Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 13 participants
- 27047 discussions
Dear list.
I'm using freeradius 2.2.5 on Debian-Jessie.
I would like to limit the accepted authentication types to TTLS-PAP, as
I'm using SHA1-PWs stored in a MySQL-DB. As described on
http://deployingradius.com/documents/configuration/auth_type.html
using `Auth-Type' in sites-available/inner-tunnel or default to
generally reject mschap and chap is not recommended. Instead an entry in
the users file (or radcheck table) should be used.
The problem is for me, that the example describes the acception of
MSCHAP only, but I didn't succeed in adapting it for accepting PAP only.
How is this possible to reject any authentication attempt except PAP?
For advanced: How generally switch of PEAP?
Many thanks in advance
and best regards
Jens
2
2
03 May '16
Hello,
I'm using FreeRADIUS Version 3.0.8in a debian 8.
I want to exec a sql query to return a value in Reply-Message:
/etc/freeradius/users
user Cleartext-Password := "pass"
Reply-Message := "%{sql:SELECT username FROM radpostauth
WHERE client like 'PA%' ....}"
When I run freeradius server in debug mode, I get:
Tue May 3 11:58:52 2016 : Debug: (0) files: ::: Examining Reply-Message
Tue May 3 11:58:52 2016 : ERROR: (0) files: %{sql:SELECT username FROM
radpostauth WHERE client like 'PA%' ....
Tue May 3 11:58:52 2016 : ERROR: (0) files:
^
Invalid variable expansion
If I delete the % in users files:
/etc/freeradius/users
user Cleartext-Password := "pass"
Reply-Message := "%{sql:SELECT username FROM radpostauth
WHERE client like 'PA' ....}"
When I run freeradius server in debug mode, I get:
rlm_sql (sql): Reserved connection (4)
(0) files: Executing select query: SELECT username FROM radpostauth WHERE
client like 'PA' and ...
(0) files: SQL query returned no results
rlm_sql (sql): Released connection (4)
(0) files: EXPAND %{sqllocal:SELECT username FROM radpostauth WHERE client
like 'PA' and
I have this running in older versions of freeradius.Sorry for my english
and thank you very much in advance.
::::::::::::::::::::::::::::::::::::
:: Ana Gallardo Gómez ::
::::::::::::::::::::::::::::::::::::
2
1
03 May '16
14.04
Message-ID: <20160430132627.GA10793(a)lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
>> p.s.: using v2 since v3 isn't supported on Ubuntu yet. After a full week of trying both the unofficial release and attempting to compile it myself, I realized that I don't know anywhere near enough about freeradius to debug it properly.
>v3 is supported on Ubuntu - I've installed it on 14.x, 15.x and 16.x servers.
Excellent!
Maybe you can help my get past the part that held me up (for most of a week) the last several times I tried to install this version.
I did the following and everything went fine (generating the large prime took several minutes):
apt-add-repository ppa:freeradius/stable-3.0
apt-get update
apt-get install freeradius make
Then, after making sure all the necessary utilities were installed:
sudo apt-get install freeradius freeradius-mysql freeradius-utils
and creating a test user, I started it with "freeradius -X" and the following tests all gave me "Access-Accept" (the third one wouldn't work for my freeradius2):
radtest bob h3llo localhost 1812 t3sting123
radtest -t mschap bob h3llo localhost 100 t3sting123
radtest -t eap-md5 bob h3llo localhost 100 t3sting123
The problem I had is that I could never get the database to work.
I installed extra mysql stuff I remembered needing for v2:
sudo apt-get install mysql-server
sudo apt-get install libmysqlclient-dev
Then added a database "radius", and imported its tables and user:
mysql -u root -p radius < /etc/freeradius/mods-config/sql/main/mysql/schema.sql
mysql -u root -p < /etc/freeradius/mods-config/sql/main/mysql/setup.sql
And added a test user:
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('bobsql', 'Password', ':=', 'h3llo');
Now, the manual at http://wiki.freeradius.org/guide/SQL-HOWTO says to open "/etc/raddb/radiusd.conf" and "$INCLUDE sql.conf", but "sql.conf" isn't in this version. It also says to edit "/etc/raddb/sql.conf" and the "raddb" directory doesn't even exist on my computer.
I tried cross referencing this with other sites (and made much use of "grep" and "find"), but nothing worked. Installing daloradius seemed to fix the problem but it came back the next day.
Dustin
2
1
Hi All!
I tried to find information on this on the web, but didn't succeed.
I am using freeradius, which is using PAM to talk to an LDAP, together
with a Cisco ASA, and all works fine, except that I have a few users
that use a 'ß' in their password (ß is a special German character,
similar to an s).
It seems that somewhere along the lines the characters get scrambled.
*) Trying with the Cisco ASA radius test client, I see in the freeradius
logs things like
Auth: Login incorrect: [blabla/D$D4?p?591924] (from client xxx port y)
(the ? where initially ß)
*) And with the radtest tool:
radtest blabla 'ßß' xxx.yyy.zzz.aaa secret
=>
Auth: Login incorrect: [blabla/<C3>?<C3>?] (from client xxx port 18120)
Is there any specific restriction on characters that are allowed? ß is
part of the ISO/IEC 8859-1, so it doesn't actually require unicode or
the likes.
