (1) pap: WARNING: Auth-Type already set. Not setting to PAP
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xb5449406b52e8100
> (1) eap: Finished EAP session with state 0xb5449406b52e8100
> (1) eap: Previous EAP request found for state 0xb5449406b52e8100, released
> from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Found mutually acceptable type PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Initiating new EAP-TLS session
> (1) eap_peap: [eaptls start] = request
> (1) eap: Sending EAP Request (code 1) ID 107 length 6
> (1) eap: EAP session adding &reply:State = 0xb5449406b42f8d00
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found. Ignoring.
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) Sent Access-Challenge Id 2 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (1) EAP-Message = 0x016b00061920
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0xb5449406b42f8d001eb003264d869845
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 3 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 300
> (2) User-Name = "bchristopher848"
> (2) NAS-IP-Address = 10.0.150.19
> (2) NAS-Identifier = "802aa849d031"
> (2) NAS-Port = 0
> (2) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (2) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (2) Framed-MTU = 1400
> (2) NAS-Port-Type = Wireless-802.11
> (2) Connect-Info = "CONNECT 0Mbps 802.11b"
> (2) EAP-Message = 0x026b007119800000006716030100
> 620100005e030159af03804becec9c3cef8903818c79121606d4cc4552b8
> 68a83f76270fc4ef9200001cc014c013003900330035002fc00ac0090038
> 0032000a00130005000401000019000a0006000400170018000b00020100
> 00170000ff01000100
> (2) State = 0xb5449406b42f8d001eb003264d869845
> (2) Message-Authenticator = 0x03f782e6095d0d07dc5d1122f1876d00
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /(a)\./) {
> (2) if (&User-Name =~ /(a)\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 107 length 113
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0xb5449406b42f8d00
> (2) eap: Finished EAP session with state 0xb5449406b42f8d00
> (2) eap: Previous EAP request found for state 0xb5449406b42f8d00, released
> from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 103 bytes
> (2) eap_peap: Got complete TLS record (103 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before/accept initialization
> (2) eap_peap: TLS_accept: before/accept initialization
> (2) eap_peap: <<< recv TLS 1.0 Handshake [length 0062], ClientHello
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0982], Certificate
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: TLS_accept: unknown state
> (2) eap_peap: TLS_accept: Need to read more data: unknown state
> (2) eap_peap: TLS_accept: Need to read more data: unknown state
> (2) eap_peap: In SSL Handshake Phase
> (2) eap_peap: In SSL Accept mode
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 108 length 1004
> (2) eap: EAP session adding &reply:State = 0xb5449406b7288d00
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found. Ignoring.
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) Sent Access-Challenge Id 3 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (2) EAP-Message = 0x016c03ec19c000000b3e16030100
> 5902000055030198325853d6a4ea0a8a0ddc62e8252c55dce33ce836984b
> 265c5d4a2663c775ad20a5464acc7366d8b86f656371288daf4a0e68ce7f
> 820f064ff457b9622cb4e509c01400000dff01000100000b000403000102
> 16030109820b00097e00097b000426
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0xb5449406b7288d001eb003264d869845
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 4 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (3) User-Name = "bchristopher848"
> (3) NAS-IP-Address = 10.0.150.19
> (3) NAS-Identifier = "802aa849d031"
> (3) NAS-Port = 0
> (3) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (3) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (3) Framed-MTU = 1400
> (3) NAS-Port-Type = Wireless-802.11
> (3) Connect-Info = "CONNECT 0Mbps 802.11b"
> (3) EAP-Message = 0x026c00061900
> (3) State = 0xb5449406b7288d001eb003264d869845
> (3) Message-Authenticator = 0xe754c603a90fd754f21a295dadc62814
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /(a)\./) {
> (3) if (&User-Name =~ /(a)\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 108 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0xb5449406b7288d00
> (3) eap: Finished EAP session with state 0xb5449406b7288d00
> (3) eap: Previous EAP request found for state 0xb5449406b7288d00, released
> from the list
> (3) eap: Peer sent packet with method EAP PEAP (25)
> (3) eap: Calling submodule eap_peap to process data
> (3) eap_peap: Continuing EAP-TLS
> (3) eap_peap: Peer ACKed our handshake fragment
> (3) eap_peap: [eaptls verify] = request
> (3) eap_peap: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 109 length 1000
> (3) eap: EAP session adding &reply:State = 0xb5449406b6298d00
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found. Ignoring.
