Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 13 participants
- 27047 discussions
Hi,
When i use radmin ... -e 'hup main.log', linelog (log_request, log_control
& log_reply) will not write information into main.log. Why ?
Before calling radmin (main.log):
Mon Oct 17 10:13:15 2016 : Info: REQUEST(stefan.kudacek(a)orangenet.sk):
User-Name = "stefan.kudacek(a)orangenet.sk", User-Password = "???",
Service-Type = Framed-User, Framed-Protocol = PPP, NAS-Identifier =
"N-101-BA-BAS-10", NAS-Port = 83951616, NAS-Real-Port = 1358957324,
NAS-Port-Type = Virtual, NAS-Port-Id = "5/1 vlan-id 2828 pppoe 13058",
Medium-Type = DSL, Mac-Addr = "e8-94-f6-c3-ea-70", Platform-Type = 6,
OS-Version = "12.1.1.10p1", Agent-Circuit-Id =
0x4d4154555f433532382d323223313132353539303236232061746d20322f35343a312e3332,
ADSL-Agent-Circuit-Id =
0x4d4154555f433532382d323223313132353539303236232061746d20322f35343a312e3332,
Event-Timestamp = "Oct 17 2016 10:13:15 CEST", NAS-IP-Address =
213.151.237.216, Huntgroup-Name = "BRAS"
Mon Oct 17 10:13:15 2016 : Info REPLY(stefan.kudacek(a)orangenet.sk):
Framed-Protocol = PPP, Context-Name = "INET", Qos-Policing-Profile-Name =
"in1024K", Qos-Policy-Queuing = "pwfq8192K", Subscriber-Profile-Name =
"IPv6_SUBS", Service-Type = Framed-User, Class = 0x30333133393232333937,
Bind-Int-Interface-Name = "Virtual-Template6", Qos-Metering-Profile-Name =
"down8192K"
Mon Oct 17 10:13:15 2016 : Auth: (0) Login OK: [
stefan.kudacek(a)orangenet.sk/???] (from client BRAS1(Massmarket) port
83951616)
After calling radmin (main.log):
Mon Oct 17 10:17:35 2016 : Auth: (10) Login OK: [
stefan.kudacek(a)orangenet.sk/???] (from client BRAS1(Massmarket) port
83941716)
Debug output:
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : no
regex-posix : yes
regex-posix-extended : yes
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : yes
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 0.9.8b release
Endianness:
little
Compilation flags:
cppflags :
cflags : -I/home/radiusd/freeradius-server-3.0.11
-I/home/radiusd/freeradius-server-3.0.11/src -include
/home/radiusd/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h
-include
/home/radiusd/freeradius-server-3.0.11/src/freeradius-devel/build.h
-include
/home/radiusd/freeradius-server-3.0.11/src/freeradius-devel/features.h
-include
/home/radiusd/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h
-fno-strict-aliasing -g3 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wshadow -Wpointer-arith
-Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W
-Wredundant-decls -Wundef -Wformat-y2k -Wno-format-extra-args
-Wno-format-zero-length -Wno-cast-align -Wformat-nonliteral
-Wformat-security -Wformat=2 -DWITH_VERIFY_PTR=1 -DIS_MODULE=1
ldflags :
libs : -lcrypto -lssl -ltalloc -lnsl -lresolv -ldl -lpthread
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file
/app/radius/freeradius-3.0.11/share/freeradius/dictionary
including dictionary file
/app/radius/freeradius-3.0.11/share/freeradius/dictionary.dhcp
including dictionary file
/app/radius/freeradius-3.0.11/share/freeradius/dictionary.vqp
including dictionary file /app/radius/conf/dsl-massmarket/dictionary
including configuration file /app/radius/conf/dsl-massmarket/radiusd.conf
including configuration file /app/radius/conf/dsl-massmarket/templates.conf
including configuration file /app/radius/conf/dsl-massmarket/clients.conf
including files in directory /app/radius/conf/dsl-massmarket/mods-enabled/
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/unpack
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/files
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/expr
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/preprocess
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/chap
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/always
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/perl
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/realm
including configuration file
/app/radius/conf/dsl-massmarket/mods-enabled/pap
including files in directory /app/radius/conf/dsl-massmarket/policy-enabled/
including configuration file
/app/radius/conf/dsl-massmarket/policy-enabled/bras
including configuration file
/app/radius/conf/dsl-massmarket/policy-enabled/accounting
including configuration file
/app/radius/conf/dsl-massmarket/policy-enabled/huntgroup
including configuration file
/app/radius/conf/dsl-massmarket/policy-enabled/lns
including configuration file
/app/radius/conf/dsl-massmarket/policy-enabled/username
including configuration file
/app/radius/conf/dsl-massmarket/policy-enabled/nas
including files in directory /app/radius/conf/dsl-massmarket/sites-enabled/
including configuration file
/app/radius/conf/dsl-massmarket/sites-enabled/control-socket
including configuration file
/app/radius/conf/dsl-massmarket/sites-enabled/default
main {
name = "dsl-massmarket"
prefix = "/app/radius/freeradius-v3"