I would also rule out any issues with my LDAP backend, as the passwords
work fine when doing authentication directly via LDAP PAM, and via
various other applications using an Apache module.
Any hint would be welcome!
Thanks,
Rudolf
2
1
radtest bobsql h3llo 192.168.0.166 100 t3sting123
and
radtest -t mschap bobsql h3llo 192.168.0.166 100 t3sting123both work fine from my ubuntu desktop and
radtest -t mschap bobsql h3llo 127.0.0.1:18120 0 t3sting123
works fine from the server (notes in file "inner-tunnel" say that this should mean that peap will work). However,
radtest -t eap-md5 bobsql h3llo 192.168.0.166 100 t3sting123does not work from my ubuntu desktop or the ubuntu server in which freeradius is running (used same command string except with 127.0.0.1 as IP address)
"freeradius -X" output says to look at
http://wiki.freeradius.org/guide/Certificate-Compatibility
which describes the symptoms of my issue but only shows suggestions for what to do if your client is a Windows machine.
Unfortunately, I haven't messed with secure certificates explicitly so don't know how to troubleshoot them. Strangely enough, eap worked fine with the partly-functional mutant hybrid freeradius v2/3 that I ended up with when I tried to install the unofficial freeradius v3 release for Ubuntu.
Dustin
p.s.: using v2 since v3 isn't supported on Ubuntu yet. After a full week of trying both the unofficial release and attempting to compile it myself, I realized that I don't know anywhere near enough about freeradius to debug it properly.
"radtest" output:
root@gremlin:/etc/freeradius# radtest -t eap-md5 bobsql h3llo 127.0.0.1 100 t3sting123
Sending Access-Request packet to host 127.0.0.1 port 1812, id=249, length=0
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 192.168.0.166
NAS-Port = 100
Message-Authenticator = 0x00
EAP-Code = Response
EAP-Type-Identity = "bobsql"
EAP-Message = 0x02f8000b01626f6273716c
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=249, length=64
EAP-Message = 0x01f900061920
Message-Authenticator = 0x67456e4b517c4e986b3d0c7f23d589a1
State = 0x141de28714e4fbb2053fa9d69b9894c2
EAP-Id = 249
EAP-Code = Request
EAP-Type-TTLS = 0x20
root@gremlin:/etc/freeradius#
"freeradius -X" output:
root@gremlin:/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mschap.new
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/mschap.bak
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "t3sting123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 192.168.0.99 {
require_message_authenticator = no
secret = "t3sting123"
shortname = "OfficeAP"
nastype = "other"
}
client 192.168.0.103 {
require_message_authenticator = no
secret = "t3sting123"
shortname = "OfficeUbiquitiAP"
nastype = "other"
}
client 192.168.0.102 {
require_message_authenticator = no
secret = "t3sting123"
shortname = "DustinUbuntu"
nastype = "other"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "t3sting123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "radius"
password = "radpass"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/freeradius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 54028
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.102 port 51972, id=22, length=89
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x63b41003de06fef4cdb10d9c674732c1
EAP-Message = 0x024c000b01626f6273716c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 76 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 22 to 192.168.0.102 port 51972
EAP-Message = 0x014d00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc5d1b741c59cae74e5c335d132a13974
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 22 with timestamp +19
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xc5d1b741c59cae74 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.102 port 47914, id=228, length=76
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0xd09eb513c856865b83d9773becc09c8e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "h3llo"
[pap] Using clear text password "h3llo"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 228 to 192.168.0.102 port 47914
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 228 with timestamp +33
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.102 port 45062, id=5, length=132
User-Name = "bobsql"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x1b2d3bc48e1628fcb67a4aabec4c7603
MS-CHAP-Challenge = 0x5431fdaef2ef481f
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e386da5486bad62e690e1aecc0dbe0efa9027ee1d3a642d1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 5 to 192.168.0.102 port 45062
MS-CHAP-MPPE-Keys = 0x567e728a9a0f730b1e841a812034ebe1960d1c03a812a7920000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.102 port 40888, id=206, length=132
User-Name = "bobsql"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x0292ae5c52b3c5905b43ae731beb7c63
MS-CHAP-Challenge = 0x597fc32c1884f15d
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000f480f2c91ecbb02affca1cd6e0aaf8530fea4f70431b300c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 206 to 192.168.0.102 port 40888
MS-CHAP-MPPE-Keys = 0x567e728a9a0f730b1e841a812034ebe1960d1c03a812a7920000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 3.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.102 port 35961, id=32, length=132
User-Name = "bobsql"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x2d707df31b6b58f446440e937e530bca
MS-CHAP-Challenge = 0x71541771cc7aa8b4
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000077613cdac309e699b0324e1318081226f5bb67816eb7765a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 32 to 192.168.0.102 port 35961
MS-CHAP-MPPE-Keys = 0x567e728a9a0f730b1e841a812034ebe1960d1c03a812a7920000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 4.
Going to the next request
Waking up in 1.5 seconds.
Cleaning up request 2 ID 5 with timestamp +51
Waking up in 2.2 seconds.
Cleaning up request 3 ID 206 with timestamp +54
Waking up in 1.2 seconds.