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) Sent Access-Challenge Id 4 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (3) EAP-Message = 0x016d03e81940380fa68fefb0adb1
> 60bf876008cdd25df7f1bb575a26398125bf6a36bcf24e3cf136422c1048
> b034887efbcce1ad27c885f67ae13c739af72b5bbff6b9f7cc41b9b006ed
> dd88d6cf5d54f66bb9884ac2f40853d3af5d741bb79faa72df0324c58d44
> 8bd2c5583caee59c318907018948f4
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0xb5449406b6298d001eb003264d869845
> (3) Finished request
> Waking up in 4.9 seconds.
> (4) Received Access-Request Id 5 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (4) User-Name = "bchristopher848"
> (4) NAS-IP-Address = 10.0.150.19
> (4) NAS-Identifier = "802aa849d031"
> (4) NAS-Port = 0
> (4) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (4) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (4) Framed-MTU = 1400
> (4) NAS-Port-Type = Wireless-802.11
> (4) Connect-Info = "CONNECT 0Mbps 802.11b"
> (4) EAP-Message = 0x026d00061900
> (4) State = 0xb5449406b6298d001eb003264d869845
> (4) Message-Authenticator = 0x1308f82dd9c153d060e2d3f92f0e47c9
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /(a)\./) {
> (4) if (&User-Name =~ /(a)\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 109 length 6
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0xb5449406b6298d00
> (4) eap: Finished EAP session with state 0xb5449406b6298d00
> (4) eap: Previous EAP request found for state 0xb5449406b6298d00, released
> from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer ACKed our handshake fragment
> (4) eap_peap: [eaptls verify] = request
> (4) eap_peap: [eaptls process] = handled
> (4) eap: Sending EAP Request (code 1) ID 110 length 896
> (4) eap: EAP session adding &reply:State = 0xb5449406b12a8d00
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found. Ignoring.
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) Sent Access-Challenge Id 5 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (4) EAP-Message = 0x016e038019003081b5310b300906
> 0355040613024d543111300f06035504080c0849722d5261626174311230
> 1006035504070c0954616c2d566972747531223020060355040a0c195468
> 652041726368626973686f70732053656d696e6172792e3128302606092a
> 864886f70d0109011619746563686e
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0xb5449406b12a8d001eb003264d869845
> (4) Finished request
> Waking up in 4.9 seconds.
> (5) Received Access-Request Id 6 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 331
> (5) User-Name = "bchristopher848"
> (5) NAS-IP-Address = 10.0.150.19
> (5) NAS-Identifier = "802aa849d031"
> (5) NAS-Port = 0
> (5) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (5) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (5) Framed-MTU = 1400
> (5) NAS-Port-Type = Wireless-802.11
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) EAP-Message = 0x026e009019800000008616030100
> 46100000424104f8835ccc6647e01b6ec2e669280021622082e4c4d31a30
> ed462cac3b447792cb9763fb1c6f5547b7650c9216b8a36641f100200f17
> d1246ba46fc9eb9cef2cbf140301000101160301003036330cfdd1b9bd52
> 1432d38a6be17cb4205d318a83802a
> (5) State = 0xb5449406b12a8d001eb003264d869845
> (5) Message-Authenticator = 0x7e43591038f26410ddbfc952608bf3e1
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /(a)\./) {
> (5) if (&User-Name =~ /(a)\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 110 length 144
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0xb5449406b12a8d00
> (5) eap: Finished EAP session with state 0xb5449406b12a8d00
> (5) eap: Previous EAP request found for state 0xb5449406b12a8d00, released
> from the list
> (5) eap: Peer sent packet with method EAP PEAP (25)
> (5) eap: Calling submodule eap_peap to process data
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
> (5) eap_peap: Got complete TLS record (134 bytes)
> (5) eap_peap: [eaptls verify] = length included
> (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: TLS_accept: unknown state
> (5) eap_peap: (other): SSL negotiation finished successfully
> (5) eap_peap: SSL Connection Established
> (5) eap_peap: [eaptls process] = handled
> (5) eap: Sending EAP Request (code 1) ID 111 length 65
> (5) eap: EAP session adding &reply:State = 0xb5449406b02b8d00
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found. Ignoring.