localstatedir = "/app_log/radius/dsl-massmarket/"
sbindir = "/app/radius/freeradius-v3/sbin"
logdir = "/app_log/radius/dsl-massmarket/"
run_dir = "/app_log/radius/dsl-massmarket/"
libdir = "/app/radius/freeradius-v3/lib"
radacctdir = "/app_log/radius/dsl-massmarket//radacct"
panic_action = "gdb -silent -x
/app/radius/conf/dsl-massmarket/panic.gdb %e %p 2>&1 | tee
/app_log/radius/dsl-massmarket//gdb-dsl-massmarket-%p.log"
hostname_lookups = no
max_request_time = 5
cleanup_delay = 2
max_requests = 25600
pidfile = "/app_log/radius/dsl-massmarket//radius.pid"
checkrad = "/app/radius/freeradius-v3/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = yes
allow_vulnerable_openssl = "yes"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client BRAS1(Massmarket) {
ipv4addr =
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client BRAS2(Massmarket) {
ipv4addr =
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client BRAS3(Massmarket) {
ipv4addr =
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client BRAS1(B2B) {
ipv4addr =
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client BRAS2(B2B) {
ipv4addr =
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_unpack
# Loading module "unpack" from file
/app/radius/conf/dsl-massmarket/mods-enabled/unpack
# Loaded module rlm_files
# Loading module "files" from file
/app/radius/conf/dsl-massmarket/mods-enabled/files
files {
filename =
"/app/radius/conf/dsl-massmarket/mods-config/files/authorize"
usersfile =
"/app/radius/conf/dsl-massmarket/mods-config/files/authorize"
acctusersfile =
"/app/radius/conf/dsl-massmarket/mods-config/files/accounting"
preproxy_usersfile =
"/app/radius/conf/dsl-massmarket/mods-config/files/pre-proxy"
}
# Loaded module rlm_expr
# Loading module "expr" from file
/app/radius/conf/dsl-massmarket/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/app/radius/conf/dsl-massmarket/mods-enabled/preprocess
preprocess {
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_chap
# Loading module "chap" from file
/app/radius/conf/dsl-massmarket/mods-enabled/chap
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename =
"/app/radius/conf/dsl-massmarket/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename =
"/app/radius/conf/dsl-massmarket/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/app/radius/conf/dsl-massmarket/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/app/radius/conf/dsl-massmarket/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/app/radius/conf/dsl-massmarket/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_always
# Loading module "reject" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_linelog
# Loading module "log_request" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
linelog log_request {
filename = "/app_log/radius/dsl-massmarket/log.gen"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "%t : Info: REQUEST(%{User-Name}): %{pairs:request:}"
}
# Loading module "log_control" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
linelog log_control {
filename = "/app_log/radius/dsl-massmarket/log.gen"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "%t : Info: CONTROL(%{User-Name}): %{pairs:control:}"
}
# Loading module "log_proxy_request" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
linelog log_proxy_request {
filename = "/app_log/radius/dsl-massmarket/log.gen"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "%t : Info: PROXY-REQUEST(%{User-Name}):
%{pairs:proxy-request:}"
}
# Loading module "log_reply" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
linelog log_reply {
filename = "/app_log/radius/dsl-massmarket/log.gen"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "%t : Info REPLY(%{User-Name}): %{pairs:reply:}"
}
# Loading module "log_proxy_reply" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
linelog log_proxy_reply {
filename = "/app_log/radius/dsl-massmarket/log.gen"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "%t : Info PROXY-REPLY(%{User-Name}):
Packet-Type=%{proxy-reply:Packet-Type} %{pairs:proxy-reply:}"
}
# Loaded module rlm_perl
# Loading module "perl" from file
/app/radius/conf/dsl-massmarket/mods-enabled/perl
perl {
filename = "/app/radius/conf/dsl-massmarket/mods-config/perl/radius.pm
"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_post_auth = "post_auth"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
# Loaded module rlm_realm
# Loading module "suffix" from file
/app/radius/conf/dsl-massmarket/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_pap
# Loading module "pap" from file
/app/radius/conf/dsl-massmarket/mods-enabled/pap
pap {
normalise = yes
}
instantiate {
# Instantiating module "perl" from file
/app/radius/conf/dsl-massmarket/mods-enabled/perl
config {
logdir = /app_log/radius/dsl-massmarket/
confdir = /app/radius/conf/dsl-massmarket/
name = dsl-massmarket
}
rlm_perl: Special Loading groups ...