Cleaning up request 4 ID 32 with timestamp +55
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.102 port 53710, id=147, length=132
User-Name = "bobsql"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x037f49ae3b5ec235d4eaf2267a9b6e25
MS-CHAP-Challenge = 0x5ad7026bacfbcb0c
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000fd3865d282111e51a5d1e78a11224e705e16b4ab346fe1c3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 147 to 192.168.0.102 port 53710
MS-CHAP-MPPE-Keys = 0x567e728a9a0f730b1e841a812034ebe1960d1c03a812a7920000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.102 port 55717, id=241, length=132
User-Name = "bobsql"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0xa99ccc3a5cca5d0421ce40151860f354
MS-CHAP-Challenge = 0x3ec6b2e188f8077e
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000008a8fc890c2cadcde9db7d78760239b1f592968d44a90cdfd
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 241 to 192.168.0.102 port 55717
MS-CHAP-MPPE-Keys = 0x567e728a9a0f730b1e841a812034ebe1960d1c03a812a7920000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 6.
Going to the next request
Waking up in 1.6 seconds.
Cleaning up request 5 ID 147 with timestamp +79
Waking up in 3.3 seconds.
Cleaning up request 6 ID 241 with timestamp +83
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.102 port 57932, id=206, length=89
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x03d3363df4078fcc0bbfd49d66c8a305
EAP-Message = 0x0291000b01626f6273716c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 145 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 206 to 192.168.0.102 port 57932
EAP-Message = 0x019200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3449d6e934dbcf8a2066e164bff70373
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.102 port 53425, id=97, length=89
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x0a13ff3dd26d20da7de439ed156f8f1e
EAP-Message = 0x029b000b01626f6273716c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 155 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.0.102 port 53425
EAP-Message = 0x019c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb63c299bbffdb53b656996c0040d033
Finished request 8.
Going to the next request
Waking up in 2.9 seconds.
Cleaning up request 7 ID 206 with timestamp +96
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3449d6e934dbcf8a did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Waking up in 2.0 seconds.
rad_recv: Access-Request packet from host 192.168.0.102 port 52917, id=200, length=89
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 127.0.1.1
NAS-Port = 100
Message-Authenticator = 0x1b1dd77b91fd5119c952cba3c7b0789d
EAP-Message = 0x02a5000b01626f6273716c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 165 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 200 to 192.168.0.102 port 52917
EAP-Message = 0x01a600061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfcde2609fc783fe3cd6f633607ab2cb1
Finished request 9.
Going to the next request
Waking up in 1.6 seconds.
Cleaning up request 8 ID 97 with timestamp +98
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xbb63c299bbffdb53 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Waking up in 3.3 seconds.
Cleaning up request 9 ID 200 with timestamp +101
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xfcde2609fc783fe3 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 52521, id=229, length=89
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 192.168.0.166
NAS-Port = 100
Message-Authenticator = 0xd7caba718106a9d1e4802f69771d9a79
EAP-Message = 0x02e4000b01626f6273716c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 228 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 229 to 127.0.0.1 port 52521
EAP-Message = 0x01e500061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xba25f065bac0e928512b36076da019ff
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 229 with timestamp +129
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xba25f065bac0e928 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 33835, id=239, length=89
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 192.168.0.166
NAS-Port = 100
Message-Authenticator = 0xa1e0465c6ce9d505a1d80a9e5a4652be
EAP-Message = 0x02ee000b01626f6273716c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 238 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 239 to 127.0.0.1 port 33835
EAP-Message = 0x01ef00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ef8b2793e17abd6ae69ec18fa4cfd0f
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47780, id=249, length=89
User-Name = "bobsql"
User-Password = "h3llo"
NAS-IP-Address = 192.168.0.166
NAS-Port = 100
Message-Authenticator = 0x522e550039140c1bb17ae9f549a2a18e
EAP-Message = 0x02f8000b01626f6273716c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bobsql", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 248 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> bobsql
[sql] sql_set_user escaped user --> 'bobsql'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'bobsql' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'bobsql' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 249 to 127.0.0.1 port 47780
EAP-Message = 0x01f900061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x141de28714e4fbb2053fa9d69b9894c2
Finished request 12.
Going to the next request
Waking up in 2.1 seconds.
Cleaning up request 11 ID 239 with timestamp +141
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x3ef8b2793e17abd6 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Waking up in 2.8 seconds.
Cleaning up request 12 ID 249 with timestamp +143
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x141de28714e4fbb2 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
2
1
Hello,
I'm new to this, so please show mercy on me. I managed to get Freeradius to work with AD. I have one SSID setup at the moment on the controller. So far any user with AD credentials that log into our wireless, gets connected. My boss wants me to tweak the system a bit to separate staff from students. We have an OU for staff and another for students. The problem I have is I have no idea where in radius do I configure this option. We want to be able to tell radius that if a student logs into for example to the staff SSID they are rejected but if they log into their student SSID, access is granted. How do I make that happen? Thank very much for any help you can provide.
2
3
Dear list.
I'm using freeradius 2.2.5 on debian for authorization & authentication
to a WiFi-network. The NAS is a TP-Link TL-WR841ND, which is a router
including NAT (without DSL).