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) Sent Access-Challenge Id 6 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (5) EAP-Message = 0x016f004119001403010001011603
> 01003094086787833117af433bc1c929281ae2f5f7cd6692f7cc59d0a0bf
> 65c818294d2b79cc16f11ac9f86e10a67a7fdb1a6b
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0xb5449406b02b8d001eb003264d869845
> (5) Finished request
> Waking up in 4.9 seconds.
> (6) Received Access-Request Id 7 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 193
> (6) User-Name = "bchristopher848"
> (6) NAS-IP-Address = 10.0.150.19
> (6) NAS-Identifier = "802aa849d031"
> (6) NAS-Port = 0
> (6) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (6) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (6) Framed-MTU = 1400
> (6) NAS-Port-Type = Wireless-802.11
> (6) Connect-Info = "CONNECT 0Mbps 802.11b"
> (6) EAP-Message = 0x026f00061900
> (6) State = 0xb5449406b02b8d001eb003264d869845
> (6) Message-Authenticator = 0x89f89025177c0801e5cd47b689bb35ec
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /(a)\./) {
> (6) if (&User-Name =~ /(a)\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 111 length 6
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0xb5449406b02b8d00
> (6) eap: Finished EAP session with state 0xb5449406b02b8d00
> (6) eap: Previous EAP request found for state 0xb5449406b02b8d00, released
> from the list
> (6) eap: Peer sent packet with method EAP PEAP (25)
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: Continuing EAP-TLS
> (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
> (6) eap_peap: [eaptls verify] = success
> (6) eap_peap: [eaptls process] = success
> (6) eap_peap: Session established. Decoding tunneled attributes
> (6) eap_peap: PEAP state TUNNEL ESTABLISHED
> (6) eap: Sending EAP Request (code 1) ID 112 length 43
> (6) eap: EAP session adding &reply:State = 0xb5449406b3348d00
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found. Ignoring.
> (6) # Executing group from file /etc/freeradius/sites-enabled/default
> (6) Sent Access-Challenge Id 7 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (6) EAP-Message = 0x0170002b1900170301002091eabc
> 824030fa0d118d08413389ff5a78d63a9561aa4704edb36913865e9641
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0xb5449406b3348d001eb003264d869845
> (6) Finished request
> Waking up in 2.6 seconds.
> (7) Received Access-Request Id 8 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 246
> (7) User-Name = "bchristopher848"
> (7) NAS-IP-Address = 10.0.150.19
> (7) NAS-Identifier = "802aa849d031"
> (7) NAS-Port = 0
> (7) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (7) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (7) Framed-MTU = 1400
> (7) NAS-Port-Type = Wireless-802.11
> (7) Connect-Info = "CONNECT 0Mbps 802.11b"
> (7) EAP-Message = 0x0270003b19001703010030c8fbf0
> 015e3e5a875a826ccd41cd45b083183d0fbf452e6e4ccdc2b10c2d758557
> f2bf2ba865abb148620ece26115524
> (7) State = 0xb5449406b3348d001eb003264d869845
> (7) Message-Authenticator = 0x0ec21e66dd7cd4e0a4858c79afabd736
> (7) session-state: No cached attributes
> (7) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 112 length 59
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0xb5449406b3348d00
> (7) eap: Finished EAP session with state 0xb5449406b3348d00
> (7) eap: Previous EAP request found for state 0xb5449406b3348d00, released
> from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established. Decoding tunneled attributes
> (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (7) eap_peap: Identity - bchristopher848
> (7) eap_peap: Got inner identity 'bchristopher848'
> (7) eap_peap: Setting default EAP type for tunneled EAP session
> (7) eap_peap: Got tunneled request
> (7) eap_peap: EAP-Message = 0x0270001401626368726973746f70686572383438
> (7) eap_peap: Setting User-Name to bchristopher848
> (7) eap_peap: Sending tunneled request to inner-tunnel
> (7) eap_peap: EAP-Message = 0x0270001401626368726973746f70686572383438
> (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_peap: User-Name = "bchristopher848"
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message = 0x0270001401626368726973746f70686572383438
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = "bchristopher848"