rlm_perl: Special Info: Cannot stat cache file: No such file or directory
}
# Instantiating module "files" from file
/app/radius/conf/dsl-massmarket/mods-enabled/files
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/files/authorize
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/files/authorize
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/files/accounting
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file
/app/radius/conf/dsl-massmarket/mods-enabled/preprocess
# Instantiating module "attr_filter.post-proxy" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/app/radius/conf/dsl-massmarket/mods-enabled/attr_filter
reading pairlist file
/app/radius/conf/dsl-massmarket/mods-config/attr_filter/accounting_response
# Instantiating module "reject" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "fail" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "ok" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "handled" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "invalid" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "userlock" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "notfound" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "noop" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "updated" from file
/app/radius/conf/dsl-massmarket/mods-enabled/always
# Instantiating module "log_request" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
# Instantiating module "log_control" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
# Instantiating module "log_proxy_request" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
# Instantiating module "log_reply" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
# Instantiating module "log_proxy_reply" from file
/app/radius/conf/dsl-massmarket/mods-enabled/linelog
# Instantiating module "suffix" from file
/app/radius/conf/dsl-massmarket/mods-enabled/realm
# Instantiating module "pap" from file
/app/radius/conf/dsl-massmarket/mods-enabled/pap
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /app/radius/conf/dsl-massmarket/radiusd.conf
} # server
server default { # from file
/app/radius/conf/dsl-massmarket/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/app/radius/conf/dsl-massmarket/control.socket"
mode = "rw"
peercred = yes
}
}
listen {
type = "auth"
ipv4addr = *
port = 10812
limit {
max_pps = 0
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on command file /app/radius/conf/dsl-massmarket/control.socket
Listening on auth address * port 1812 bound to server default
Ready to process requests
2
3
I'm configuring a new deployment using the libwbclient integration.
Can I authenticate users supplying plain-text passwords (e.g. TTLS/PAP) using the libwbclient integration, or do I need to configure a fallback to ntlm_auth for such requests?
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
5
11
Hi,
I have an odd question... I know in the case of the 'cui' and the
'moonshot-targeted-ids' policies, there is a salt value that is by default
'changeme'. Is there any ability for a policy to emit a warning in debug
mode when it finds that one of its components is not changed from the
default 'changeme'?
Just a thought... I want to make sure that those deploying the latter
policy are warned before/prevented from using the policy when the salt is
not changed.
With Regards
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp(a)jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
3
2
Hi
I have a problem with my freeradius config where it only proxies POD packets to the first NAS listed in the home server pool. What config do I need to change in order for the Proxy to send COA packets to the correct NAS where the device is connected to? I have looked at documentation on /etc/freeradius/sites-available/originate-coa but not sure if I am on the right track.
clients.conf
.....
coa_server = mobile_discon_pool
}
## Radius workers ##
client freerad-prod-srv1 {
ipaddr = 10.0.10.7
secret = R0cki2nvb0nsnd
}
client freerad-prod-srv2 {
ipaddr = 10.0.10.21
secret = R0cki2nvb0nsnd
}
## NAS IP's ##
client xx.yy.30.161/32 {
secret = rS4aq1)pN
shortname = NAS1
}
client xx.yy.30.162/32 {
secret = rS4aq1)pN
shortname = NAS2
}
......