I'm trying setting up accounting for automatic session-timeout after the
account expired. For this purpose it seems I need `accounting', which is
activated for performing accounting entries in the mysql-radacct table.
The configuration looks to me okay.
Nevertheless the radacct table stays empty. No entries are made. After
reading the documentation it looks to me, that the client (in this case
the WiFi-router) must support accounting and send accounting packages to
make this feature work or is accounting available in every correctly
implemented radius-WiFi router? Must it the simply be activated and on
which keyword must I look for?
I
Many thanks in advance
Jens
3
3
Hi,
I have been tasked with the adding of VLAN assignments based on groups in our openLDAP server.
Questions : it works but I do not understand why :-)
1) What does base_filter in the modules/ldap do ?
2) Is my group search that I've implemented working "correctly" ? esp. "(&(cn=*)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
The following works but I do see a lot more ldap searches in debug (below) than I expected.
Thanks in advance,
Arjan
LDAP tree : (testserver) has posix and samba data from default Ubuntu schema.
Users Example : cn=sinnige,ou=Users, dc=audiodude,dc=nl
Groups Example : cn=staff,ou=Groups,dc=audiodude,dc=nl
ldapsearch -x -b dc=audiodude,dc=nl "(&(cn=*)(memberUid=sinnige))"
# extended LDIF
#
# LDAPv3
# base <dc=audiodude,dc=nl> with scope subtree
# filter: (&(cn=*)(memberUid=sinnige))
# requesting: ALL
#
# Administrators, Groups, audiodude.nl
dn: cn=Administrators,ou=Groups,dc=audiodude,dc=nl
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Administrators
gidNumber: 544
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators
memberUid: sinnige
# staff, Groups, audiodude.nl
dn: cn=staff,ou=Groups,dc=audiodude,dc=nl
objectClass: sambaGroupMapping
objectClass: posixGroup
displayName: staff
sambaGroupType: 2
sambaSID: S-1-5-21-2662359605-3693033551-1550532409-21001
description: staff
gidNumber: 10000
cn: staff
memberUid: sinnige
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Most users have the group as PrimaryGroupID. Now I figured that would be the hardest part but it was ok...
pico /etc/freeradius/ldap.attrmap
Add:
checkItem Ldap-PrimaryGroupId gidNumber
pico /etc/freeradius/dictionary
Add:
ATTRIBUTE Ldap-PrimaryGroupId 3010 integer
Then in post auth I assign VLAN attr. In both inner and default if I want both EAP and radtest to work.
if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") {
# staff as additional group
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 1
}
}
elsif (control:Ldap-PrimaryGroupId == 10000) {
# staff as primary group
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 2
}
}
else {
# Guests
update reply {
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 100
}
}
----------------------------------------
Below Laptop EAP and radtest logon.
-----------------------------------------
root@ldap:/home/sinnige# freeradius -X
freeradius: FreeRADIUS Version 2.2.10, for host x86_64-pc-linux-gnu, built on Mar 27 2016 at 17:22:01
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.0.0.1 {
require_message_authenticator = no
secret = "RadTest-123"
shortname = "ciscorouter"
nastype = "cisco"
}
client 192.168.63.95 {
require_message_authenticator = no
secret = "RadTest-123"
shortname = "wifi1router"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "peap"
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "127.0.0.1"
port = 389
password = "Passwoord^3"
expect_password = yes
identity = "cn=admin,dc=audiodude,dc=nl"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=audiodude,dc=nl"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(ou=Users)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(&(cn=*)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
groupmembership_attribute = "radiusGroupName"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP gidNumber mapped to RADIUS Ldap-PrimaryGroupId
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x213a220
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 51470
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=129
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0x906d5337f0bc7835762f38b3ba91359c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 127.0.0.1:389, authentication 0
[ldap] bind as cn=admin,dc=audiodude,dc=nl/Passwoord^3 to 127.0.0.1:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=audiodude,dc=nl, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] gidNumber -> Ldap-PrimaryGroupId == 10000
[ldap] userPassword -> Password-With-Header == "{SSHA}iO/aTvVBn19xxxxxotulVVi9DXxxxxxB"
[ldap] sambaNtPassword -> NT-Password == 0x44313833393833454145413xxxxx39393539433846344331xxxxxxx430453638
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed781a187d23ad70b6624cff883
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=316
Cleaning up request 0 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed781a187d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100b61980000000ac16030300a7010000a30303572152d661e23887c2fff31b91ef9ada468c7d5e82c14af030b8a6dc862da38f00003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003e000500050100000000000a0006000400170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
Message-Authenticator = 0x7589ec548952c0f75b595c8f933d6750
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 182
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 172