> (7) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (7) server inner-tunnel {
> (7) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /(a)\./) {
> (7) if (&User-Name =~ /(a)\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 112 length 20
> (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/sites-enabled/
> inner-tunnel
> (7) authenticate {
> (7) eap: Peer sent packet with method EAP Identity (1)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: Issuing Challenge
> (7) eap: Sending EAP Request (code 1) ID 113 length 43
> (7) eap: EAP session adding &reply:State = 0x38f91b6e38880129
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) EAP-Message = 0x0171002b1a01710026100f1b0f77
> 8f0e5ff10d130bcde3f0a1f0667265657261646975732d332e302e3135
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x38f91b6e38880129b3a6b459c0f91610
> (7) eap_peap: Got tunneled reply code 11
> (7) eap_peap: EAP-Message = 0x0171002b1a01710026100f1b0f77
> 8f0e5ff10d130bcde3f0a1f0667265657261646975732d332e302e3135
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x38f91b6e38880129b3a6b459c0f91610
> (7) eap_peap: Got tunneled reply RADIUS code 11
> (7) eap_peap: EAP-Message = 0x0171002b1a01710026100f1b0f77
> 8f0e5ff10d130bcde3f0a1f0667265657261646975732d332e302e3135
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x38f91b6e38880129b3a6b459c0f91610
> (7) eap_peap: Got tunneled Access-Challenge
> (7) eap: Sending EAP Request (code 1) ID 113 length 75
> (7) eap: EAP session adding &reply:State = 0xb5449406b2358d00
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) Post-Auth-Type sub-section not found. Ignoring.
> (7) # Executing group from file /etc/freeradius/sites-enabled/default
> (7) Sent Access-Challenge Id 8 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (7) EAP-Message = 0x0171004b190017030100403a39fb
> 1bbb95a5bdae36dec7bbaf48cd6d67436cc6fa144c66482d9a55dee6efc1
> 22c2ae145e37423201a0becee44924132e0e197859e4e437513ae27427e3a6
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xb5449406b2358d001eb003264d869845
> (7) Finished request
> Waking up in 2.6 seconds.
> (8) Received Access-Request Id 9 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 294
> (8) User-Name = "bchristopher848"
> (8) NAS-IP-Address = 10.0.150.19
> (8) NAS-Identifier = "802aa849d031"
> (8) NAS-Port = 0
> (8) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (8) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (8) Framed-MTU = 1400
> (8) NAS-Port-Type = Wireless-802.11
> (8) Connect-Info = "CONNECT 0Mbps 802.11b"
> (8) EAP-Message = 0x0271006b19001703010060dc68da
> 606888205a8249468c13811c37cc426f2ad4ed4ed80b369f946ab0e0029d
> 069f9b903b244d4822ebf72b429433c990dcfef3af28b8871c7653e7c286
> d1c4ad435ad1812458eaec44dc637bf173969928be0946944de2762170de365dc0
> (8) State = 0xb5449406b2358d001eb003264d869845
> (8) Message-Authenticator = 0xf489ba028df4298dc612460d97cc98ee
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 113 length 107
> (8) eap: Continuing tunnel setup
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/sites-enabled/default
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0x38f91b6e38880129
> (8) eap: Finished EAP session with state 0xb5449406b2358d00
> (8) eap: Previous EAP request found for state 0xb5449406b2358d00, released
> from the list
> (8) eap: Peer sent packet with method EAP PEAP (25)
> (8) eap: Calling submodule eap_peap to process data
> (8) eap_peap: Continuing EAP-TLS
> (8) eap_peap: [eaptls verify] = ok
> (8) eap_peap: Done initial handshake
> (8) eap_peap: [eaptls process] = ok
> (8) eap_peap: Session established. Decoding tunneled attributes
> (8) eap_peap: PEAP state phase2
> (8) eap_peap: EAP method MSCHAPv2 (26)
> (8) eap_peap: Got tunneled request
> (8) eap_peap: EAP-Message = 0x0271004a1a027100453136aadef2
> a35125429a547478d2433260000000000000000026bd920d94eca847c70d
> 9775f4afe71538b455e9932097c600626368726973746f70686572383438
> (8) eap_peap: Setting User-Name to bchristopher848
> (8) eap_peap: Sending tunneled request to inner-tunnel
> (8) eap_peap: EAP-Message = 0x0271004a1a027100453136aadef2
> a35125429a547478d2433260000000000000000026bd920d94eca847c70d
> 9775f4afe71538b455e9932097c600626368726973746f70686572383438