proxy.conf
home_server NAS1 {
type = coa
ipaddr = xx.yy.30.161
port = 3799
secret = rS4aq1)pN
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server NAS2 {
type = coa
ipaddr = xx.yy.30.162
port = 3799
secret = rS4aq1)pN
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool mobile_discon_pool {
home_server = NAS1
home_server = NAS2
}
......
coa
listen {
type = coa
ipaddr = 10.0.10.25
port = 3799
server = coa
}
server coa {
recv-coa {
update control {
Home-Server-Pool := mobile_discon_pool
}
ok
}
send-coa {
ok
}
}
Thank you
Koos
(null)
Kind Regards
Koos Myburgh
Network Engineer
RSAWEB Internet Services
2
1
I am testing out freeradius with FreeIPA (= 389 directory server). This
is freeradius-3.0.11 from Ubuntu 16.04, talking to FreeIPA under CentOS 7.
The 389 directory server in FreeIPA has a "memberOf" plugin installed
(by default), which exposes all the groups as part of the user record.
For example:
# bcandler, users, accounts, ipa.example.com
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
objectclass: ipaobject
objectclass: person
objectclass: top
objectclass: ipasshuser
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: krbticketpolicyaux
objectclass: krbprincipalaux
objectclass: inetuser
objectclass: posixaccount
objectclass: ipaSshGroupOfPubKeys
objectclass: mepOriginEntry
objectclass: ipantuserattrs
cn: Brian Candler
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
And I have freeradius's ldap module configured for group membership like
this:
group {
membership_attribute = 'memberOf'
name_attributes = 'cn'
}
The problem is, whenever I touch the LDAP-Group attribute it triggers
off a whole load of LDAP queries, one for each group, to translate the
group DN to the cn.
However, since all I'm asking for the cn, and the cn is the RDN of the
group, the cn could be extracted directly from the DN.
Here's an example of what I see:
(1) if (&Called-Station-Id =~ /:Staff$/ && &LDAP-Group[*] ==
"staff") {
(1) Searching for user in group "staff"
rlm_ldap (ldap): Reserved connection (3)
(1) Using user DN from request
"uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
(1) Checking user object's memberOf attributes
(1) Performing unfiltered search in
"uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1) Waiting for search result...
(1) Processing memberOf value
"cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1) Resolving group DN
"cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1) Performing unfiltered search in
"cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1) Waiting for search result...
(1) Group DN
"cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to
name "ipausers"
(1) Processing memberOf value
"cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1) Resolving group DN
"cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group
name
(1) Performing unfiltered search in
"cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope
"base"
(1) Waiting for search result...
(1) Group DN
"cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves
to name "server_guru"
(1) Processing memberOf value
"cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1) Resolving group DN
"cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to
group name
(1) Performing unfiltered search in
"cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope
"base"
(1) Waiting for search result...
(1) Group DN
"cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com"
resolves to name "network_guru"
(1) Processing memberOf value
"cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1) Resolving group DN
"cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1) Performing unfiltered search in
"cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1) Waiting for search result...
(1) Group DN
"cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to name
"vpn"
(1) Processing memberOf value
"cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1) Resolving group DN
"cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1) Performing unfiltered search in
"cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1) Waiting for search result...
(1) Group DN
"cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to
name "staff"
(1) User found in group "staff". Comparison between membership:
name (resolved from DN
"cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com"), check: name
I guess this is intentional: one group object *could* have multiple cn
attributes, so maybe it's querying the group to be sure. That is,
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
in theory could translate to
LDAP-Group += ipausers
LDAP-Group += another name for ipausers
However in my case I don't need this. Is there a way I can configure
the LDAP module not to do this?
Alternatively I could make an explicit group membership query (i.e.
return all group entries that this user is a member of); but that still
involves two queries, and I would then not be making use of the memberOf
feature.
Thanks,
Brian.
5
11
I have a pfSense box with captive portal using radius authentication. I'm
running freeradius on a Raspberry Pi on the LAN. This works fine and I had
no issues setting up freeradius on the rPi.
I now have a new Orange Pi which I want to set up the same as the Raspberry
Pi. The oPi won't boot off the same image as the rPi so I had to download
armbian for the oPi and reinstall everything from scratch.