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 00a7]
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> Unknown TLS version [length 0039]
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> Unknown TLS version [length 08a2]
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> Unknown TLS version [length 014d]
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> Unknown TLS version [length 0004]
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x0102040019c000000a4016030300390200003503032652394d06ed4bbed0179767d21f4d64f463af055b145e0d4774c8b1223bfd0f00c03000000dff01000100000b00040300010216030308a20b00089e00089b0003cc308203c8308202b0a003020102020101300d06092a864886f70d01010b050030818c310b3009060355040613024e4c310b3009060355040813024e48310f300d060355040713064865696c6f6f31123010060355040a1309417564696f647564653121301f06092a864886f70d010901161261646d696e40617564696f647564652e6e6c312830260603550403131f417564696f647564652043657274696669636174652041
EAP-Message = 0x7574686f72697479301e170d3136303332373136343633305a170d3236303332353136343633305a3078310b3009060355040613024e4c310b3009060355040813024e4831123010060355040a1309417564696f64756465312530230603550403131c417564696f64756465205365727665722043657274696669636174653121301f06092a864886f70d010901161261646d696e40617564696f647564652e6e6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100ef41364469960a32cf34a0ee4a184026dc3de6482bccdd1415f62970367e5402089dbf9e9a26e45d099cceb3fe863509937c3615be04034e3f5c
EAP-Message = 0x389e1b91505f321b17e0dc46f5d3ad9157ccdb0b172e4f29ef7c06ca3c685903f92742561f733b2a6cf681f4768a2a119e09d82be3c9605eee4abd695dd7f17ad0f5b653e962c0a0c9a09b4deb19f25ca9da080d96a4d4df3edb27a19222b00f9e763c6548cd8a18ce634ac79e7d58b8496c0e255cdb8839de1cee2a0ed1d7c59eb3ed6350c98c24e946fa72ecf41862961de4ccf3d76eb5ad41b952c958c742c25364a847679d4c500d4d64d6d1a5664f24965980f8758e636e756e5e7171b7d2db82b3ad850203010001a348304630130603551d25040c300a06082b06010505070301302f0603551d1f042830263024a022a020861e687474703a2f
EAP-Message = 0x2f7777772e617564696f647564652e6e6c2f63612e63726c300d06092a864886f70d01010b050003820101007af63a1f4da2ac585c9401862ff9aeb7ef891a130000d347b1a3c0a5f97384835f386d39740ac087006abf49129c12f8f5a24fde19fba89d99ca14ff83ce11e93e9b6046dc80b5de30e9c000a413faede47c1cd326af56cf90e13089310f2ea815d81d4fd9542d065fc13e07026ce9fa57305f5e5ecf98091463b474d609df6d824b0e700d86b792f2521e03b4eacfa53cf5badcde4b7b59ea3273f25f0c0a0375e420802a40348fd435bb65784a3d1158393fbb113b460ea96eb19a24f3191283cc8876022241321ed209db54f0cc6417
EAP-Message = 0xfef0886c6d96f13bd95df707
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed780a287d23ad70b6624cff883
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=140
Cleaning up request 1 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed780a287d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061900
Message-Authenticator = 0x61f72d27df273f1865d7f6996721b844
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x010303fc194018a560e8166126adf01657f3403577d528cee162de01501a6e4859fff494328f4f0f6d0004c9308204c5308203ada003020102020900e45ce84c8fbe19d6300d06092a864886f70d01010b050030818c310b3009060355040613024e4c310b3009060355040813024e48310f300d060355040713064865696c6f6f31123010060355040a1309417564696f647564653121301f06092a864886f70d010901161261646d696e40617564696f647564652e6e6c312830260603550403131f417564696f6475646520436572746966696361746520417574686f72697479301e170d3136303332373136343633305a170d3236303332353136
EAP-Message = 0x343633305a30818c310b3009060355040613024e4c310b3009060355040813024e48310f300d060355040713064865696c6f6f31123010060355040a1309417564696f647564653121301f06092a864886f70d010901161261646d696e40617564696f647564652e6e6c312830260603550403131f417564696f6475646520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a777834bc805207072006d6d26ddd6df58d8cde8c266f03abb4371a254d10fb10667ea9872efe5d884b9fc4dae585227303d2cd01c19141c121b5e945c8ca6429305d7c5d20d8f7f
EAP-Message = 0x2b2cb74a79095fc0dbe2adec8afc56bb0fcc192e810516bd09ebdd862ddd75ce939b7bcbcba25f56671417e4484e6dc0b3551ac622c740310be4a411f467a65b7aab0bb35e118ace939cf2bb85c39dfcc46c113ca3cd2a8dcf8414673015354b237f6c412b79a71b758623716cc96b41fc2c82e5a2189e552436aec510c21fa2e20e92ebcae5982696851751b1fdb2abd9b9c8054d8fe01cf1e0234a3cc23bbb25ae605beb6e5448e785d6c46dde9a40ea785572712e93910203010001a382012630820122301d0603551d0e0416041459512aa2711a3c72edbab907bcbb96d6b50732dc3081c10603551d230481b93081b6801459512aa2711a3c72ed
EAP-Message = 0xbab907bcbb96d6b50732dca18192a4818f30818c310b3009060355040613024e4c310b3009060355040813024e48310f300d060355040713064865696c6f6f31123010060355040a1309417564696f647564653121301f06092a864886f70d010901161261646d696e40617564696f647564652e6e6c312830260603550403131f417564696f6475646520436572746966696361746520417574686f72697479820900e45ce84c8fbe19d6300c0603551d13040530030101ff302f0603551d1f042830263024a022a020861e687474703a2f2f7777772e617564696f647564652e6e6c2f63612e63726c300d06092a864886f70d01010b050003820101
EAP-Message = 0x003ff0add8095839
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed783a387d23ad70b6624cff883
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=140
Cleaning up request 2 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed783a387d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061900
Message-Authenticator = 0xfdbb0154be9b6cadd52e428c6fe19067