> (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_peap: User-Name = "bchristopher848"
> (8) eap_peap: State = 0x38f91b6e38880129b3a6b459c0f91610
> (8) Virtual server inner-tunnel received request
> (8) EAP-Message = 0x0271004a1a027100453136aadef2
> a35125429a547478d2433260000000000000000026bd920d94eca847c70d
> 9775f4afe71538b455e9932097c600626368726973746f70686572383438
> (8) FreeRADIUS-Proxied-To = 127.0.0.1
> (8) User-Name = "bchristopher848"
> (8) State = 0x38f91b6e38880129b3a6b459c0f91610
> (8) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (8) server inner-tunnel {
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /(a)\./) {
> (8) if (&User-Name =~ /(a)\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) &Proxy-To-Realm := LOCAL
> (8) } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 113 length 74
> (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> rlm_ldap (ldap): Reserved connection (1)
> (8) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap: --> (cn=bchristopher848)
> (8) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
> filter "(cn=bchristopher848)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: User object found at DN "cn=bchristopher848,cn=
> Seminarians,ou=SeminaryOU,dc=seminary,dc=local"
> (8) ldap: Processing user attributes
> (8) ldap: control:Password-With-Header += '{ssha}o1fjrtGMqroWxrIgC8G/
> jwK8GK5BxvANe+pK7w=='
> rlm_ldap (ldap): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://localhost:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (8) [ldap] = updated
> rlm_ldap (adldap): Reserved connection (1)
> (8) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) adldap: --> (cn=bchristopher848)
> (8) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter
> "(cn=bchristopher848)", scope "sub"
> (8) adldap: Waiting for search result...
> (8) adldap: The specified DN wasn't found
> (8) adldap: Search returned no results
> rlm_ldap (adldap): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_ldap (adldap): Opening additional connection (6), 1 of 26 pending
> slots used
> rlm_ldap (adldap): Connecting to ldap://localhost:389
> rlm_ldap (adldap): Waiting for bind result...
> rlm_ldap (adldap): Bind successful
> (8) [adldap] = notfound
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) pap: Converted: &control:Password-With-Header ->
> &control:SSHA1-Password
> (8) pap: Removing &control:Password-With-Header
> (8) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28
> bytes
> (8) pap: WARNING: Auth-Type already set. Not setting to PAP
> (8) [pap] = noop
> (8) } # authorize = updated
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/sites-enabled/
> inner-tunnel
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0x38f91b6e38880129
> (8) eap: Finished EAP session with state 0x38f91b6e38880129
> (8) eap: Previous EAP request found for state 0x38f91b6e38880129, released
> from the list
> (8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (8) eap: Calling submodule eap_mschapv2 to process data
> (8) eap_mschapv2: # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) eap_mschapv2: Auth-Type MS-CHAP {
> (8) mschap: WARNING: No Cleartext-Password configured. Cannot create
> NT-Password
> (8) mschap: WARNING: No Cleartext-Password configured. Cannot create
> LM-Password
> (8) mschap: Creating challenge hash with username: bchristopher848
> (8) mschap: Client is using MS-CHAPv2
> (8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
> authentication
> (8) mschap: ERROR: MS-CHAP2-Response is incorrect
> (8) [mschap] = reject
> (8) } # Auth-Type MS-CHAP = reject
> (8) eap: Sending EAP Failure (code 4) ID 113 length 4
> (8) eap: Freeing handler
> (8) [eap] = reject
> (8) } # authenticate = reject
> (8) Failed to authenticate the user
> (8) Using Post-Auth-Type Reject
> (8) # Executing group from file /etc/freeradius/sites-enabled/
> inner-tunnel
> (8) Post-Auth-Type REJECT {
> (8) attr_filter.access_reject: EXPAND %{User-Name}
> (8) attr_filter.access_reject: --> bchristopher848
> (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (8) [attr_filter.access_reject] = updated
> (8) update outer.session-state {
> (8) &Module-Failure-Message := &request:Module-Failure-Message ->
> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
> (8) } # update outer.session-state = noop
> (8) } # Post-Auth-Type REJECT = updated
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8) MS-CHAP-Error = "qE=691 R=1 C=523d66a28c934a7937a449415ae8f8ad V=3
> M=Authentication failed"
> (8) EAP-Message = 0x04710004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply code 3
> (8) eap_peap: MS-CHAP-Error = "qE=691 R=1 C=
> 523d66a28c934a7937a449415ae8f8ad V=3 M=Authentication failed"
> (8) eap_peap: EAP-Message = 0x04710004
> (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply RADIUS code 3
> (8) eap_peap: MS-CHAP-Error = "qE=691 R=1 C=
> 523d66a28c934a7937a449415ae8f8ad V=3 M=Authentication failed"
> (8) eap_peap: EAP-Message = 0x04710004
> (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Tunneled authentication was rejected
> (8) eap_peap: FAILURE
> (8) eap: Sending EAP Request (code 1) ID 114 length 43
> (8) eap: EAP session adding &reply:State = 0xb5449406bd368d00
> (8) [eap] = handled
> (8) } # authenticate = handled
> (8) Using Post-Auth-Type Challenge
> (8) Post-Auth-Type sub-section not found. Ignoring.
> (8) # Executing group from file /etc/freeradius/sites-enabled/default
> (8) session-state: Saving cached attributes
> (8) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.
> Cannot perform authentication"
> (8) Sent Access-Challenge Id 9 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 0
> (8) EAP-Message = 0x0172002b190017030100207447ef
> 7e889f505a2467ece5e23e6132aabd5ae2a2b62f44232ce0581e567dc8
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) State = 0xb5449406bd368d001eb003264d869845
> (8) Finished request
> Waking up in 2.6 seconds.
> (9) Received Access-Request Id 10 from 192.168.100.113:34296 to
> 192.168.100.201:1812 length 230
> (9) User-Name = "bchristopher848"
> (9) NAS-IP-Address = 10.0.150.19
> (9) NAS-Identifier = "802aa849d031"
> (9) NAS-Port = 0
> (9) Called-Station-Id = "80-2A-A8-4A-D0-31:SeminaryWiFi"
> (9) Calling-Station-Id = "00-22-FB-6E-1D-C8"
> (9) Framed-MTU = 1400
> (9) NAS-Port-Type = Wireless-802.11
> (9) Connect-Info = "CONNECT 0Mbps 802.11b"
> (9) EAP-Message = 0x0272002b19001703010020c6855d
> 5f0630c6486963b3a872b1ce4479a9d9748bb1a8d28a488183707339de
> (9) State = 0xb5449406bd368d001eb003264d869845
> (9) Message-Authenticator = 0xe32f0f6506920ee010991cab23cdc592
> (9) Restoring &session-state
> (9) &session-state:Module-Failure-Message := "mschap: FAILED: No
> NT/LM-Password. Cannot perform authentication"
> (9) # Executing section authorize from file /etc/freeradius/sites-enabled/
> default
> (9) authorize {
> (9) policy filter_username {
> (9) if (&User-Name) {
> (9) if (&User-Name) -> TRUE
> (9) if (&User-Name) {
> (9) if (&User-Name =~ /@[^@]*@/ ) {
> (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (9) if (&User-Name =~ /\.\./ ) {
> (9) if (&User-Name =~ /\.\./ ) -> FALSE
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
> -> FALSE
> (9) if (&User-Name =~ /\.$/) {
> (9) if (&User-Name =~ /\.$/) -> FALSE
> (9) if (&User-Name =~ /(a)\./) {
> (9) if (&User-Name =~ /(a)\./) -> FALSE
> (9) } # if (&User-Name) = notfound
> (9) } # policy filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "bchristopher848", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9) [suffix] = noop
> (9) eap: Peer sent EAP Response (code 2) ID 114 length 43
> (9) eap: Continuing tunnel setup
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = eap
> (9) # Executing group from file /etc/freeradius/sites-enabled/default
> (9) authenticate {
> (9) eap: Expiring EAP session with state 0xb5449406bd368d00
> (9) eap: Finished EAP session with state 0xb5449406bd368d00
> (9) eap: Previous EAP request found for state 0xb5449406bd368d00, released
> from the list
> (9) eap: Peer sent packet with method EAP PEAP (25)
> (9) eap: Calling submodule eap_peap to process data
> (9) eap_peap: Continuing EAP-TLS
> (9) eap_peap: [eaptls verify] = ok
> (9) eap_peap: Done initial handshake
> (9) eap_peap: [eaptls process] = ok
> (9) eap_peap: Session established. Decoding tunneled attributes
> (9) eap_peap: PEAP state send tlv failure
> (9) eap_peap: Received EAP-TLV response
> (9) eap_peap: ERROR: The users session was previously rejected:
> returning reject (again.)