Using the oPi as the server, I'm getting authentication errors: "Error
sending request: No valid RADIUS responses received"
I've checked the following configuration files for both pis and they are
identical:
clients.conf
radiusd.conf
sql.conf
users
I have run the server in debug mode and run the output through the
debugging tool (http://networkradius.com/freeradius-debugging/) and there
are a few red lines but they are also present in my working server.
both server debug outputs show this starting at line 150:
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "mysecret"
nastype = "other"
}
There are differences in output but the only one I can see which might be
relevant is the following which is present in my working server but absent
in my non-working server at line 487:
rlm_sql (sql): Read entry
nasname=192.168.225.1,shortname=pfSense,secret=mysecret
rlm_sql (sql): Adding client 192.168.225.1 (pfSense, server=<none>) to
clients list
which would seem to be a show stopper, but I can't figure out where that is
going wrong.
Debug output for the non-working server:
freeradius: FreeRADIUS Version 2.2.5, for host arm-unknown-linux-gnueabihf,
built on Oct 24 2014 at 05:52:01
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/detail.log
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "mysecret"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "root"
password = "rooter"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/freeradius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 32
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server FROM
nas"
authorize_check_query = "SELECT id, username, attribute, value,
op FROM radcheck WHERE username =
'%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value,
op FROM radreply WHERE username =
'%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct
SET acctstoptime = '%S',
acctsessiontime = unix_timestamp('%S')
-
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND
nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <=
'%S'"
accounting_update_query = " UPDATE radacct
SET framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32
|
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress,
nasportid, nasporttype, acctstarttime,
acctsessiontime, acctauthentic, connectinfo_start,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, servicetype, framedprotocol,
framedipaddress, acctstartdelay,
xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S',
INTERVAL (%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}'
<< 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctstoptime,
acctsessiontime, acctauthentic, connectinfo_start,
connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, acctterminatecause,
servicetype, framedprotocol, framedipaddress,
acctstartdelay, acctstopdelay, xascendsessionsvrkey)
VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0',
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct
SET acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO
radacct (acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay)
VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}',
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
'%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0})
SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}',
'', '%{Connect-Info}',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}'
<< 32 | '%{%{Acct-Output-Octets}:-0}',
'%{Called-Station-Id}', '%{Calling-Station-Id}',
'%{Acct-Terminate-Cause}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}', '0',
'%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}' ORDER
BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid,
username, nasipaddress, nasportid,
framedipaddress, callingstationid,
framedprotocol FROM
radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to root@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): starting 5
rlm_sql (sql): Attempting to connect rlm_sql_mysql #5
rlm_sql_mysql: Starting connect to MySQL server for #5
rlm_sql (sql): Connected new DB handle, #5
rlm_sql (sql): starting 6
rlm_sql (sql): Attempting to connect rlm_sql_mysql #6
rlm_sql_mysql: Starting connect to MySQL server for #6
rlm_sql (sql): Connected new DB handle, #6
rlm_sql (sql): starting 7
rlm_sql (sql): Attempting to connect rlm_sql_mysql #7
rlm_sql_mysql: Starting connect to MySQL server for #7
rlm_sql (sql): Connected new DB handle, #7
rlm_sql (sql): starting 8
rlm_sql (sql): Attempting to connect rlm_sql_mysql #8
rlm_sql_mysql: Starting connect to MySQL server for #8
rlm_sql (sql): Connected new DB handle, #8
rlm_sql (sql): starting 9
rlm_sql (sql): Attempting to connect rlm_sql_mysql #9