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x0104025a190068ff0b31c423f3fd95d51202f39de335db833e3f1777e88215d980a33170e626a579836319170350477383271a7178da9f0ffa420a5f06cce801265b964b8afdafc12dd5df7fed154198b53d55a0e77aa241f76e3cacec34f48058af95b536358d740e9e5d01c02f071a630c399f3c3663f45beb9d2c465e17a728f94c87dbaeba2f97ef81398d98435e7e5629ab1c091dca1843b6b348ad7abfa53ec8c24953a66f0343e8d29a89c51f32bafa8407b938fe1709b358c7152824d1cfb9e962ec2f929b949eab9491cf2d32998dd28b08630a0a6c3187c49ca9dea483da0f72bc04850386b0522be1c57acdc2d27fec37486303b6cc6531
EAP-Message = 0x0a22160303014d0c00014903001741049838e0e6e6af93079fe966bf447a920f5d73fecdad5995db213dbb51e6158920bf7d0c3b60975ab4ffd824af81759a201f4a03b7a280fbcae5acc61a160ef8610401010080c5018328c0736c0cf4988217497a125402434cc43b17a9d9ed2b16e37efbbd9e98068e1d4eb1574421cb4d6b8ee5489b3605f8f9597538f5a3a57c4445fc7bb2a8af04f9b7abcc2ae7e7e6423d914d2054d7e171802f39287f30540d212f52feba1509225b4e7a09b94de105a9e447d28b604b54d2a1d094c6d504916a2b6713851c228546d6512651d6b59f6769af59d80e6aa478162ba281bab0e443e13ccdcdf6df50d41c72b4
EAP-Message = 0x9df4284b26a106e1de54f6d79ed637bb434251e7e2a83b8f9bf532d84f6ec8769d18f3b0410fb792cd41d9181ed1f47f1816409263ca23267ff4673824c2c7f9a724ef94b0ab09faa3b9f2bef685b373581091afaf12d316030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed782a487d23ad70b6624cff883
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=270
Cleaning up request 3 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed782a487d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204008819800000007e1603030046100000424104151bf6dc5c47981c758c11f4b5d78918176ac1415386ec916ed098ec7ac41c1d52bad2d3b92affe170813a146d8189dbbd25597ffd30298793653dc981a69118140303000101160303002800000000000000004031a48867bc08c3310697549b8d80b3d591748866935bebedbbfd5d696f08a6
Message-Authenticator = 0x2a35dc5e56094d400cd9d76669f7eeaf
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 136
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0046]
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< Unknown TLS version [length 0001]
[peap] <<< Unknown TLS version [length 0010]
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> Unknown TLS version [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> Unknown TLS version [length 0010]
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x010500391900140303000101160303002873ed26321e33ffcef9ec54553cba04df7749fcd45833652acab2090a717583bc47b0512a1303689f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed785a587d23ad70b6624cff883
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=140
Cleaning up request 4 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed785a587d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0x84ecfc0fb32e2c174b6a28519bcce61b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x010600281900170303001d73ed26321e33ffcf09698e5117c31d578b1eabdddde29768aa545ddc74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed784a687d23ad70b6624cff883
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=178
Cleaning up request 5 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed784a687d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0206002c190017030300210000000000000001c067ed9e1d7d3c156a957314bf28db1b86880c9dafee390769
Message-Authenticator = 0x4a291703d06ed075ad19c8edda8b6a5f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 44
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser
[peap] Got inner identity 'testuser'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000d017465737475736572
server {
[peap] Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x0206000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 6 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=audiodude,dc=nl, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] gidNumber -> Ldap-PrimaryGroupId == 10000
[ldap] userPassword -> Password-With-Header == "{SSHA}iO/aTvVBn1xxxxxFotulVVi9DXxxxxxB"
[ldap] sambaNtPassword -> NT-Password == 0x443138333938334541454137xxxxx9393539433846344331xxxxxxx430453638
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010700221a0107001d10d99b9aa64103e937480bffa9f22c35127465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x424f8931424893972f2812b1e02f0f6f
[peap] Got tunneled reply RADIUS code Access-Challenge
EAP-Message = 0x010700221a0107001d10d99b9aa64103e937480bffa9f22c35127465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x424f8931424893972f2812b1e02f0f6f
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x010700411900170303003673ed26321e33ffd0c05b27b4bc47a0ac8f3b9ccaed15fb459e2b3f2958449f267b90d4b4f70c86c7930e1105c7570f64fef22fefc437
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed787a787d23ad70b6624cff883
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=232
Cleaning up request 6 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed787a787d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020700621900170303005700000000000000024d4aa66c28902443a434d8398fffc484b3931ad8e5b29adc2cbc8a18b23ae22906e0e390f9ea4c8afb3dec06e4302788ccd6c31de9721ac30992e1f1bb29190e36c5dc250517b8d679cd285a6facfa
Message-Authenticator = 0x643a6b39bb04409ea4754ca73a9121df
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 98
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700431a0207003e3180cf31bca440e540e5a4bbb9e23802f30000000000000000aca74573530446cbd4df21bd488f8196a91d59118bfa5c14007465737475736572
server {
[peap] Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x020700431a0207003e3180cf31bca440e540e5a4bbb9e23802f30000000000000000aca74573530446cbd4df21bd488f8196a91d59118bfa5c14007465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