> (9) eap_peap: This means you need to read the PREVIOUS messages in the
> debug output
> (9) eap_peap: to find out the reason why the user was rejected
> (9) eap_peap: Look for "reject" or "fail". Those earlier messages will
> tell you
> (9) eap_peap: what went wrong, and how to fix the problem
> (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
> failed
> (9) eap: Sending EAP Failure (code 4) ID 114 length 4
> (9) eap: Failed in EAP select
> (9) [eap] = invalid
> (9) } # authenticate = invalid
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/freeradius/sites-enabled/default
> (9) Post-Auth-Type REJECT {
> (9) attr_filter.access_reject: EXPAND %{User-Name}
> (9) attr_filter.access_reject: --> bchristopher848
> (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (9) [attr_filter.access_reject] = updated
> (9) [eap] = noop
> (9) policy remove_reply_message_if_eap {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (9) else {
> (9) [noop] = noop
> (9) } # else = noop
> (9) } # policy remove_reply_message_if_eap = noop
> (9) } # Post-Auth-Type REJECT = updated
> (9) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (9) Sending delayed response
> (9) Sent Access-Reject Id 10 from 192.168.100.201:1812 to
> 192.168.100.113:34296 length 44
> (9) EAP-Message = 0x04720004
> (9) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.6 seconds.
> (0) Cleaning up request packet ID 1 with timestamp +30
> (1) Cleaning up request packet ID 2 with timestamp +30
> (2) Cleaning up request packet ID 3 with timestamp +30
> (3) Cleaning up request packet ID 4 with timestamp +30
> (4) Cleaning up request packet ID 5 with timestamp +30
> (5) Cleaning up request packet ID 6 with timestamp +30
> Waking up in 2.2 seconds.