rlm_sql_mysql: Starting connect to MySQL server for #9
rlm_sql (sql): Connected new DB handle, #9
rlm_sql (sql): starting 10
rlm_sql (sql): Attempting to connect rlm_sql_mysql #10
rlm_sql_mysql: Starting connect to MySQL server for #10
rlm_sql (sql): Connected new DB handle, #10
rlm_sql (sql): starting 11
rlm_sql (sql): Attempting to connect rlm_sql_mysql #11
rlm_sql_mysql: Starting connect to MySQL server for #11
rlm_sql (sql): Connected new DB handle, #11
rlm_sql (sql): starting 12
rlm_sql (sql): Attempting to connect rlm_sql_mysql #12
rlm_sql_mysql: Starting connect to MySQL server for #12
rlm_sql (sql): Connected new DB handle, #12
rlm_sql (sql): starting 13
rlm_sql (sql): Attempting to connect rlm_sql_mysql #13
rlm_sql_mysql: Starting connect to MySQL server for #13
rlm_sql (sql): Connected new DB handle, #13
rlm_sql (sql): starting 14
rlm_sql (sql): Attempting to connect rlm_sql_mysql #14
rlm_sql_mysql: Starting connect to MySQL server for #14
rlm_sql (sql): Connected new DB handle, #14
rlm_sql (sql): starting 15
rlm_sql (sql): Attempting to connect rlm_sql_mysql #15
rlm_sql_mysql: Starting connect to MySQL server for #15
rlm_sql (sql): Connected new DB handle, #15
rlm_sql (sql): starting 16
rlm_sql (sql): Attempting to connect rlm_sql_mysql #16
rlm_sql_mysql: Starting connect to MySQL server for #16
rlm_sql (sql): Connected new DB handle, #16
rlm_sql (sql): starting 17
rlm_sql (sql): Attempting to connect rlm_sql_mysql #17
rlm_sql_mysql: Starting connect to MySQL server for #17
rlm_sql (sql): Connected new DB handle, #17
rlm_sql (sql): starting 18
rlm_sql (sql): Attempting to connect rlm_sql_mysql #18
rlm_sql_mysql: Starting connect to MySQL server for #18
rlm_sql (sql): Connected new DB handle, #18
rlm_sql (sql): starting 19
rlm_sql (sql): Attempting to connect rlm_sql_mysql #19
rlm_sql_mysql: Starting connect to MySQL server for #19
rlm_sql (sql): Connected new DB handle, #19
rlm_sql (sql): starting 20
rlm_sql (sql): Attempting to connect rlm_sql_mysql #20
rlm_sql_mysql: Starting connect to MySQL server for #20
rlm_sql (sql): Connected new DB handle, #20
rlm_sql (sql): starting 21
rlm_sql (sql): Attempting to connect rlm_sql_mysql #21
rlm_sql_mysql: Starting connect to MySQL server for #21
rlm_sql (sql): Connected new DB handle, #21
rlm_sql (sql): starting 22
rlm_sql (sql): Attempting to connect rlm_sql_mysql #22
rlm_sql_mysql: Starting connect to MySQL server for #22
rlm_sql (sql): Connected new DB handle, #22
rlm_sql (sql): starting 23
rlm_sql (sql): Attempting to connect rlm_sql_mysql #23
rlm_sql_mysql: Starting connect to MySQL server for #23
rlm_sql (sql): Connected new DB handle, #23
rlm_sql (sql): starting 24
rlm_sql (sql): Attempting to connect rlm_sql_mysql #24
rlm_sql_mysql: Starting connect to MySQL server for #24
rlm_sql (sql): Connected new DB handle, #24
rlm_sql (sql): starting 25
rlm_sql (sql): Attempting to connect rlm_sql_mysql #25
rlm_sql_mysql: Starting connect to MySQL server for #25
rlm_sql (sql): Connected new DB handle, #25
rlm_sql (sql): starting 26
rlm_sql (sql): Attempting to connect rlm_sql_mysql #26
rlm_sql_mysql: Starting connect to MySQL server for #26
rlm_sql (sql): Connected new DB handle, #26
rlm_sql (sql): starting 27
rlm_sql (sql): Attempting to connect rlm_sql_mysql #27
rlm_sql_mysql: Starting connect to MySQL server for #27
rlm_sql (sql): Connected new DB handle, #27
rlm_sql (sql): starting 28
rlm_sql (sql): Attempting to connect rlm_sql_mysql #28
rlm_sql_mysql: Starting connect to MySQL server for #28
rlm_sql (sql): Connected new DB handle, #28
rlm_sql (sql): starting 29
rlm_sql (sql): Attempting to connect rlm_sql_mysql #29
rlm_sql_mysql: Starting connect to MySQL server for #29
rlm_sql (sql): Connected new DB handle, #29
rlm_sql (sql): starting 30
rlm_sql (sql): Attempting to connect rlm_sql_mysql #30
rlm_sql_mysql: Starting connect to MySQL server for #30
rlm_sql (sql): Connected new DB handle, #30
rlm_sql (sql): starting 31
rlm_sql (sql): Attempting to connect rlm_sql_mysql #31
rlm_sql_mysql: Starting connect to MySQL server for #31
rlm_sql (sql): Connected new DB handle, #31
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret, server FROM nas
rlm_sql (sql): Reserving sql socket id: 31
rlm_sql (sql): Released sql socket id: 31
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
Failed binding to authentication address * port 1812: Address already in use
/etc/freeradius/radiusd.conf[273]: Error binding to port for 0.0.0.0 port
1812
3
4
I'm not a website administrator, so anyone that knows more about setting this up so that I can actually have users navigate to it and generate their own QR Code...