State = 0x424f8931424893972f2812b1e02f0f6f
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=audiodude,dc=nl, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] gidNumber -> Ldap-PrimaryGroupId == 10000
[ldap] userPassword -> Password-With-Header == "{SSHA}iO/aTvVBn19Z4R9FotulVVi9DXxxxxxB"
[ldap] sambaNtPassword -> NT-Password == 0x443138333938334541454137424539393539433846344331xxxxxxx430453638
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: testuser
[mschap] Client is using MS-CHAPv2 for testuser, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010800331a0307002e533d43334437353838364334373732413430374238453044423630353643323543433745394544374133
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x424f8931434793972f2812b1e02f0f6f
[peap] Got tunneled reply RADIUS code Access-Challenge
EAP-Message = 0x010800331a0307002e533d43334437353838364334373732413430374238453044423630353643323543433745394544374133
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x424f8931434793972f2812b1e02f0f6f
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x010800521900170303004773ed26321e33ffd1f47b342577b9d67c075944fc26069fb4e79a8c600555ab2086e2af57baaedc2b7fe673e8cacb9f588bab429a96bde082868ebb4685e37c71369a1981bf6081
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed786a887d23ad70b6624cff883
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=171
Cleaning up request 7 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed786a887d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020800251900170303001a000000000000000379e2342194847ccff7ba17ae31042371ebde
Message-Authenticator = 0x43e4fc71fed95c490ab128ccddf6253b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 37
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800061a03
server {
[peap] Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
State = 0x424f8931434793972f2812b1e02f0f6f
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=audiodude,dc=nl, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] gidNumber -> Ldap-PrimaryGroupId == 10000
[ldap] userPassword -> Password-With-Header == "{SSHA}iO/aTvVBn19Z4R9FotulVVi9DXxxxxxB"
[ldap] sambaNtPassword -> NT-Password == 0x443138333938334541454137424539393539433846344331xxxxxxx430453638
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [testuser/<via Auth-Type = EAP>] (from client wifi1router port 0 via TLS tunnel)
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
+group post-auth {
++? if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl")
[ldap] Entering ldap_groupcmp()
expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
expand: %{Stripped-User-Name} ->
... expanding second conditional
expand: %{User-Name} -> testuser
expand: (&(cn=*)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(cn=*)(memberUid=testuser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=staff,ou=Groups,dc=audiodude,dc=nl, with filter (&(cn=*)(memberUid=testuser))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=testuser,ou=Users,dc=audiodude,dc=nl, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") -> FALSE
++? if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") -> FALSE
++? elsif (control:Ldap-PrimaryGroupId == 10000)
? Evaluating (control:Ldap-PrimaryGroupId == 10000) -> TRUE
++? elsif (control:Ldap-PrimaryGroupId == 10000) -> TRUE
++elsif (control:Ldap-PrimaryGroupId == 10000) {
+++update reply {
+++} # update reply = noop
++} # elsif (control:Ldap-PrimaryGroupId == 10000) = noop
++ ... skipping else for request 8: Preceding "if" was taken
+} # group post-auth = noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xc94474d2416782861967e2ad1ac087f4
MS-MPPE-Recv-Key = 0x19fcb3f34c831bc4d1608fce58394b36
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
[peap] Got tunneled reply RADIUS code Access-Accept
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xc94474d2416782861967e2ad1ac087f4
MS-MPPE-Recv-Key = 0x19fcb3f34c831bc4d1608fce58394b36
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 192.168.63.95 port 32770
EAP-Message = 0x0109002e1900170303002373ed26321e33ffd2bbdb14f125d5e28a8a0054330ac433012848260f6e3c895ec20d07
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x81a09ed789a987d23ad70b6624cff883
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.63.95 port 32770, id=0, length=180
Cleaning up request 8 ID 0 with timestamp +6
User-Name = "testuser"
NAS-IP-Address = 192.168.63.95
Called-Station-Id = "20aa4b81f8a4"
Calling-Station-Id = "6045bdeef7dc"
NAS-Identifier = "20aa4b81f8a4"
NAS-Port = 69
Framed-MTU = 1400
State = 0x81a09ed789a987d23ad70b6624cff883
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0209002e190017030300230000000000000004d9664923b95dc02d309ed8633e5e0e030090b2b0d9d839f2481474
Message-Authenticator = 0x4af61f7b0ca975f3bcca1298d8633d5c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 9 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "testuser"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [testuser/<via Auth-Type = EAP>] (from client wifi1router port 69 cli 6045bdeef7dc)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
++? if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl")
[ldap] Entering ldap_groupcmp()
expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
expand: %{Stripped-User-Name} ->
... expanding second conditional
expand: %{User-Name} -> testuser
expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=audiodude,dc=nl, with filter (uid=testuser)
[ldap] ldap_release_conn: Release Id: 0
expand: %{Stripped-User-Name} ->