> (6) Cleaning up request packet ID 7 with timestamp +32
> (7) Cleaning up request packet ID 8 with timestamp +32
> (8) Cleaning up request packet ID 9 with timestamp +32
> (9) Cleaning up request packet ID 10 with timestamp +32
> Ready to process requests
> (10) Received Accounting-Request Id 1 from 192.168.100.115:52712 to
> 192.168.100.201:1813 length 90
> (10) Acct-Status-Type = Accounting-Off
> (10) Acct-Authentic = RADIUS
> (10) NAS-IP-Address = 10.0.148.205
> (10) NAS-Identifier = "802aa849cbcc"
> (10) Called-Station-Id = "80-2A-A8-4A-CB-CC:SeminaryWiFi"
> (10) Acct-Terminate-Cause = NAS-Reboot
> (10) # Executing section preacct from file /etc/freeradius/sites-enabled/
> default
> (10) preacct {
> (10) [preprocess] = ok
> (10) policy acct_unique {
> (10) update request {
> (10) &Tmp-String-9 := "ai:"
> (10) } # update request = noop
> (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
> (10) EXPAND %{hex:&Class}
> (10) -->
> (10) EXPAND ^%{hex:&Tmp-String-9}
> (10) --> ^61693a
> (10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
> (10) else {
> (10) update request {
> (10) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-
> Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
> (10) --> 3fbd256e7d3667dda249cdebb204aa6c
> (10) &Acct-Unique-Session-Id := 3fbd256e7d3667dda249cdebb204aa6c
> (10) } # update request = noop
> (10) } # else = noop
> (10) } # policy acct_unique = noop
> (10) [suffix] = noop
> (10) [files] = noop
> (10) } # preacct = ok
> (10) # Executing section accounting from file
> /etc/freeradius/sites-enabled/default
> (10) accounting {
> (10) detail: EXPAND /var/log/freeradius/radacct/%{
> %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> (10) detail: --> /var/log/freeradius/radacct/19
> 2.168.100.115/detail-20170905
> (10) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to
> /var/log/freeradius/radacct/192.168.100.115/detail-20170905
> (10) detail: EXPAND %t
> (10) detail: --> Tue Sep 5 22:05:39 2017
> (10) [detail] = ok
> (10) [unix] = noop
> (10) [exec] = noop
> (10) attr_filter.accounting_response: EXPAND %{User-Name}
> (10) attr_filter.accounting_response: -->
> (10) [attr_filter.accounting_response] = noop
> (10) } # accounting = ok
> (10) Sent Accounting-Response Id 1 from 192.168.100.201:1813 to
> 192.168.100.115:52712 length 0
> (10) Finished request
> (10) Cleaning up request packet ID 1 with timestamp +44
> Ready to process requests
> (11) Received Accounting-Request Id 1 from 192.168.100.115:41826 to
> 192.168.100.201:1813 length 90
> (11) Acct-Status-Type = Accounting-Off
> (11) Acct-Authentic = RADIUS
> (11) NAS-IP-Address = 10.0.148.205
> (11) NAS-Identifier = "802aa849cbcc"
> (11) Called-Station-Id = "82-2A-A8-4B-CB-CC:SeminaryWiFi"
> (11) Acct-Terminate-Cause = NAS-Reboot
> (11) # Executing section preacct from file /etc/freeradius/sites-enabled/
> default
> (11) preacct {
> (11) [preprocess] = ok
> (11) policy acct_unique {
> (11) update request {
> (11) &Tmp-String-9 := "ai:"
> (11) } # update request = noop
> (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
> (11) EXPAND %{hex:&Class}
> (11) -->
> (11) EXPAND ^%{hex:&Tmp-String-9}
> (11) --> ^61693a
> (11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
> ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
> (11) else {
> (11) update request {
> (11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-
> Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
> (11) --> 3fbd256e7d3667dda249cdebb204aa6c
> (11) &Acct-Unique-Session-Id := 3fbd256e7d3667dda249cdebb204aa6c
> (11) } # update request = noop
> (11) } # else = noop
> (11) } # policy acct_unique = noop
> (11) [suffix] = noop
> (11) [files] = noop
> (11) } # preacct = ok
> (11) # Executing section accounting from file
> /etc/freeradius/sites-enabled/default
> (11) accounting {
> (11) detail: EXPAND /var/log/freeradius/radacct/%{
> %{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
> (11) detail: --> /var/log/freeradius/radacct/19
> 2.168.100.115/detail-20170905
> (11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to
> /var/log/freeradius/radacct/192.168.100.115/detail-20170905
> (11) detail: EXPAND %t
> (11) detail: --> Tue Sep 5 22:05:40 2017
> (11) [detail] = ok
> (11) [unix] = noop
> (11) [exec] = noop
> (11) attr_filter.accounting_response: EXPAND %{User-Name}
> (11) attr_filter.accounting_response: -->
> (11) [attr_filter.accounting_response] = noop
> (11) } # accounting = ok
> (11) Sent Accounting-Response Id 1 from 192.168.100.201:1813 to
> 192.168.100.115:41826 length 0
> (11) Finished request
> (11) Cleaning up request packet ID 1 with timestamp +45
> Ready to process requests
>
>
>
>
>
> Matthew Pulis
> mobile / WhatsApp: +356 79539404 <+356%207953%209404>
>
>
>
2
3