Thanks,
Pete
-----Original Message-----
From: Skrebetz, Pete
Sent: Tuesday, October 11, 2016 9:06 AM
To: FreeRadius users mailing list <freeradius-users(a)lists.freeradius.org>
Subject: multiotp web service on CentOS 7 and Apache
The documentation for how to configure the webserver so that it's not only displaying multiotp.webserver.php but actually working through to the backend is pretty sparse. Has anyone else set this up on Linux? I copied the entire multiotp directory to /var/www/html, but the web front end never seemed to actually add users.
Thanks,
Pete
2
2
Hi All,
I'm using the 'Event-Timestamp' in the python module it's printed as
follows.
*Oct 12 2016 13:59:27 UTC*
However the timestamp format present in the MySQL databse is *2006-01-02
15:04:00*
Is it possible to enforce the same format as MySQL across the board?, I
wasn't able to locate related documentation on this.
PS : Freeradius version 3.0.8
Thanks,
--
*Anuruddha Premalala (MIEEE)Mobile : +94717213122E-mail :
anuruddhapremalal(a)gmail.com <anuruddhapremalal(a)gmail.com>web :
www.anuruddha.org <http://www.anuruddha.org>*
3
2
Hi All,
I'm experimenting with the python extension on freeradius 3.0.8 and faced
the following issues.
When I print the parameter 'p' of the authenticate(p), while executing
* radtest test1 testing123 localhost 10 testing123*
the output is seen as below,
('User-Name', '"test1"')
('User-Password', '"testing123"')
('NAS-IP-Address', '172.31.35.101')
('NAS-Port', '10')
('Message-Authenticator', '0x9a76d539575fdc05d187013433f49981')
('Event-Timestamp', '"Oct 13 2016 06:00:51 UTC"')
Notice that there are some unwanted double quotations around *User-Name ,
User-Password *and *Event-Timestamp.*
I could remove these unwanted strings but it's going to add some over head
to the authentication process. Can I get rid of this unwantd double
quatation without incuring any processing cost on python side?
PS : These double quotations are also present in accounting packets as well.
Thanks,
--
*Anuruddha Premalala (MIEEE)Mobile : +94717213122E-mail :
anuruddhapremalal(a)gmail.com <anuruddhapremalal(a)gmail.com>web :
www.anuruddha.org <http://www.anuruddha.org>*
2
1
Hi,
I'm using a freeradius instance for 802.1x authentication with eap-tls. While everything works fine for my linux (and android) client machines, a windows 10 client is not going past tls client hello. From the freeradius server I'm getting this:
Debug: eap_tls: Continuing EAP-TLS
Debug: eap_tls: Peer sent flags --L
Debug: eap_tls: Peer indicated complete TLS record size will be 174 bytes
Debug: eap_tls: Got complete TLS record (174 bytes)
Debug: eap_tls: [eaptls verify] = length included
Debug: eap_tls: (other): before/accept initialization
Debug: eap_tls: TLS_accept: before/accept initialization
Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Debug: eap_tls: <<< recv TLS 1.2 [length 00a9]
Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Debug: eap_tls: >>> send TLS 1.2 [length 0002]
ERROR: eap_tls: TLS Alert write:fatal:handshake failure
Error: tls: TLS_accept: Error in error
Error: tls: TLS_accept: Error in error
ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): s3_srvr.c[1418]:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
ERROR: eap_tls: System call (I/O) error (-1)
ERROR: eap_tls: TLS receive handshake failed during operation
ERROR: eap_tls: [eaptls process] = fail
The problem is that there is a shared cipher. Using a successfull server hello in a linux client connection, I can see what configuration is selected and clearly supported by the server. And the same configuration is actually proposed by the windows client too. Text dumps of tls hellos follow. Versions are: freeradius 3.0.12 and openssl 1.0.2j.