... expanding second conditional
expand: %{User-Name} -> testuser
expand: (&(cn=*)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(cn=*)(memberUid=testuser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=staff,ou=Groups,dc=audiodude,dc=nl, with filter (&(cn=*)(memberUid=testuser))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=testuser,ou=Users,dc=audiodude,dc=nl, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
[ldap] ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") -> FALSE
++? if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") -> FALSE
++? elsif (control:Ldap-PrimaryGroupId == 10000)
(Attribute control:Ldap-PrimaryGroupId was not found)
? Evaluating (control:Ldap-PrimaryGroupId == 10000) -> FALSE
++? elsif (control:Ldap-PrimaryGroupId == 10000) -> FALSE
++else else {
+++update reply {
+++} # update reply = noop
++} # else else = noop
+} # group post-auth = noop
Sending Access-Accept of id 0 to 192.168.63.95 port 32770
User-Name = "testuser"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
MS-MPPE-Recv-Key = 0x9653ff27a224b981da94de8d209d57ea97f72068fa8afa59d28f8abfef685bf6
MS-MPPE-Send-Key = 0xd9f8a012e3a362ff50034bf57012812ac02d6939568e225f35d9083d66108cb8
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +6
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 39326, id=106, length=77
User-Name = "sinnige"
User-Password = "Passwoord^3"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0xb9912ca3da05e10d0cc6beba595862c9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "sinnige", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[ldap] performing user authorization for sinnige
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> sinnige
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=sinnige)
[ldap] expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=audiodude,dc=nl, with filter (uid=sinnige)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] gidNumber -> Ldap-PrimaryGroupId == 512
[ldap] userPassword -> Password-With-Header == "{SSHA}Xr//FIFG3s092KFgUxKHofIL1Bft8LuA"
[ldap] sambaNtPassword -> NT-Password == 0x3234443236393433454346444644333244333530304135413736393136453246
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group PAP {
[pap] login attempt with password "Passwoord^3"
[pap] Using NT encryption.
[pap] expand: %{User-Password} -> Passwoord^3
[pap] NT-Hash of Passwoord^3 = 24d26943ecfdfd32d3500a5a76916e2f
[pap] expand: %{mschap:NT-Hash %{User-Password}} -> 24d26943ecfdfd32d3500a5a76916e2f
[pap] User authenticated successfully
++[pap] = ok
+} # group PAP = ok
Login OK: [sinnige/Passwoord^3] (from client localhost port 1812)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
++? if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl")
[ldap] Entering ldap_groupcmp()
expand: dc=audiodude,dc=nl -> dc=audiodude,dc=nl
expand: %{Stripped-User-Name} ->
... expanding second conditional
expand: %{User-Name} -> sinnige
expand: (&(cn=*)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(cn=*)(memberUid=sinnige))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=staff,ou=Groups,dc=audiodude,dc=nl, with filter (&(cn=*)(memberUid=sinnige))
rlm_ldap::ldap_groupcmp: User found in group cn=staff,ou=Groups,dc=audiodude,dc=nl
[ldap] ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") -> TRUE
++? if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") -> TRUE
++if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") {
+++update reply {
+++} # update reply = noop
++} # if (Ldap-Group == "cn=staff,ou=Groups,dc=audiodude,dc=nl") = noop
++ ... skipping elsif for request 10: Preceding "if" was taken
++ ... skipping else for request 10: Preceding "if" was taken
+} # group post-auth = noop
Sending Access-Accept of id 106 to 127.0.0.1 port 39326
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 106 with timestamp +20
Ready to process requests.
3
2
Hi,
I've been recently faced with a crappy NAS that didn't properly
support sending GigaWord and would just wrap the
Acct-{Input,Output}-Octets after 4G, but I still wanted to record the
proper value.
My work around was to use a custom SQL function :
CREATE OR REPLACE FUNCTION BYTE_UPDATE(bigint, bigint) RETURNS bigint
AS 'SELECT CASE WHEN $1 IS NULL OR $2 IS NULL THEN COALESCE($1,$2)
WHEN $2 >= (1::bigint << 32) THEN $2 WHEN $2 < ($1 & ((1::bigint <<
32) - 1)) THEN ((($1 & ~((1::bigint << 32) - 1)) | $2) + (1::bigint <<
32)) ELSE (($1 & ~((1::bigint << 32) - 1)) | $2) END;'
LANGUAGE SQL
IMMUTABLE;
And in queries.conf, change to call it using old_value, new_value as argument :
AcctInputOctets = BYTE_UPDATE(AcctInputOctets,
(('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) +
'%{%{Acct-Input-Octets}:-0}'::bigint)),
The function basically just detects wrap around and assumes that the
4G point was reached and increments value appropriately. If your NAS
properly sends Gigawords, then the function does nothing.
I've been running this on postgres for a while now and it seems to work nicely.
I just thought I'd share that here in case someone else had the same issue ...
Cheers,
Sylvain
1
0
Hello,
We are planning to deploy a new freeradius Server, and we would like to
manage the IP's from freeradius ip pool, but some time ago we heard that
FreeRadis sometimes didnt manage the pool all right.
They said us, it could sometimes duplicate ip's on subscribers.
Does someones knows something about this issue? Is it fixed on last
versions?
Best regards. Juanjo.
Sent with Stampery <https://stampery.com/gmail>
3
14