Have anyone encountered similar problems? The client hello from windows includes some additional tls extensions -- could it be the cause?
Here are text dumps of client hellos:
linux client:
802.1X Authentication
Version: 802.1X-2004 (2)
Type: EAP Packet (0)
Length: 304
Extensible Authentication Protocol
Code: Response (2)
Id: 181
Length: 304
Type: TLS EAP (EAP-TLS) (13)
EAP-TLS Flags: 0x00
0... .... = Length Included: False
.0.. .... = More Fragments: False
..0. .... = Start: False
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 293
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 289
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: May 18, 2087 18:43:39.000000000 MSK
Random Bytes: a8052b4f8ba5439503d03da61ea2eaad449c9c3a3e9f2ac6...
Session ID Length: 0
Cipher Suites Length: 172
Cipher Suites (86 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 76
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 28
Elliptic Curves Length: 26
Elliptic curves (13 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: brainpoolP512r1 (0x001c)
Elliptic curve: brainpoolP384r1 (0x001b)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: brainpoolP256r1 (0x001a)
Elliptic curve: secp256k1 (0x0016)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 32
Signature Hash Algorithms Length: 30
Signature Hash Algorithms (15 algorithms)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0602
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0502
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0402
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0301
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0302
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0303
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
windows client:
802.1X Authentication
Version: 802.1X-2001 (1)
Type: EAP Packet (0)
Length: 184
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 184
Type: TLS EAP (EAP-TLS) (13)
EAP-TLS Flags: 0x80
1... .... = Length Included: True
.0.. .... = More Fragments: False
..0. .... = Start: False
EAP-TLS Length: 174
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 169
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 165
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Oct 12, 2016 22:32:27.000000000 MSK
Random Bytes: cfee7182be38061f0202a3b3ec374724eec7a7eea20270ad...
Session ID Length: 0
Cipher Suites Length: 60
Cipher Suites (30 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 64
Extension: status_request
Type: status_request (0x0005)
Length: 5
Certificate Status Type: OCSP (1)
Responder ID list Length: 0
Request Extensions Length: 0
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 8
Elliptic Curves Length: 6
Elliptic curves (3 curves)
Elliptic curve: Unknown (0x001d)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp384r1 (0x0018)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 20
Signature Hash Algorithms Length: 18
Signature Hash Algorithms (9 algorithms)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Extension: Extended Master Secret
Type: Extended Master Secret (0x0017)
Length: 0
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
After the client-hello from the windows system NAS replies with 802.1x failure; for the linux client here is server hello:
802.1X Authentication
Version: 802.1X-2001 (1)
Type: EAP Packet (0)
Length: 558
Extensible Authentication Protocol
Code: Request (1)
Id: 183
Length: 558
Type: TLS EAP (EAP-TLS) (13)
EAP-TLS Flags: 0x80
1... .... = Length Included: True
.0.. .... = More Fragments: False
..0. .... = Start: False
EAP-TLS Length: 1562
[2 EAP-TLS Fragments (1562 bytes): #6(1014), #8(548)]
[Frame: 6, payload: 0-1013 (1014 bytes)]
[Frame: 8, payload: 1014-1561 (548 bytes)]
[Fragment Count: 2]
[Reassembled EAP-TLS Length: 1562]
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 57
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 53
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Jun 23, 2069 22:43:44.000000000 MSK
Random Bytes: f55c140ff16bab468b8f5d2f21e3cc8237090f9eebf23476...
Session ID Length: 0
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Compression Method: null (0)
Extensions Length: 13
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 1155
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 1151
Certificates Length: 1148
Certificates (1148 bytes)
REDACTED
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 247
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 243
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp384r1 (0x0018)
Pubkey Length: 97
Pubkey: 0409c1e40a860e38d72cc95fe4bed9bc01b2874f79fa74d3...
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 138
Signature: 30818702414f82bf2dc1f20e19ca281784a1023607d4ae4f...
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 83
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 75
Certificate types count: 3
Certificate types (3 types)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Certificate type: ECDSA Sign (64)
Signature Hash Algorithms Length: 30
Signature Hash Algorithms (15 algorithms)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0602
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0502
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0402
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0301
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0302
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0303
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Distinguished Names Length: 37
REDACTED
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
1
0